NHS under fire for plans to store track and trace data for 20 years

Matthew Field

NHS Test and Trace will store harvested health data on millions of people for up to 20 years in a data grab described by privacy experts as worse than “post 9/11 data retention”.

A privacy notice for the Test and Trace system, which comes into force today, says the service will store details of people who report they have coronavirus symptoms for two decades.

The notice said: “The personal identifiable information collected by the NHS Test and Trace on people with coronavirus or who have symptoms will be kept for 20 years.

“The personal identifiable information collected on the contacts of people with coronavirus, including those who are showing symptoms, will be kept for 5 years.

“The information needs to be kept for this long as may be needed to help control the spread of coronavirus, both currently and possibly in the future.”

The data gathered on individuals can include name, date of birth, post code and house number, telephone number, and email. 

However, privacy experts cautioned the mass storing of coronavirus data could undermine trust in the system.

Gus Hosein, a director at Privacy International and member of NHSX’s ethics board, called it a “ridiculously long period of time”. “I can say that even post 9/11 retention periods were never dreamt to be that long,” he said.

Storing health data for many years is not unprecedented. British Medical Association guidelines state that some health data can be held for several decades. Maternity data is held for 25 years after the birth of a child, and mental health records are held for 20 years.

However, Mr Hosein, who has been advising NHSX, said the coronavirus crisis should not provide justification for a massive data grab. Mr Hosein said: “In any emergency the data should be destroyed when the emergency is over. If there’s a case to be made to extend it, make that case clearly and thoroughly right now, before it all starts.”

Ravi Naik, a data privacy lawyer, said the retention period was “not abnormal” for NHS data, “but it does seem a worryingly long time in the context of coronavirus. In particular, what happens to the data once stored?”

He added clauses on who could work with the test and trace data were “dangerously vague”. 

A spokesman for the Information Commissioner's Office, the UK's data watchdog, said they had written to Public Health England to “understand more about how the test and trace system will ensure the protection of people’s personal data”.

The privacy documents state people do not have an “absolute right” to have their data deleted from the service if they ask. They add that the data gathering is justified in the public interest and to protect public health.

The privacy notice adds only those with a “specific and legitimate role in the response and who are working on the NHS Test and Trace” can see the data.

The team behind the UK’s contact-tracing app, which is being developed by NHSX but has not launched alongside the track and trace system on Thursday, have previously said data gathered by this app would be deleted at the end of the pandemic or anonymised for research purposes.

David Grout, of cyber security firm FireEye, said the length of time the test and trace system stored data could still worry those downloading the separate NHSX app, since the whole system will rely on public trust. 

He said: “This might not be too much of a headache for the Government while manual tracking is the norm, it is hard for the public to 'opt out' of that, but it will become more of an issue when NHSX’s contact tracing app is launched as this will rely on the public opting in for the project to work.”

A Public Health England spokesman said the data was being held in “order to retain information about these cases and their contacts to help control future outbreaks or to provide new treatments”.