A Data Protection Impact Assessment (“DPIA”) is a key first step in data protection compliance for a new project or change to existing processes.  It should set out the scope of the proposed processing and assess the applicability of the data protection principles and other GDPR safeguards on the processing.  Risks identified should be avoided or mitigated and the DPIA process should be reviewed during the course of the project and documented.

It sounds simple enough, lots of businesses carry them out every month but the requirement was overlooked by government when it introduced the Test and Trace scheme in the UK.  The government argues that DPIAs were carried out on parts of the process but not on the scheme overall.  It was brought to public attention by a UK rights group and resulted in widespread coverage and criticism.

So what are the issues when the DPIA step is omitted?  Firstly there is the resultant bad PR around the fact that privacy issues are being overlooked!

Technically the data collection could be ruled unlawful.  Failure to conduct a DPIA means that the data collection under the Test and Trace scheme, which has already started, is unlawful and operators could be instructed to delete the records. Enforcement Notices could by used by the Information Commissioner to stop processing or to implement specific security measures

There is now the risk of legal action in relation to the Test and Trace Scheme.  This will inevitably fuel the continued bad PR as well as potential enforcement action.  The government could lose control of Test and Trace.  Added to that there is the resources needed to fight a legal case, time, money, management attention which would have been better directed elsewhere.

Other criticisms levelled by the UK rights group is that the program has been rushed and systems have been bolted together at short notice.  This undermines the perceived fitness of the programme in the minds of the public.  Test and trace is a voluntary scheme and publicity about privacy failings will influence whether or not the public is prepared to participate.

In legal terms the DPIA is an important step to meet legal requirements under UK GDPR and could lead to regulatory investigation.  One commentator noted that it is an indication of exceedingly poor governance and control.  The Guardian reported three other data breaches by the programme in addition to the failure to carry out a DPIA showing that data breaches bring unwanted attention and who knows what else might come to light?  Public Health England has stated that parts of the Test and Trace programme were subject to DPIA and the ICO is now involved in reviewing the outcome.  An investigation by the ICO will again require time, money and management attention from the Test and Trace team and Public Health England.

The ICO has issued guidance for private businesses collecting data for the Test and Trace Scheme.  One issue is immediately apparent, the government and NHS can hold the data for 20 years under relevant legislation, whereas café, restaurant and bar owners are advised to hold the data for the minimum required which is suggested as 21 days.  I think we need to see that DPIA.

A longer term issue is the message implicit in the government’s failure to conduct a DPIA.  Is our government not committed to data protection?  Is data protection viewed as just all red tape?

It may be so, but it is clear that there are implications of non-compliance even for the government: bad PR; risk of legal action; loss of consumer trust; threat of regulatory inquiry; and the time, cost and management attention required to manage the fallout from all of these.  Carrying out a DPIA risk assessment is still a UK legal requirement and we still recommend carrying them out for projects or changes to existing processes to save time, money and hassle.

Mandy Webster, Data Protection Consultant