The UK Health Security Agency (UKHSA) has agreed to a set of recommendations from the Information Commissioner’s Office (ICO) on data protection in the NHS Test and Trace programme.
They have been made on the basis of a consensual audit agreed with the Department for Health and Social Care.
The move comes after UKHSA took responsibility for Test and Trace last October. It has now provided a detailed action plan and the ICO will review the progress in 2022.
The recommendations include expanding staff training to include tailored courses for different roles. One example would be a course for frontline staff on how to communicate privacy information.
Another is to develop and communicate additional processes and policies, such as privacy risk assessments and security guidance, to create a strong privacy culture inside Test and Trace.
The ICO has also identified a need to add auditing mechanisms, such as periodic reviews and monitoring of contracts, to ensure that staff and third parties follow agreed processes.
Dr Jenny Harries, chief executive of UKHSA, said: “UKHSA is fully committed to working proactively with the ICO to ensure it is fully compliant with all relevant legislation, including the UK General Data Protection Regulation, and I’d like to thank the ICO for their support.
“UKHSA has already made significant progress implementing changes since the ICO audit took place in the summer.”
James Dipple-Johnstone, ICO deputy commissioner and chief regulatory officer, said: “The NHS Test and Trace programme was set up at pace, under extraordinary circumstances and is a vital tool to help keep people safe in this pandemic. That's why it was important for us to work together to highlight any data protection issues.
“Our findings were what you would expect from a new service that was implemented so quickly. But, given the improvements made and their ongoing commitment to embedding high data protection standards, people can continue to have confidence the NHS Test and Trace programme is implementing appropriate safeguards for people’s data.”
The audit, which took place in summer 2021, checked DHSC’s compliance with data protection legislation and highlighted areas where people’s data could be handled better.
It was focused on two areas of activity: governance and accountability, and processor and third party supplier relationship management. Due to the system’s infancy and the speed at which it was set up, the ICO found key requirements for data protection were not yet in place and formal processes had not yet been embedded.