Privacy campaigners are planning a legal challenge as it was revealed that the UK contact tracing app retains personal data for up to 20 years …

A privacy notice (link not available outside the UK) says that those who declare a positive test result for coronavirus will see their personal data retained for 20 years, while contacts without symptoms will have their data kept for five years. The usual GDPR right to have personal data deleted on request may not apply.

The personally identifiable information collected by NHS Test and Trace for people with COVID-19 symptoms is kept by Public Health England for 20 years.

The personally identifiable information collected on the contacts of people with COVID-19 but who do not have any symptoms is kept by Public Health England for 5 years.

This information needs to be kept for this long because COVID-19 is a new disease and it may be necessary to know who has been infected, or been in close contact with someone with symptoms, to help control any future outbreaks or to provide any new treatments […]

You can ask for any information held about you to be deleted. This is not an absolute right and Public Health England may need to continue to use your information. We will tell you why if this is the case.

For those who test positive, the personal data retained is extensive.

  1. full name
  2. date of birth
  3. sex
  4. NHS Number
  5. home postcode and house number
  6. telephone number and email address
  7. COVID-19 symptoms, including when they started and their nature

The Guardian reports on the planned legal challenge.

Privacy campaigners are preparing a legal challenge to the NHS’s coronavirus test-and-trace programme as concerns grow about the amount of contact data that will be collected and retained by government.

The Open Rights Group (ORG) has instructed the data rights lawyer Ravi Naik to draft a letter outlining its concerns after Public Heath England said it would retain “personally identifiable” data of those who test positive for 20 years.

Jim Killock, the ORG’s executive director, said: “The government needs to better explain its reasoning; what they have done so far has been rushed. Our concern is people will feel reluctant to participate if they feel their personal data is leaving their control.”

ORG says that the government also appears to be breaking the law by not carrying out a privacy impact assessment before launching the app.

The government has failed to complete a legally mandated data protection impact assessment, which is supposed to be filed with the Information Commissioner’s Office before any “high-risk” activity is carried out.

Opposition MPs are calling for legislation to ensure the contact tracing app retains personal data for coronavirus purposes only, and cannot be used for other purposes further down the line.

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear