View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Data
May 28, 2020

The NHS Will Hold Test and Trace Data for 20 Years: Questions Abound

"Specific and legitimate role' is one of the most vaguely defined terms I’ve ever seen in a privacy notice..."

By CBR Staff Writer

NHS Test and Trace ran into headwinds today as it launched, as the Health Secretary urged people to do their “civic duty” to participate in the scheme — which in the absence of a working app will require those who have tested positive to provide call centre staff with details of their recent contacts.

Amid a growing uproar over how the government has handled the outbreak, and the news that the UK has the world’s highest rate of excess deaths resulting from the pandemic, the “civic duty” request drew an indignant response.

Oxford University professor and primary care expert Trish Greenhalgh was among those rejecting the plea. As she put it bluntly: “It is not my ‘civic duty’ to participate in a scheme that is ‘test, track and trace’ by name only, run by cronies, aligned weakly if at all with our public health and primary care infrastructure, and tied to a vainglorious political target.”

Legal experts meanwhile raised concerns over the programme’s privacy policy, which, curiously, appears to have been published on March 4 — a long three-weeks before the UK even introduced a public lock-down.

This concedes that “personal identifiable information” (a term not used in privacy law in the UK; “personal data” is the term under the Data Protection Act 2018) will be retained for 20 years on a “secure cloud environment”.

This will include name, address, date of birth, postcode and phone number.

See also: Gov’t Launches Test and Trace – But There’s Still No App

Experts noted that it was not unusual for the NHS to keep data for lengthy periods, but with public distrust surrounding the government’s response to the COVID-19 outbreak high, many suggested that given the centralised nature of the response, some form of consultation should have occurred.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Ravi Naik solicitor and legal director AWO, a data rights agency, told Computer Business Review today: ” Looking at this policy itself there are a few things here that give me concern. Probably the main one is this idea that the data can be seen by, quote, those who have  ‘a specific and legitimate role in the response and who are working on the NHS Test and Trace'”.

He added: “‘Specific and legitimate role’ is one of the most vaguely defined terms I’ve ever seen in a privacy notice and it’s really concerning when we are talking about our collective response to coronavirus.

“The bigger concern is that there are companies we know the NHS is working with in the data store that have questionable approaches to data protection. For this system to work we need confidence as without uptake there’s no utility. That lack of transparency is a real concern.”

Public Health England has been contacted for comment.


Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.