Test and Trace unlawful?

All over the world, there are methods and programmes in place to track and trace people with a particular virus, in this case Coronavirus (Covid-19). The UK is still learning valuable lessons and was in the process of developing a mobile application for test and trace.

Reports from websites (such as https://www.bbc.co.uk/news/technology-53466471) indicate that the Department of Health has admitted to the Open Rights Group (ORG) that it failed to conduct a Data Protection Impact Assessment (DPIA). 

Let us refer to the ICO’s website statement:

“You must do a DPIA before you begin any type of processing that is ‘likely to result in a high risk’.”

Strictly speaking, doing a DPIA at the beginning of a project is not mandatory. However, surely a DPIA should have been performed prior to any processing? The nature of such innovative technology is to collect people's names, dates of birth, postcodes, who they live with, places they visited, and the names and contact details of other people who were in close proximity. Therefore, how can you design a system without a DPIA? As a software developer in a previous life, one of the things we learn is that it is better to get requirements in at the earliest opportunity because it costs more money to fix problems further down the software development lifecycle. One of the things I teach people is to get your functional AND SECURITY requirements in place. Using techniques such as threat modelling and embedding security considerations should be the norm nowadays (alas, I keep on dreaming).

The government is arguing there is no evidence of data being used unlawfully. ORG is stating that a DPIA is a legal requirement and that one has not been produced. Who should we believe? If it is shown no DPIA was done by the time it was rolled out, all I can think about is rolling my eyes and questioning how anyone can design and focus on rushing a pilot app and then think “oh, maybe we should think about doing a DPIA”.

One thing I do find curious is that the ICO confirmed to the BBC it was providing guidance as a “critical friend”. What does that mean? I do not know the extent of co-operation, but I would be surprised if the ICO were working with the government instead of acting as an independent regulator.

I’m sure there is more to come in the subsequent months and when the world has Covid-19 under control. There will be lots of lessons learned. It’s just a shame that we could not learn from other countries in previous years who experienced previous forms of Coronavirus.

Sadly, it is often the case that I’m called into a business where they are now thinking about security, this “thing called GDPR” or “PCI DSS”. I take a deep breath in, smile and away we go on their security or compliance journey.

And remember… Doing security is not a compromise.