Test and trace scheme to keep citizens’ personal data for 20 years
PHE also reveals outsourcers Serco and Sitel will process sensitive information and claims length of retention is ‘because Covid-19 is a new disease’
Personal data from the NHS Test and Trace programme will be kept for 20 years and health secretary Matt Hancock has provided special exemption for the scheme to use sensitive information without citizens’ consent.
The privacy notice for the programme, which launched yesterday, not only cites the sections of the General Data Protection Regulation pertaining to use of data in the public interest or for delivery of public services, but also indicates that Hancock has provided Public Health England with “special permission… to use personally identifiable information without people’s consent, where this is in the public interest”.
Personal data – on those who have tested positive for Covid-19 – will initially be provided to the programme by Public Health England. Contact tracers will then get in touch with these people to obtain or confirm their full name, date of birth, sex, NHS number, full home address, telephone number, email address, and a history of their coronavirus symptoms. Tracers will also ask for contact details of anyone who has come into close contact with those who have tested positive.
Personal data on people that have suffered symptoms will be kept by PHE for 20 years. Information on those who have been in close contact with confirmed cases but have shown no symptoms themselves will be retained for five years.
The privacy notice said: “This information needs to be kept for this long because Covid-19 is a new disease and it may be necessary to know who has been infected, or been in close contact with someone with symptoms, to help control any future outbreaks or to provide any new treatments.”
25,000: Number of contact tracers recruited for Test and Trace scheme
Serco and Sitel Group: Outsourcers appointed by PHE to help meet the recruitment requirements of Test and Trace
30 September: End date of emergency order issued last month by Matt Hancock, instructing NHS organisations to process and share confidential data
Five years: Length of time personal data will be kept on people who have been in contact with coronavirus cases but did not develop symptoms
Amazon Web Services: Cloud firm tasked with storing and securing data
The data will be stored in an Amazon Web Services cloud environment. But, although the notice indicates that the tech firm is allowed to process the data, its “staff… are not able to see any of the information collected”.
“Information… is held on computer systems, which have been tested to make sure they are secure and are being kept up-to-date to make sure they are safe from viruses and hacking,” PHE said.
In addition to Public Health England – which is the data controller – information will also be processed by the Department of Health and Social Care, and two of its arm’s-length bodies: NHS Business Services Authority; and NHS Professionals – a recruitment company owned by DHSC.
Because of the “unprecedented” hiring demands of the programme – which has required the rapid recruitment of 25,000 tracers – PHE has “instructed” two outsourcers, Serco and Sitel Group, to provide “additional staff”.
The two firms are consequently listed as data processors.
“The contact tracers working for Serco UK and Sitel Group… can only see the information of the contacts they have been instructed to call,” PHE said. “Serco UK and Sitel Group staff working on NHS Test and Trace have been trained to protect the confidentiality of people with Covid-19 and their contacts.”
It added: “No information that could identify any person with COVID-19 or their contacts will ever be published by Public Health England or any of the organisations working with it on NHS Test and Trace.”
Rights and restrictions
Citizens whose data is held by the scheme have the right to ask for a copy of their personal information, and for inaccurate info to be corrected or restricted in its use.
They can also object to their data being used, and can ask for its deletion – but the notice makes clear that neither of these is “an absolute right”.
“Public Health England may need to continue to use your information,” it said. “We will tell you why if this is the case.”
Although 20 years may seem like a long time for data to be retained – particularly in support of a comparatively short-term scheme such as this – lengthy data-storage periods are not uncommon across the health service.
The Records Management Code of Practice implemented by the government in 2016 outlines that, for example, care providers should keep mental health records for 20 years after a patient’s discharge, while information on long-term or recurring conditions is held for 30 years after treatment has ended. Blood bank records are kept for a minimum of 30 years after their creation.
The exemption given by Hancock for data to be used without individuals’ consent comes after the health secretary last month issued a six-month order instructing health-service organisations that, in supporting government’s coronavirus response, they are “required to process confidential information” in ways that might ordinarily be restricted.
In a series of emergency notifications, all national and local NHS entities, arm’s-length government bodies, and local authorities were informed that they can, effectively, share any patient data with any relevant organisation, providing the purpose of doing so is solely related to coronavirus research or response. They may also be directly instructed by government to engage in such sharing.
The order was issued with an end date of 30 September – although this could be extended if Hancock issues an explicit order to do so.