Track and Trace

Case Study

Track and Trace

AWO have secured a series of major concessions from the Department from Health about the Test & Trace system: (1) that Test & Trace was deployed unlawfully, as no DPIA was conducted and (2) that the previous retention period of 20 years was unjustified and had to be changed. Those concessions come following the threat of litigation by AWO on behalf of clients, the Open Rights Group following a pre-action letter and response from the Government.


On 1 May 2020, AWO published a legal opinion on tech responses to the coronavirus pandemic. That opinion was written by barristers Matthew Ryder QC and Edward Craven of Matrix Chambers and Gayatri Sarathy of Blackstone Chambers, with our Legal Director, Ravi Naik.

In that opinion, we set out our views as follows:

We are of the view that … transparency would be best achieved through a Data Protection Impact Assessment that is made widely and publicly available, with appropriate views from the ICO on that DPIA also made public. Article 35 GDPR provides that, where a type of processing is “likely to result in a high risk to the rights and freedoms of individuals”, the controller must carry out a DPIA. We note the ICO’s “Examples of processing ‘likely to result in high risk’” include “Innovative technology” and “Tracking”. Further, Article 36 GDPR requires that the controller must consult the supervisory authority prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. Our view is that any proposed measure for contact tracing is likely to result in high risk to the rights and freedoms of individuals, particularly considering the use of new technologies that involve tracking. We consider that these technologies must be the subject of a DPIA and consultation with the ICO prior to the processing of personal data.

At this stage, Test & Trace had not been deployed but the law was clear. Article 35 of the GDPR required a DPIA before Test and Trace was deployed.

Ignoring the law

On 25 May 2020, the government made clear that a manual contact tracing system would be deployed that week. On 26 May 2020, our Legal Director tweeted about concerns that there was no DPIA conducted. On 27 May 2020, Test and Trace became operational. On 28 May 2020, a privacy notice was published for Test & Trace, which contained reference to storing data for 20 years. There were a number of other concerns with that notice. On 28 May 2020, Politico reported that no DPIA had been conducted.

In this context, Open Rights Group instructed AWO to write to the government about concerns regarding the deployment of Test & Trace. On 2 June 2020, a letter was sent to DHSC with a series of questions about Test & Trace. Chief amongst those questions was the failure to conduct a DPIA and the 20-year retention period. In response to questions about the justification and explanation for the 20-year retention period, none were provided. Instead, the DHSC agreed to amend the retention period to 8 years. The engagement on the DPIA was much more fraught.

Pulling data protection from a stone

On 2 June 2020, our clients requested further information on the rapid deployment of Test & Trace and expressed concerns regarding the failure to conduct a DPIA prior to the processing of data under that system. Our letter asked four questions concerning the DPIA, including whether it was correct (as suggested to Politico) that no DPIA had been conducted prior to the deployment of the system and, if so, why. We sought an answer by 4 June 2020.

No response was received by 4 June 2020. Chasing emails were sent on 5 and 8 June 2020. On 10 June 2020, we received an email to say the DHSC was “commit[ted] to” replying by 16 June 2020. No response was received by that date. Rather, on 16 June 2020, the DHSC emailed to state that they “will reply” by 22 June 2020. In response to that communication, our client then asked a single question about the DPIA: Was test and trace deployed without a DPIA having been conducted?

In response, the DHSC stated (sic): “there were DPIAs - and accompanying privacy notices - undertaken for both the testing and contract tracing advisory service (CTAS) aspects of the programme, which augment pre-existing assessments regarding public health tracing functions.”

The DHSC further confirmed that “We will respond substantively to your remaining detailed questions by close on Monday 22nd June.”

This was the first time that the CTAS system had been mentioned in correspondence from the DHSC. On 18 June 2020, our clients sought clarification of that system and how it relates to the Programme. On 19 June 2020, the DHSC replied but did not clarify if a DPIA had been conducted for Test & Trace as a whole. On 19 June 2020, a detailed email of response was sent to Ms Perry seeking to clarify the relationship between CTAS and Test & Trace. In particular, we sought clarification of the following matters:

  • whether the CTAS system, which appeared from publicly available material to be the web-portal through which manual contract tracers logged in rather than the Programme as a whole, covered the types of processing envisaged by the Programme;
  • what aspects of the Programme were covered by the DPIA conducted for the CTAS system;
  • whether the information provided by Ms Thompson was incorrect.

A response to that email was sought in the substantive response due on 22 June 2020. No response was received by that date. Following further chasing emails, Ms Perry sent an email at 20:39 on 23 June 2020. That email confirmed that no DPIA was conducted for the Programme as a whole but rather only for CTAS. On 25 June 2020, our clients sought further direct clarification of whether the CTAS system was the same system as the Programme, as this information had not been provided, despite repeated requests for the same.

On 26 June 2020, the DHSC responded to confirm that “CTAS is also known as the NHS Test & Trace website. It is the website used by the NHS Test & Trace service to identify and trace the contacts of people who test positive for coronavirus.”

We understand Ms Perry to have confirmed that the CTAS system is a website, which is part of the Programme as the online portal for the contact tracers, but not the Programme as a whole.

Accordingly, on 1 July 2020 a pre-action letter was sent to the DHSC which was covered by Wired. A response was sent by the Government Legal Department on 15 July 2020, in which the DHSC admitted that they had not conducted a DPIA for the Test & Trace Programme as a whole. The pertinent part of that letter stated that:

“[t]he defendant accepts that: (i) Articule 35 applies to the Programme in its entirety; (ii) at or prior to the commencement of the Programme on 28 May 2020, there was not already in place a DPIA or DPIAs which addressed the processing of personal data across all aspects of the Programme; (iii) such a DPIA was and is required;”

Accordingly, DHSC admitted that Test & Trace was deployed unlawfully.

Why does this matter

The system is unlawful. But this is more than a procedural failure. A risk assessment is vital to understand the problems that may arise about a system. Its integrity will be affected and confidence in that system will be undermined. This is particularly pressing in the chief system to support the UK’s capacity to test the spread of coronavirus. However, trust and confidence in the way the Test and Trace programme uses personal data is essential to achieving the high levels of public participation we expected are needed to make the programme a success. It seems critical to not lose that trust.

The team

Open Rights Group were represented by AWO, with our legal director Ravi Naik as solicitor on the case.

Matthew Ryder QC, Edward Craven and Gayatri Sarathy acted as counsel.