JMW Solicitors Head of Data Protection Toni Vitale speaks to HEQ about data security in the UK’s Test and Trace programme.
Earlier this year, the UK government was forced to admit that its ‘world-beating’ COVID-19 Test and Trace programme had been operating unlawfully for months, having failed to carry out a Data Protection Impact Assessment (DPIA) – which is legally required under the terms of the General Data Protection Regulation (GDPR) – before launching the programme.
HEQ speaks with Toni Vitale, Head of Data Protection at JMW Solicitors LLP, about the need for enhanced data security throughout healthcare.
It has been reported that the UK government failed to carry out a DPIA on its Test and Trace programme. What are the legal implications of this?
If an establishment or institution is going to begin a new type of data processing or if they are going to be processing what is called ‘special category’ data, which includes medical information, they are required by law, under the Data Protection Act of 2018, to carry out a DPIA, which is like a self-audit for data security. A DPIA acts as a checklist which enables you to determine whether the data processing you are planning is safe and whether you need to take any special precautions or implement additional processes.
In this particular case, the government has said that it does not believe anything it’s doing with the data is unlawful – but that is one of the things that the DPIA is intended to ascertain. The government should not have made that statement without first conducting the impact assessment, because the purpose of a DPIA is to work out what the impact will be on the data subjects and actively inform the final decision on whether or not to proceed with the actual data processing: these are the steps that need to be put in place in order to look after the safety and the best interests of data subjects.
Technically, the government – or the NHS in this case – has breached the law. The ultimate sanction that the Information Commissioner’s Office (ICO) can impose is a fine of up to £17m, but what is more likely is that if the ICO were concerned about this, it would try to ensure that a DPIA was carried out at some point; and any implications of that impact assessment would then be put into place in order to protect the interests of data subjects. For example, it may be that if a third party was being used to help produce the software code, the ICO would say: check the terms of your contract with that third party and make sure they have provided adequate training for all their staff. It might want to know how you ensure the data is held securely. Those are the questions that the DPIA is meant to help you find the answers to. It is an interesting situation, because the government has broken its own law, in a way, and is now trying to say there is nothing illegal in what it’s doing – but it cannot be certain of that without doing a DPIA.
It is really disappointing that the government has not carried out a DPIA in relation to Test and Trace. I was disappointed in their answer; if a business or government agency were to give the same answer, I think the regulator of the ICO would be equally disappointed in that. The government really needs to set an example in terms of how it looks after personal data, particularly sensitive medical information, and how it complies with those regulations – because if the government doesn’t do it, then no one else will.
How could people who have participated in the contact tracing programme be impacted?
It may be the case that their data is not held securely, because that is one of the key issues covered by a DPIA: are there adequate technical and security measures in place in order to protect the data properly? The worst case scenario for the people who have given their data is that their data is now not secure, because the government and the NHS have not asked themselves the right questions and therefore have not put in place the right measures to make sure that security is locked down.
When you are storing medical data in particular, you are meant to put in extra precautions – that might mean encryption of sensitive data, restricting access to a very limited number of people or simply making sure that anyone involved in handling the data has had adequate training in data protection and security. I have heard anecdotal accounts that the Test and Trace service has been using social media to contact people: effectively, that is not permitted, but I think that resulted from the fact that these people were not adequately trained. One potential consequence of this is that, if someone who has not been trained properly were allowed access to the data, they might be at risk of inadvertently disclosing sensitive information either on social media or simply through not safeguarding it correctly. Some of these people are working remotely and they might be working on a home computer; and if their home computer does not have the most up-to-date security software, that becomes a security risk: people’s personal data gets exposed, and this ultimately leads to very serious consequences. This is why we have the DPIA: to act as a checklist of things you need to put in place in order to make sure that the data is secure and that everyone follows the right protocols and processes.
Have low levels of public trust in the government contributed to people’s reluctance to participate in contact tracing?
You could argue that this is another example of one law for the government and one law for everyone else. The fact that they did not perform a DPIA suggests that they didn’t consider it properly and that they didn’t understand what their obligations were. The government was obviously working at pace and trying to get things done as quickly as possible, but that does not mean that it shouldn’t comply with data protection laws, because those laws are there to protect people’s human rights. You have the human right to make sure that your personal data is adequately protected, whoever is looking after it, whether that is the government, a non-government agency or any business.
I completely agree that it is possible that this would continue the disintegration or decline in the trust people have in government, generally; but it is also the case that lots of government departments and local government bodies have been involved in data breaches in the past, so it’s not like a breach of data protection law is unusual for the government. However, it is still possible that this could cause a decline in people’s trust; and trust is very important when you’re handing over very sensitive data. The issue is particularly pressing in this situation, because the Test and Trace system requires people to hand over personal data about other people: you are asked to say with whom you have been in contact and to disclose their contact details. If someone does not have trust in the system, the NHS and the government, they may be reluctant to do this; and that really undermines the whole Test and Trace system.
With technological solutions such as telehealth and remote care on the rise due to the COVID-19 pandemic, is there a risk that the cybersecurity element could be overlooked in the rush to find socially distant healthcare options?
We have already seen some examples of data breaches where third party providers assisting GP practices have not put the right security measures in place, and that has enabled patients to have access to other people’s online consultations – there has already been at least one data breach recorded in relation to that. The rush to put technology in place quite often gives rise to corners being cut. A good example of that is Zoom: not many people had heard of Zoom before March; it was largely successful, but nowhere near the level that it is now, with millions of additional downloads. Looking at the standard protocols, it is quite clear that Zoom was not very secure at the point that it suddenly became very popular; and so they suddenly had to roll out updates and patches to make it more secure, as a result of the fact that so many more people were now using it.
The methods and processes used by most healthcare providers do not typically include the use of Zoom – they are usually more secure – but as we already had one supplier report a data breach, it is quite possible that corners will be cut in the rush to get solutions out there. It is quite possible that our demand for these additional facilities, like online consultations, may result in patients being put at risk; and again, that may give rise to a breakdown in trust. It might give rise to potential risks of harm to individuals if their personal information is available because there are very few relationships that are as sensitive as the one between you and your doctor. Perhaps your relationship with your priest or your lawyer may be comparable, but as a patient, you are likely to confide in your doctor issues about your mental or physical health which you may not yet have told your employer, members of your family or your partner; therefore the requirement for complete, 100% security in relation to that is absolute. As soon as people start to think they may not be able to trust this technology, they may become reluctant to actually use it; and that actually may result in them having less access to healthcare, which could give rise to very serious health consequences.
In many sectors the NHS still relies on largely outdated digital technology; and this has led to data security issues in the past. Should the security of patients’ data be more of a priority for the NHSX and NHS Reset programmes? How could it be better protected?
It is key to the whole service delivery to have a high level of trust in place; and the only way to guarantee that is by putting data security uppermost in the list of priorities. Especially given that we have already seen data breaches within this sector as a result of the use of these online consultations, the NHS and other clinical practices really need to make an additional effort to ensure that they have got the best and most up-to-date security, procedures, processes and software in place. Although a lot of GP practices are required to have a certain level of IT security in order to connect with NHS systems, beyond that they are effectively left on their own in terms of the type and level of security they are required to implement, so it is really incumbent on them to ensure that they have the right technology in place.
Partner and Head of Data Protection
JMW Solicitors LLP