It's laudable that free Covid-19 lateral flow home test kits became available in England yesterday, e.g. from pharmacies. You're meant to report results even if negative (though that could be made clearer), by phone/online. But - then you get an email from Gov.uk Notify with your result, advocating continued social distancing etc - with your name, date of birth and NHS number, right at the top of the email! Full marks for promptness, but - for security/privacy...?
As is well known, email is insecure. If your email or the NHS's gets hacked, or intercepted, or shoulder surfed, bad guys can use your name, DoB and NHS no. for fraud and/or identity theft. I guard my DoB jealously, not just because some women don't like revealing their age (yes, I am over 30!), but because of this risk of crime. I only ever give my real DoB to government, health and financial organisations (perturbation anyone? 😁).
Too many organisations use just name and DoB to identify customers who contact them, sometimes combined with address/postcode, which usually aren't difficult for criminals to discover. (Recall that in Germany, for using just name and DoB for authentication, 1&1 got fined €9.55m, reduced by the court to €0.9m – which is still substantial.)
I'm OK with the UK DHSC requesting my DoB and NHS number (as long as they store it securely and share it securely and only on a need to know basis). But, I already know my own DoB and NHS no., wouldja believe it, and, with this type of home test kit, I do actually already know my result! There's absolutely no need to email any of that info to me.
Even if they'd adapted a previous standard form of email designed to go to people who didn't already know their results, again there's no need to include DoB or NHS number. (It's not just the DHSC - other organisations are guilty of emailing people with their DoB too, including an optician I was unfortunate enough to try using.)
I suspect that if I didn't give my DoB/NHS no. they wouldn't take my report, or if I asked for that info not to be automatically included in their follow-up email, they'd reply "The computer says no, the system hasn't been designed that way, we can't tell it to omit that info!"
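The failure the post describes (a follow-up email that carries the name, DoB and NHS number the recipient already has) is a data-minimisation defect that a sending system can catch before anything leaves the template engine. The block below is an added example, not DHSC, NHS or Gov.uk Notify code. It assumes Notify-style `((field))` personalisation placeholders and a toy template; it allow-lists the fields a result email may carry, then re-scans the rendered text for NHS numbers (validated with the standard modulus 11 check digit) and DoB-like dates as a second line of defence. The NHS number in the sample data is a constructed test value.

```python
"""Pre-send data-minimisation guard for a test-result notification email.

Added example, not DHSC/NHS/Notify code. Assumes Notify-style ((field))
placeholders and a toy template; the NHS number below is a constructed test value.
"""
from __future__ import annotations

import re

# Personalisation fields a result email is allowed to carry. Name (beyond a
# first name), date of birth and NHS number are deliberately absent: the
# recipient already knows them and they are useful to a fraudster.
ALLOWED_FIELDS = {"first_name", "result"}

PLACEHOLDER_RE = re.compile(r"\(\((\w+)\)\)")
# 10 digits, optionally grouped 3-3-4 as NHS numbers are usually printed.
NHS_NUMBER_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")
# dd/mm/yyyy style dates: a heuristic for a date of birth in free text.
DOB_RE = re.compile(r"\b\d{1,2}[/.-]\d{1,2}[/.-](?:19|20)\d{2}\b")


class IdentifierLeak(ValueError):
    """Raised when a template or rendered body would carry identifying data."""


def nhs_check_digit_ok(digits: str) -> bool:
    """Modulus 11 check digit used by NHS numbers: weights 10..2 over the first
    nine digits; 11 minus the remainder must equal the tenth digit
    (a result of 11 means 0; a result of 10 means the number is invalid)."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(digits[9])


def find_identifiers(body: str) -> list[tuple[str, str]]:
    """Scan rendered text for NHS numbers (check digit validated) and DoB-like dates."""
    hits: list[tuple[str, str]] = []
    for m in NHS_NUMBER_RE.finditer(body):
        if nhs_check_digit_ok("".join(m.groups())):
            hits.append(("nhs_number", m.group(0)))
    hits.extend(("date_of_birth", m.group(0)) for m in DOB_RE.finditer(body))
    return hits


def check_template(template: str) -> set[str]:
    """Return the placeholders a template uses; reject any outside the allow-list."""
    used = set(PLACEHOLDER_RE.findall(template))
    blocked = used - ALLOWED_FIELDS
    if blocked:
        raise IdentifierLeak(f"template references disallowed fields: {sorted(blocked)}")
    return used


def prepare_email(template: str, context: dict[str, str]) -> str:
    """Render a template with allowed fields only, then re-scan the rendered body."""
    check_template(template)
    body = PLACEHOLDER_RE.sub(lambda m: context[m.group(1)], template)
    leaks = find_identifiers(body)
    if leaks:
        raise IdentifierLeak(f"rendered body contains identifying data: {leaks}")
    return body


# Constructed sample personalisation data; the NHS number is a test value.
CONTEXT = {
    "first_name": "Alex",
    "result": "negative",
    "date_of_birth": "01/02/1980",
    "nhs_number": "943 476 5919",
}

GOOD_TEMPLATE = (
    "Hi ((first_name)), your lateral flow test result is: ((result)).\n"
    "Please keep following social distancing guidance."
)
BAD_TEMPLATE = (
    "((first_name)) | DoB ((date_of_birth)) | NHS number ((nhs_number))\n"
    "Your result is: ((result))."
)

if __name__ == "__main__":
    print(prepare_email(GOOD_TEMPLATE, CONTEXT))
    try:
        prepare_email(BAD_TEMPLATE, CONTEXT)
    except IdentifierLeak as exc:
        print("blocked:", exc)
```

The allow-list on template placeholders is the primary control: it makes "the system hasn't been designed that way" a one-line configuration change rather than a redesign. The scan of the rendered body is defence in depth against identifiers that arrive through a free-text field rather than a placeholder; the date heuristic is deliberately crude, so a template that legitimately includes a test date would need a narrower pattern or a separate allow-listed field.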
Let's count the UK GDPR issues here:
- Art.5(1)(f) integrity and confidentiality, and the related Art.32 security.
- Art.5(1)(c) data minimisation, most definitely.
- (Not to forget Art.25 data protection by design & by default of course. And Art.35 on data protection impact assessments aka DPIAs.)
The worst consequence of the DHSC's approach is that it might cause privacy/security-conscious people (like data protection professionals!) to decide not to report their test results (at least if negative) while it's not legally-required, in order to avoid the risk of fraud and identity theft. Meaning that the NHS may not receive fully comprehensive data...
Because, in connection with Covid-19, it handles sensitive, special category data like health data, the DHSC might be expected to be more careful about security and privacy than most. Our NHS heroes of course deserve our greatest respect and gratitude. But real security and privacy risks to individuals can be created unless everything is thought through carefully when conducting the DPIA (I hope there was one?) - even supposedly minor process issues like the content of standard followup emails after home test reports.
I've emailed the DHSC's data protection officer (at the email address in the privacy notice linked to from the test results reporting webpage), and I really hope the DHSC will change this risky practice ASAP.