Data protection and the COVID-19 test and trace system
Pannone Corporate

The NHS Test and Trace system for COVID-19 was launched on 28 May 2020, some critics say with undue haste. The accompanying contact tracing app has had a first phase launch in the Isle of Wight. The purpose of these systems is to help control the spread of the virus. As part of this, large amounts of personal data will be collected. So how has data protection been addressed in these systems?

NHS Test and Trace system for COVID-19

The Privacy Notice for the system gives some insight into the type of data that is collected and why. It sets out that people who test positive will be contacted and asked to confirm or provide their full name, date of birth, sex, NHS number, home postcode and house number, telephone number and email address as well as details of their COVID-19 symptoms including when they started and their nature. They will also be asked to give the contact details of anyone they have been in close contact with who will then be contacted by text, email or by a contact tracer to provide their full name, date of birth and contact details as well as details of any COVID-19 symptoms. Some contact tracers will be employed by private companies which act as data processors in which case those people can only see the information of the contacts they are to call.
Public Health England (PHE) will keep the personal data for people with COVID-19 symptoms for 20 years and 5 years for contacts of those people who do not have symptoms. PHE justify this retention period on the basis that COVID-19 is a new disease and it may be necessary to know this information to help control any future outbreaks or provide any new treatments. However, privacy campaigners have expressed concern about the length of the retention period and the potential for personal data to be used by other government departments for other purposes.
It has been reported that PHE did not complete a Data Protection Impact Assessment (DPIA) before launch of the NHS Test and Trace system and that The Open Rights Group have made a complaint to the Information Commissioner’s Office (ICO) about this. Under the GDPR a DPIA must be carried out for processing which is likely to result in high risk to an individuals’ rights and freedoms, prior to the processing. In particular a DPIA must be carried out in the case of processing on a large scale of special category data, which includes health data, so one should have been carried out for the system. In certain cases the ICO needs to be consulted about a DPIA if the processing would result in a high risk and the controller cannot take measures to reduce that risk. In that case, the ICO will provide advice to the controller including in appropriate cases advice not to carry out the processing because the ICO consider it would breach the GDPR.
The DPIA serves the important purpose of considering the likely processing and helps to identify and mitigate the data protection risks. The reported lack of a DPIA before launch gives the impression that the data protection implications of the system have not been fully thought through and could be a factor which undermines public trust in it.

NHS Covid-19 App

On 7 May 2020 the ICO confirmed that it is reviewing the DPIA for NHSX’s pilot of its contact tracing app on the Isle of Wight. The ICO state that even though there is no legal requirement for NHSX to do so, NHSX has asked the ICO for an informal review of its DPIAs for the Isle of Wight trial and for a national roll out of the app. The ICO has agreed to do this as part of its support to NHSX.
Alongside this the ICO has prepared a document for the Human Rights Joint Committee which was sent in advance of an appearance before the Committee of the Information Commissioner and the ICO’s Executive Director of Technology and Innovation. This document sets out the ICO’s expectations on how contact tracing solutions may be developed in line with the principles of data protection by design and default and includes best practice recommendations. This makes clear that a DPIA must be completed prior to the commencement of the processing and updated at all relevant stages of the app’s development.


The ICO’s involvement with the NHSX contact tracing app is encouraging. However, it does seem that the NHS Test and Trace system has some further work to do to re-assure the public that the data protection risks have been considered and addressed.
If you require any further information or assistance please contact our specialist data protection team:

Amy Chandler, Partner,
Patricia Jones, Consultant,
Danielle Amor, Senior Associate,

Back to homepage