Mastodon Kuan0: Security / identity theft risks - reporting Covid-19 home test results

Saturday 10 April 2021

Security / identity theft risks - reporting Covid-19 home test results

It's laudable that free Covid19 lateral flow home test kits became available in England yesterday, e.g. from pharmacies.

You're meant to report results even if negative (though that could be made clearer), by phone/online. But - then you get an email from Gov.uk Notify with your result, advocating continued social distancing etc - with your name, date of birth and NHS number, right at the top of the email! Full marks for promptness, but - for security/privacy...?

As is well known, email is insecure. If your email or the NHS's gets hacked, or intercepted, or shoulder surfed, bad guys can use your name, DoB and NHS no. for fraud and/or identity theft. I guard my DoB jealously, not just because some women don't like revealing their age (yes, I am over 30!), but because of this risk of crime. I only ever give my real DoB to government, health and financial organisations (perturbation anyone? 😁).

Too many organisations use just name and DoB to identify customers who contact them, sometimes combined with address/postcode, which usually aren't difficult for criminals to discover. (Recall that in Germany, for using just name and DoB for authentication, 1&1 got fined €9.55m, reduced by the court to €0.9m – which is still substantial.)

I'm OK with the UK DHSC requesting my DoB and NHS number (as long as they store it securely and share it securely and only on a need to know basis). But, I already know my own DoB and NHS no., wouldja believe it, and, with this type of home test kit, I do actually already know my result! There's absolutely no need to email any of that info to me.

Even if they'd adapted a previous standard form of email designed to go to people who didn't already know their results, again there's no need to include DoB or NHS number. (It's not just the DHSC - other organisations are guilty of emailing people with their DoB too, including an optician I was unfortunate enough to try using.)

I suspect that if I didn't give my DoB/NHS no. they wouldn't take my report, or if I asked for that info not to be automatically included in their followup email, they'd reply "The computer says no, the system hasn't been designed that way, we can't tell it to omit that info!"

Let's count the UK GDPR issues here:

  • Art.5(1)(f) integrity and confidentiality, and the related Art.32 security.
  • Art.5(1)(c) data minimisation, most definitely. 
  • (Not to forget Art.25 data protection by design & by default of course. And Art.35 on data impact assessments aka DPIAs.) 
Also, the UK NIS Regulations under the EU NIS Directive require operators of essential services or OESs (critical infrastructure, including the healthcare sector) to take appropriate and proportionate technical and organisational measures to manage risks to the security of their network and information systems. (Ironically, the DHSC doesn't seem to be caught under those Regs, although NHS Trusts are.)

The worst consequence of the DHSC's approach is that it might cause privacy/security-conscious people (like data protection professionals!) to decide not to report their test results (at least if negative) while it's not legally-required, in order to avoid the risk of fraud and identity theft. Meaning that the NHS may not receive fully comprehensive data...

Because, in connection with Covid-19, it handles sensitive, special category data like health data, the DHSC might be expected to be more careful about security and privacy than most. Our NHS heroes of course deserve our greatest respect and gratitude. But real security and privacy risks to individuals can be created unless everything is thought through carefully when conducting the DPIA (I hope there was one?) - even supposedly minor process issues like the content of standard followup emails after home test reports.

I've emailed the DHSC's data protection officer (at the email address in the privacy notice linked to from the test results reporting webpage), and I really hope the DHCS will change this risky practice ASAP.