12:43, May 31 277 0 theguardian.com

2020-05-31 12:43:03
Privacy campaigners prepare legal challenge to UK's test-and-trace scheme

Privacy campaigners are preparing a legal challenge to the NHS’s coronavirus test-and-trace programme amid concern about the amount of contact data that will be collected and retained by government.

The Open Rights Group (ORG) has instructed data rights lawyer Ravi Naik to draft a letter outlining their concerns this week after the government said it would retain “personally identifiable” data of those who test positive for 20 years.

Jim Killock, the group’s executive director, said: “The government needs to better explain its reasoning; what they have done so far has been rushed. Our concern is people will feel reluctant to participate if they feel their personal data is leaving their control.”

Newly employed contact tracers have been given the task of interviewing people who test positive for coronavirus – currently a little over 2,000 a day – and asking them who they came into close contact with in the two weeks prior to becoming infected.

They will then call those people and ask them to self-isolate – and if they do not become sick their personal data will be retained by the NHS in England for a shorter period of five years.

Concerns raised by the ORG include whether the personally identifiable data retained could be subsequently obtained by the Home Office or other government departments for immigration or other purposes.

They are also unhappy that the government failed to complete a legally-mandated data protection impact assessment, which is supposed to be filed with the information commissioner’s office before any “high-risk” activity is carried out.

The health secretary, Matt Hancock, has argued existing data protection law is sufficient, while last week Baroness Dido Harding, the chair of NHS test and trace, said any data collected wold be part of “an NHS conversation, entirely confidential”.

However, senior politicians have called for ministers to introduce a special bill to safeguard data privacy, arguing that oral reassurances are insufficient.

Harriet Harman, the chair of the influential joint committee on human rights (JCHR), pressed the case by writing to the health secretary arguing “these new powers require new protections” in a letter seen by the Guardian.

“It seems to us absolutely evident that the bill is needed,” Harman told the Guardian. “And instead of looking ahead to that fact, they’re going to wait until it’s urgent. Public opinion is very volatile about this sort of thing. One minute everyone can be seeing the absolute good sense, and the next they can have a lot of worries about it.”

Harman warned the 20-year limit risks losing the trust of the public, and giving authorities too much leeway. “Our goal is to make the promises that [Hancock] has already made meaningful. Assurances in a letter don’t protect anyone. What protects people is legislation,” Harman said.

“I’d rather they just did the bill, because I don’t want to be turning around and saying ‘I told you so’ when there’s some sort of scare and confidence collapses and the important test-trace-isolate initiative hits a roadblock.”

The JCHR, a cross-party committee that includes members from both houses of parliament, took the unusual step of drafting its own bill enshrining in law the requirement to delete gathered information after the end of the outbreak. “This is what Boris Johnson would describe as oven-ready,” said Harman. “I just think they’re being irrational about it, and unwise, and are going to make things more difficult.”

In the letter, Harman lays out ten areas where existing law doesn’t match the promises the government has made, from security to anonymisation.

PHE said it is standard practice across the NHS to securely retain data for the benefit of both patients and wider public health, and that all data collection and storage is fully compliant with GDPR and the Data Protection Act.

Separately, a rightwing thinktank made an alternative call for an independent reviewer to review emergency powers and surveillance measures put in place at the start of the coronavirus crisis if they look like becoming permanent.

A report from the Henry Jackson Society entitled Leaving Lockdown concludes that “continued scrutiny” of the powers taken in the Coronavirus Act passed in March is vital and should reflect the system used for terrorism oversight.

Existing rules provide for an independent reviewer of terrorism legislation – Jonathan Hall QC – who scrutinises and reports on security bills and has access to sensitive and secret information to carry out their job.

Nikita Malik, the report author, said that “the response to Covid-19 has involved navigating the balance between civil liberties and national security” and that “what we need now is greater transparency, oversight, and accountability”.

Malik also highlighted attempts to consolidate NHS databases in work being conducted to help ministers respond to the pandemic by data mining firms Palantir and Faculty, the second of which worked on the Vote Leave campaign in 2016. The report said there were “concerns around ‘surveillance creep’ where intrusive powers are expanded or data is used to prosecute for a range of crimes”.