
Personal information collected by NHS Test and Trace to be kept for 20 years

Status
Not open for further replies.

Puffing Devil

Established Member
Joined
11 Apr 2013
Messages
2,766
And no absolute right for people to delete their personal data after the pandemic has passed.

We can rest assured that "It is held on PHE’s secure cloud environment, which is kept up-to-date to protect it from viruses and hacking."

All in the privacy notice on the NHS/GOV/Contact Tracing Website.
The personally identifiable information collected by NHS Test and Trace for people with COVID-19 symptoms is kept by Public Health England for 20 years.

The personally identifiable information collected on the contacts of people with COVID-19 but who do not have any symptoms is kept by Public Health England for 5 years.

This information needs to be kept for this long because COVID-19 is a new disease and it may be necessary to know who has been infected, or been in close contact with someone with symptoms, to help control any future outbreaks or to provide any new treatments.

I'm not comfortable surrendering my data to a cobbled-together cloud system, with minimally trained operators recruited in a rush. Others may have a different opinion.
 

yorksrob

Veteran Member
Joined
6 Aug 2009
Messages
39,011
Location
Yorks
I can see little justification for retaining personal data for such a long time.

Surely any relevant data for future study can be anonymised a lot earlier.
 

david1212

Established Member
Joined
9 Apr 2020
Messages
1,478
Location
Midlands
Hmmmmmmmmmmmmmmmmm

All personal contact information is only needed very short term to communicate with the person who is the Covid-19 carrier and anyone known to them.

For overall analysis of the system only anonymised data is required.
 

RichT54

Member
Joined
6 Jun 2018
Messages
420
I wonder whose computers the PHE’s secure cloud environment runs on? Is it their own, or is it outsourced to an organisation that could make lucrative use of the information?
 

EssexGonzo

Member
Joined
9 May 2012
Messages
636
Even if it's an outsourced IT infrastructure and cloud service, that provider won't be able to use the information. Any big Gov't provider just won't play around with that sort of thing. The data owner will be PHE.

However, without seeing the T&Cs, I don't know whether PHE can pass the data on to any other Gov't department.

Also - what about the app provider? That's the bit of the chain that I really don't trust. There may well be some allowance in the T&Cs for them to use the data for seemingly innocuous purposes.

I won't be using it.
 

Tetchytyke

Veteran Member
Joined
12 Sep 2013
Messages
13,305
Location
Isle of Man
I wonder whose computers the PHE’s secure cloud environment runs on?

That would be Amazon. And we all know Bezos is as honest as the day is long.

Interestingly they've put a geo lock on the website. I can't access it from my Manx IP.

Any big Gov't provider just won't play around with that sort of thing.

The boss of this new thing is Dido Harding. You might know her from such things as the 2015 TalkTalk hack where up to 4m people had confidential information stolen. Harding "didn't know" if the information was encrypted or how many people were actually affected.

She is, however, a Tory Peer and married to a former Tory minister, so she is perfectly qualified for the job :lol:
 

Yew

Established Member
Joined
12 Mar 2011
Messages
6,550
Location
UK
Whilst I support keeping the data, as it could come in useful for helping define epidemiological models in the future (see the comments on Prof. Ferguson's models), I can see no reason for it not to be anonymised. I suppose that in theory, one's identity can be discovered through location data, however that strikes me as a reasonable level of obfuscation, as long as access is controlled for academic purposes only.
 

Qwerty133

Established Member
Joined
7 Oct 2012
Messages
2,455
Location
Leicester/Sheffield
This is especially worrying considering the prior disregard shown to the importance of keeping data safe or even in informing people when it becomes clear there has been a breach shown by the woman in charge of NHS track and trace.
 

Qwerty133

Established Member
Joined
7 Oct 2012
Messages
2,455
Location
Leicester/Sheffield
Surely it should be deleted at the end of the 14 day isolation period?
There may be genuinely beneficial reasons to keep some data for a short time beyond the isolation period, such as in order to collect user feedback as to how the system is working, or to determine if there is any possibility of becoming symptomatic after more than 14 days, but there is certainly no reason for the timeframe to be measured in years rather than months (or even weeks).
 

Starmill

Veteran Member
Joined
18 May 2012
Messages
23,387
Location
Bolton
I'd like to get a proper data protection lawyer's view on this.

In my own judgment though, 20 years seems both lacking in an evidence base and also egregiously long.
 

pdeaves

Established Member
Joined
14 Sep 2014
Messages
5,631
Location
Gateway to the South West
There may be genuinely beneficial reasons to keep some data for a short time beyond the isolation period, such as in order to collect user feedback as to how the system is working, or to determine if there is any possibility of becoming symptomatic after more than 14 days, but there is certainly no reason for the timeframe to be measured in years rather than months (or even weeks).
If I recall correctly, blood donation information is kept for many years, way after the donation has been used and, hopefully, the patient has made a full recovery. I am not aware of massive worries about this. In principle, is there any difference in this case?
 

RichT54

Member
Joined
6 Jun 2018
Messages
420
In addition to concerns about the retention of this information by the official system, it provides a new opportunity for criminals to impersonate contact tracers in text messages and phone calls in order to gain and exploit personal information. How do we know any contact tracer is genuine?
 

Domh245

Established Member
Joined
6 Apr 2013
Messages
8,426
Location
nowhere
If I recall correctly, blood donation information is kept for many years, way after the donation has been used and, hopefully, the patient has made a full recovery. I am not aware of massive worries about this. In principle, is there any difference in this case?

Two key differences spring to mind, firstly that Blood donation (and until recently organ donation) is entirely voluntary/opt-in meaning that if you don't want to have your data kept for 30 years, you simply don't have to donate blood whereas if you get COVID symptoms (or someone you've been in contact with does) then your data is harvested.
Secondly, the retention for Blood & Transplant is set out in laws that have gone through Parliament in the proper fashion and evidently have sound basis and requirement. Keeping the COVID data seems to just be "because" with no real basis.

From Blood & Transplant
NHSBT will hold your data for the time period stated in the Blood Safety & Quality Regulations 2005, Tissue and Cells Quality and Safety Regulations 2007, the Organ Quality and Safety Regulations 2012 and the Records Management Code of Practice for Health and Social Care. These set out minimum retention periods. For example, for blood donation we must retain records for a period of not less than 30 years for the identification of each single blood donation and each single blood unit and its components (including blood and blood components which are imported into the European Community) and to ensure full traceability to the point of delivery to a hospital.

From Track & Trace
The personally identifiable information collected by NHS Test and Trace for people with COVID-19 symptoms is kept by Public Health England for 20 years.

The personally identifiable information collected on the contacts of people with COVID-19 but who do not have any symptoms is kept by Public Health England for 5 years.

This information needs to be kept for this long because COVID-19 is a new disease and it may be necessary to know who has been infected, or been in close contact with someone with symptoms, to help control any future outbreaks or to provide any new treatments.
 

ainsworth74

Forum Staff
Staff Member
Global Moderator
Joined
16 Nov 2009
Messages
27,679
Location
Redcar
Yeah, I was already thinking that I would be giving the app a miss due to the seeming dog's breakfast of an implementation but I think this is the final nail in the coffin in terms of whether I'll be downloading it!
 

Darandio

Established Member
Joined
24 Feb 2007
Messages
10,678
Location
Redcar
Yeah, I was already thinking that I would be giving the app a miss due to the seeming dog's breakfast of an implementation but I think this is the final nail in the coffin in terms of whether I'll be downloading it!

But it's your civic duty! :rolleyes:

Eye roll directed at the muppets in charge and not you of course.
 

carlberry

Established Member
Joined
19 Dec 2014
Messages
3,169
But it's your civic duty! :rolleyes:

Eye roll directed at the muppets in charge and not you of course.
If your eyes are rolling I suggest driving at least 30 miles to any available tourist destination, preferably with as many family members as you can get in the same vehicle just to make sure you're OK. And keeping the evidence for 20 years just in case it happens again.
 

Islineclear3_1

Established Member
Joined
24 Apr 2014
Messages
5,836
Location
PTSO or platform depending on the weather
From the 1998 Data Protection Act which has since been updated by the new Act of 2018

"Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"

How does one define "limited to what is necessary?" Very grey area IMHO

"Kept in a form which permits identification of data subjects for no longer than is necessary"

Again, how does one define "for no longer than is necessary?" Again, a very grey area

There is also: the right to erasure, or the right to be forgotten viz:


At a glance
  • The GDPR introduces a right for individuals to have personal data erased.
  • The right to erasure is also known as ‘the right to be forgotten’.
  • Individuals can make a request for erasure verbally or in writing.
  • You have one month to respond to a request.
  • The right is not absolute and only applies in certain circumstances.
  • This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.
 

johntea

Established Member
Joined
29 Dec 2010
Messages
2,602
I work for NHS IT (not Test and Trace just to clear any doubt!) and you see this a lot, they want to keep data for an eternity which usually boils down to 'just in case' more than any actual valid reason

It can be annoying in terms of backups as they seem to think we have an unlimited budget for storage, luckily enough at least most are virtual servers rather than the wide array of physical ones we used to have to deal with! (Good luck booting one of those back up and expecting it to work 20 years later!)

GDPR is also an interesting one, there is simply no way we could go through all the backups and 'delete' someone out of them! The only way would be for their details to be removed from the live system but this would then take 6 months to filter fully through the backups due to retention (I believe the unofficial line is this is fine even though the policy doesn't mention it as such, with the caveat that if we had to restore a system from a backup we would take the person out of the restored copy straight away)
 

Crossover

Established Member
Joined
4 Jun 2009
Messages
9,253
Location
Yorkshire
GDPR is also an interesting one, there is simply no way we could go through all the backups and 'delete' someone out of them! The only way would be for their details to be removed from the live system but this would then take 6 months to filter fully through the backups due to retention (I believe the unofficial line is this is fine even though the policy doesn't mention it as such, with the caveat that if we had to restore a system from a backup we would take the person out of the restored copy straight away)

I seem to recall GDPR does account for that insomuch as the details would be deleted out of the live system and would ultimately work its way out of backups in due course.

However, if the data had to be restored to an earlier point in time, then surely in order to be able to remove those details of someone who wishes to be forgotten, that one would have to have another copy of some of their details in order to know to remove them ;)
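
The approach discussed in the two posts above (erase from the live system, let backups age out, re-apply erasures after any restore) needs some record of who was erased. The sketch below is an added example, not part of either post or of any NHS system, that keeps that record as keyed hashes instead of readable details. The key, the `id` field, the 183-day figure for "6 months" and every function name are assumptions; the sample records are constructed.

```python
import hashlib
import hmac
from datetime import date, timedelta

RETENTION = timedelta(days=183)  # assumption: "6 months" of backup retention
KEY = b"constructed-demo-key"    # assumption: in practice stored apart from backups
BACKUP = [{"id": "ID-0001", "name": "A"},   # constructed sample records
          {"id": "ID-0002", "name": "B"}]


def token(key: bytes, identifier: str) -> str:
    """Keyed hash of a normalised identifier; the register stores only this."""
    norm = "".join(identifier.split()).lower().encode()
    return hmac.new(key, norm, hashlib.sha256).hexdigest()


def record_erasure(register: dict, key: bytes, identifier: str, when: date) -> None:
    """Deletion from the live system happens elsewhere; remember only the token."""
    register[token(key, identifier)] = when


def scrub_restored(records: list, register: dict, key: bytes):
    """Re-apply past erasures to records restored from an older backup."""
    kept = [r for r in records if token(key, r["id"]) not in register]
    return kept, len(records) - len(kept)


def backups_holding(erased_on: date, backup_dates: list, today: date) -> list:
    """Backups taken up to the erasure date that have not yet aged out."""
    return [b for b in backup_dates
            if b <= erased_on and b + RETENTION > today]


def prune_register(register: dict, today: date) -> None:
    """Drop tokens once every backup that could hold the person has expired."""
    for t in [t for t, d in register.items() if d + RETENTION <= today]:
        del register[t]


if __name__ == "__main__":
    reg = {}
    record_erasure(reg, KEY, "id-0002 ", date(2020, 6, 1))
    print(scrub_restored(BACKUP, reg, KEY))
```

Pruning the register on the same schedule as the backups means the leftover token is itself held only as long as a restore could bring the person back.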
 

Crossover

Established Member
Joined
4 Jun 2009
Messages
9,253
Location
Yorkshire
Regarding the point at hand, has any justification been given for the storage of data for 20 years or has it just been plucked out as an arbitrary figure? Either way, it is rather concerning
 