Information Commissioner's Office
ICO and NHS Test and Trace agree data protection improvements following consensual audit
The ICO has issued NHS Test and Trace with recommendations to strengthen the protection of people’s personal data, so it can continue to play a vital role in tackling the pandemic.
The recommendations are the result of a consensual audit agreed with the Department for Health and Social Care (DHSC). The audit, which took place in the summer of 2021, checked DHSC’s compliance with data protection legislation and highlighted areas where people’s data could be handled better.
The ICO and DHSC agreed to focus the audit on two specific areas, chosen to bring about the improvements of greatest benefit to the public. The first, “Governance and Accountability”, looked at the policies and procedures that were introduced to keep data secure. The second, “Processor and Third Party Supplier Relationship Management”, looked at how NHS Test and Trace managed external suppliers and contractors to ensure they maintained high data protection standards.
Due to the system’s infancy and the speed at which it was set up, the ICO found key requirements for data protection were not yet in place and formal processes had not yet been embedded.
As a result, the audit proposed a number of recommendations to strengthen the protection of people’s personal data, including:
- expanding NHS Test and Trace’s programme of staff training to include tailored courses for different roles, for example training front-line staff on how to communicate privacy information.
- developing and communicating additional processes and policies to staff, such as privacy risk assessments and security guidance, to ensure that there’s a strong privacy culture within NHS Test and Trace.
- adding auditing mechanisms, such as periodic reviews and monitoring of contracts, to ensure that staff and third parties follow agreed processes.
The UK Health Security Agency (UKHSA), which in October 2021 took responsibility for NHS Test and Trace, agreed to these recommendations and provided a detailed action plan outlining their response and progress for all recommendations. The ICO will review in 2022 UKHSA’s progress in addressing any outstanding recommendations.
James Dipple-Johnstone, Deputy Commissioner and Chief Regulatory Officer, said yesterday:
“The NHS Test and Trace programme was set up at pace, under extraordinary circumstances and is a vital tool to help keep people safe in this pandemic.
That's why it was important for us to work together to highlight any data protection issues. Our findings were what you would expect from a new service that was implemented so quickly. But, given the improvements made and their ongoing commitment to embedding high data protection standards, people can continue to have confidence the NHS Test and Trace programme is implementing appropriate safeguards for people’s data. The ICO will continue to offer support to NHS Test and Trace as they continue their important work in tackling the pandemic."
Dr Jenny Harries, Chief Executive of UKHSA, yesterday said:
“In response to the global pandemic we have built the largest diagnostic network in British history, to ensure everyone can get tested for COVID-19 and close contacts can be traced quickly and efficiently in response to the changing epidemiology.
“UKHSA is fully committed to working proactively with the ICO to ensure it is fully compliant with all relevant legislation, including the UK General Data Protection Regulation (UK GDPR), and I’d like to thank the ICO for their support. UKHSA has already made significant progress implementing changes since the ICO audit took place in the summer.”
Notes to Editors
- The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17 million (€20 million) or 4% of global turnover.
- The DPA2018 and UK GDPR gave the ICO new strengthened powers.
- The data protection principles in the UK GDPR evolved from the original DPA, and set out the main responsibilities for organisations.
- Section 146 of the DPA2018 gives the Information Commissioner the power to carry out compulsory data protection audits, but the ICO predominantly conducts consensual audits. These audits are completed by the Assurance Department.
- At the start of the COVID-19 outbreak, Public Health England (PHE) carried out test and trace activities. In May 2020, the NHS Test and Trace programme was introduced.
- The Department of Health and Social Care (DHSC) has overarching responsibility for NHS Test and Trace, and the Secretary of State for Health and Social Care has ministerial accountability. In October 2021 NHS Test and Trace was incorporated into the UK Health Security Agency (UKHSA).
- The audit of the NHS Test and Trace system covered “Governance and Accountability” and “Processor and Third Party Supplier Relationship Management”. The functionality of the NHS COVID-19 App was not included in the scope of this audit.