Data provided by people through the new test-and-trace programme to defeat coronavirus will be kept for 20 years, it has been revealed.
The disclosure – coming after ministers rejected a plea from MPs and peers to pass an emergency law to set out clear rules – will heighten privacy fears, on the day the scheme finally got underway.
Information including name, address, date of birth, phone numbers and email addresses will be collected and stored by the NHS for people with Covid-19, or with symptoms.
Individuals will be able to “ask” for their information to be deleted, but Public Health England has warned “this is not an absolute right” and that it might “need to continue to use your information”.
A new privacy notice states that a private firm, Amazon Web Services, “is providing the secure storage location for the information collected by NHS test-and-trace”.
And it adds: “This information needs to be kept for this long because Covid-19 is a new disease and it may be necessary to know who has been infected, or been in close contact with someone with symptoms, to help control any future outbreaks or to provide any new treatments.”
Data from people with symptoms will be retained “for 20 years”, while information from those without symptoms will be kept “for 5 years”.
The notice reassures people that the data will be “held on PHE’s secure cloud environment, which is kept up-to-date to protect it from viruses and hacking”.
“It can only be seen by those who have a specific and legitimate role in the response and who are working on the NHS test-and-trace. All these staff have been trained to protect people’s confidentiality.”
However, the notice triggered a warning that the long period of data-retention risked people refusing to use the smartphone app, when it is finally launched as part of test-and-trace.
“The length of time the data is being stored for, and the lack of personal control on how the data is being used and kept are bound to cause privacy concerns,” said David Grout, of information security company FireEye.
“This might not be too much of a headache for the government while manual tracking is the norm, but it will become more of an issue when NHSX’s contact tracing app is launched, as this will rely on the public opting in for the project to work.”
Last week, Harriet Harman, Labour’s former deputy leader who chairs Westminster’s human rights committee, attacked the failure to pass a privacy law.
“The data gathered for this purpose should be protected. That is the responsibility on the state,” she told ministers.
“It’s also important in terms of ensuring there’s confidence in it such that people are prepared to download and stick with the app.”
A Public Health England spokesperson declined to discuss why data would be retained for 20 years, but said: “It is important that Public Health England is able to retain information about these cases and their contacts to help control any future outbreaks or to provide any new treatments.”