The UK’s Information Commissioner’s Office (ICO) repeatedly failed to take action over clear breaches of data protection law by the government, according to privacy campaigners.
The Open Rights Group (ORG) analyzed the use of data in three key Covid-19 health programs: NHS Test and Trace, NHS Contact Tracing App and the NHS Datastore.
And, it says, all three programs failed to comply in full with the requirement in Article 35 of the GDPR for Data Protection Impact Assessments (DPIAs)—especially Test and Trace and Datastore, where no DPIA was carried out with providers prior to signing them up.
“The ICO’s failure to enforce data protection law undermined public trust at a time when it was desperately needed. We are still feeling the implications of this negligent data governance with the continued sharing of public health data with companies such as Palantir,” says ORG’s policy manager, Abigail Burke.
“With the government attempting to weaken data protection rights through the Data Protection and Digital Information Bill, it is more important than ever that the UK has a strong and independent data protection authority that is willing to stand up to the government, public bodies and corporations.”
The programs were subject to several data breaches, including the leaking of confidential contact tracing data on social media channels by Test and Trace personnel, data being abused to harass women, and data being lost because it was stored on an Excel sheet.
They involved very large scale and often novel processing of special category personal data by public authorities, as well as by a number of third parties—some of which were based in the US, with its far lower data protection standards. Sharing data with Palantir, in particular, could give predatory private researchers and pharmaceutical companies access to sensitive public health data for profit, says the ORG.
The ICO, says the ORG, failed to use its powers effectively, acting instead as a “critical friend”.
At the time, the ICO said that when evaluating these programs it would “balance the benefits to the public and the dissuasive effect of taking regulatory action against the effect of doing so on regulated organizations, taking into account the particular challenges being faced by organizations and the UK economy.”
The ORG is calling for the government to scrap the Data Protection and Digital Information Bill (DPDI) which, it says, would weaken data subjects’ rights, water down accountability requirements, further reduce the independence of the ICO, and hand undemocratic power over data protection to the Secretary of State.
The ICO, meanwhile, should audit government departments to ensure proper data governance, exert stronger enforcement mechanisms and develop solid systems for oversight during future emergencies.
The ICO denies that it did anything wrong.
“The ICO’s priority during the pandemic was to ensure organizations understood how data protection law could facilitate action at a time of emergency,” it says in a statement. “The ICO achieved this by mobilising a dedicated task force and publishing prompt advice for organizations who were faced with using data in new ways.”