The British government publicly admitted on 20 July 2020 that the way they rolled out their COVID-19 test and trace programme was unlawful, following the threat of legal action by the Open Rights Group, a UK-based civil liberties organisation.
Phil Booth, a coordinator of medConfidential campaigning for patient confidentiality and consent in the UK, explains what the implications of this revelation are and why he thinks much more information is needed about how patient data is being used. He also says the Information Commissioner's Office has failed in its duty to keep the government in check.
Sputnik: What exactly does it mean for the government to have admitted that its test and trace programme was unlawful? Is this just about a technicality?
Phil Booth: While people may be treating this as a data protection technicality, it actually has far more significant consequences. If the Government knowingly chooses not to comply with the law, it undermines the legitimacy of what it is doing with millions of people's personal details – and may indeed breach the very basis on which it is exercising some of the extraordinary powers it has taken during the pandemic.
We have rules for a reason. The Government may consider them annoying or inconvenient, but they are there for a purpose: to protect people. Without proper lawful safeguards, citizens are exposed to all sorts of risks and harms – from relationship-wrecking embarrassment at one end, to outright discrimination and criminal abuse at another. And without ensuring that the entire system flows data safely and accurately to every agency that needs to know, even more people will die.
Sputnik: Why should the average Brit care about these recent developments?
Phil Booth: People should know how their personal information is used! Without publishing its contracts with suppliers, and all the data sharing agreements and legally-required documents like Data Protection Impact Assessments, the public have no real evidence of what's being done and where their data is going. The Government is essentially saying "just trust us", without providing the basis for anyone to do so.
With all the sensitive personal information that the Test and Trace programme requires to work, individual and public trust is absolutely vital. If what the Government's doing really is trustworthy, then there's no good reason for it not to tell people all about it. Transparency demonstrates you can be trusted.
Sputnik: Do we know why the Information Commissioners Office didn't take up this case rather than leave it to a civil society organisation like the Open Rights Group?
Phil Booth: The Information Commissioner's Office (ICO) has effectively taken itself out of the picture during COVID. Its public statements have made it clear that the ICO will sign off pretty much anything done with personal data processed under what are called the 'Control of Patient Information (COPI) Notices' that the Department of Health issued back in March. That civil society is having to sue for information, like openDemocracy and Foxglove did, or threaten the Government with Judicial Review (JR), like Open Rights Group (ORG) and AWO [law firm], simply to get it to comply with the law begs the question, "What is the regulator actually for?"
As the Government's response to ORG made clear, JR is an ineffective remedy in this instance. But if I were them, I'd be seriously considering Judicial Review of the ICO itself for its continued failure to act. This isn't just about a Data Protection Impact Assessment (DPIA), or even just one programme; it's about who is defending our rights. If the regulator won't regulate – and that doesn't mean stopping the Government from doing things, but rather ensuring that what it does is lawful, fair and transparent – then what use is it?
Sputnik: Why is judicial review an "ineffective remedy" in this case, didn't the ORG score a victory?
Phil Booth: Judicial Review (JR) would be an ineffective remedy as, by the time any such Review made it to court, the Department of Health and Social Care (DHSC) will have published the DPIA. And - given it's now said it is doing one, and the ICO was effectively complicit with it not doing one before launch, and 'cos COVID - the court would most likely rule in favour of DHSC in any case.
In point of fact, ORG hasn't actually judicial reviewed the DHSC, and [the] DHSC hasn't 'given up' the information sought - we're still waiting on the contracts, statements of work and data sharing agreements that ORG tells me they asked for (and which Foxglove actually managed to get, and publish). Plus don't forget, the DPIA isn't published yet either!
Getting your opponent to concede they did wrong in letters before action is far from unprecedented, and is not a 'victory' in and of itself. In campaigning, it's what you do with that which matters and, as I said, ORG's best bet here would be to JR the ICO to force the regulator to start taking a tougher stance on data protection issues during the pandemic.
Sputnik: To what extent are any concerns that you have resolved by the most recent development? Can Britain's test and trace system now be trusted to be effective and respect people's personal data?
Phil Booth: The Government were going to publish a DPIA eventually – they've published other ones. What we really need to see are the contracts, statements of work and data sharing agreements for all aspects of the system. I understand ORG have asked for these, so I hope they'll continue pressing the Department until they are all published.
A DPIA by itself doesn't guarantee anything; it simply shows you've considered some risks and (hopefully) taken some steps to mitigate them. Until we have the actual detail of the system and the data flows within it, we simply won't know what is going on – or even what's supposed to be. So our work continues.
Will Test and Trace be effective? It can and has to be! Will it work if the Government keeps everything secret? No – for the simple reason that it has to rely on public trust.
Sputnik: What, if anything, are you calling for now in terms of any aspect of the test and trace system?
Phil Booth: The Government must publish all the contracts, the statements of work and the data sharing agreements – as well as the DPIA – and it should do so quickly, and without redactions. While members of the general public may not grasp all of the detail, those of us in civil society with expertise and experience of such systems will be able to gauge whether they are operating lawfully and effectively. And get answers to the questions that will really matter to people, like does every positive result (i.e. COVID-19 diagnosis) make it into a person's GP record?
The views and opinions expressed in the article do not necessarily reflect those of Sputnik.