Businesses beware! Test & trace not compliant with data laws

By Tracey Dickens

The Department of Health has conceded that its test and trace programme was launched without a privacy impact assessment having been carried out, a requirement of Article 35 of the GDPR 2016.

Article 35 requires that where a type of processing, taking into account the

  • nature,
  • scope,
  • context and
  • purposes of the processing,

is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing on the protection of personal data.

The Department of Health did not carry out such an assessment; although it has a lawful purpose for processing the data, it has not considered the privacy risk and impact of that processing.

Guidelines suggest that a DPIA (Data Privacy Impact Assessment) should be carried out where the processing meets two or more of the listed criteria. In the case of test and trace, the processing meets at least four of them, including:

  • the processing of sensitive (or special category) personal data,
  • matching or combining datasets,
  • processing on a large scale, and
  • invisible processing (processing of data that has not been obtained directly from the data subject).

The purpose of the DPIA is to help organisations fully analyse, identify and minimise the data protection risks of a project or plan. It is a key part of the accountability obligation under the GDPR and, if carried out properly, should help an organisation demonstrate how it complies with its data protection obligations.

The Department of Health’s failure to do this has also seen it challenged over how long it proposed keeping the data collected. The department has now agreed to reduce the retention period from 20 to 8 years. This is embarrassing for the Government and could cause distrust between it and the public, since the programme was not operated with basic privacy safeguards in place.

How is this relevant to business? 

It shows how easy it is, even with a desire to do something positive, to trip over data laws. These considerations should be paramount for a business whose plans involve collecting and processing personal data: failing to address them can result in damage to reputation as well as breaches of data protection laws that can lead to fines.

If you would like advice regarding data protection laws for your business, please contact me on 01206 217326 or