The government has admitted its contact tracing programme is unlawful in a legal letter which confirms it has been running in breach of data protection laws since it was launched in May.
Confirmation the programme failed to adhere to privacy regulations comes as Sky News can reveal that contractors working for NHS Test and Trace have been told they may be fired following reports of dozens of staff sharing patients’ confidential data on social media.
According to the legal letter, the government did not conduct a data privacy impact assessment (DPIA) which is required to ensure that breaches of patients’ information don’t take place.
The letter was sent in response to a legal challenge brought by Open Rights Group (ORG) against the government for failing to confirm whether it had met the required safeguards for the programme.
In the letter, which has been seen by Sky News, the government’s lawyers accept that the government was legally required to have a completed DPIA at the time Test and Trace launched on 28 May.
The lawyers add that a single one covering the whole of the project has still not been completed, but was being worked on, and that a number of DPIAs covering different parts of it were in place.
A spokesperson for the Department of Health and Social Care drew a distinction between the programme itself being unlawful versus the way it was handling NHS patients’ data being unlawful, claiming: “There is no evidence of data being used unlawfully.”
They stressed that the contact-tracing programme had been developed quickly as part of the public health emergency caused by the pandemic.
“NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations,” they added.
The spokesperson did not respond when asked whether a report in The Sunday Times, which found Test and Trace workers were sharing patients’ confidential data on social media sites, was evidence of data being used unlawfully.
Sky News has seen internal communications from NHS Test and Trace warning contractors that “patient identifiable information must never be posted” on social media.
They add: “Any such examples which come to light will be dealt with through the appropriate employment processes.”
This message was first circulated to workers on 13 July before being repeated on 16 July.
Jim Killock, the executive director of ORG, described the government as “reckless” in “ignoring a vital and legally required safety step”.
“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards.
“The Information Commissioner’s Office and Parliament must ensure that Test and Trace is operating safely and lawfully,” he said.
“As we have already seen individual contractors sharing patient data on social media platforms, emergency remedial steps will need to be taken,” Mr Killock added.