Personal information collected by NHS Test and Trace to be kept for 20 years
And there is 'no absolute right' for people to delete their personal data after the pandemic has passed
According to the privacy notice attached to the new NHS Test and Trace website, data collected as part of the new Test and Trace programme will be held for up to 20 years.
Test and Trace is a Public Health England (PHE) programme designed to identify and quarantine people who have been in contact with individuals who test positive for Covid-19. Its aim is to slow the spread of the coronavirus. Test and Trace will deploy human contact tracers and a contact tracing phone app is currently being tested on the Isle of Wight.
"If you have had a positive test for COVID-19, we will ask for information about your illness, recent activities you did and people you met whilst you were potentially infectious," says the programme's website (which is labelled 'Beta'). "If you are a contact of a person who tested positive, we will ask about your health and provide health advice to keep yourself and others safe."
In other countries such as South Korea, similar programmes have helped to minimise the spread of the virus and drastically reduce the number of fatalities. However, the UK has lagged behind in terms of testing and currently has one of the highest infection rates. The website shows signs of having been rushed out, using US terminology such as "personal identifiable information" which has no legal meaning in the UK, for example.
Privacy experts have expressed concern on social media about the terms attached. For example, personal identifiable information collected by the NHS Test and Trace on people with coronavirus or who have symptoms will be kept for 20 years.
Also, while citizens may ask for their data to be deleted, this is not an absolute right.
While the case for the authorities to use personal health data to control the disease is clear, so too is the need to maintain public trust.
Many experts have questioned the efficacy of the app currently being trialled and also the choice of centralised data collection where other countries have opted for a privacy-protecting decentralised approach where data is kept encrypted on the device.
"The privacy notice for the NHS contact tracing app has stated that the NHS will hold onto personally identifiable information for 20 years. While they claim this is to help prevent the spread of coronavirus in the future this will be highly concerning for many, and is likely to discourage people from downloading the app. It fails to take into account that user preferences might change over that time. They may be happy to offer the data now to support the wider spread of the current pandemic, but why should it be held to prevent a future pandemic that may never happen?" said Youngjin Yoo, project lead of another contact-tracing app, Sharetrace, and a professor for research environment at Warwick Business School.
"Users should not need to sacrifice their data for years on end just to feel safe at the present moment. There are alternatives to this system where users can maintain control over their data, but allow the NHS to access it when it is necessary - with data infrastructures that are based on personal data ‘accounts'. Trusting the NHS with this data is not the same as ensuring that users' privacy is protected. We must prioritise the approaches that protect privacy of personal data."
Public Health England have been asked to comment.