The UK government has come under fire for launching a countrywide "test and trace" program without completing a Data Protection Impact Assessment (DPIA), a mandate required under the EU's General Data Protection Regulation (GDPR).
Test and Trace, also known as "Track and Trace," is a National Health Service initiative designed to track contacts of people who test positive for COVID-19. It requires people to share sensitive information, including names, birthdates, postal codes, people they live with, places they have recently traveled, and names and contact details of people with whom they've been in close contact.
Officials confirmed this program, which launched in May, has been running without a complete DPIA to assess how all of this personal data could be compromised. A privacy organization called the Open Rights Group (ORG) had written a letter to the Department of Health and Social Care, demanding publication of the DPIA for the Test and Trace program and threatening legal action.
The government has said none of the information has been breached to date; however, the implications of neglecting a DPIA for months have not been determined. Failure to assess the use of individuals' personal information could result in noncompliance under the GDPR. The UK's Information Commissioner's Office says the DPIA is a legal requirement for any type of data processing, including specific types of processing likely to be a high risk to peoples' rights.
Read more details here.