The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The ICO has issued NHS Test and Trace with recommendations to strengthen the protection of people’s personal data, so it can continue to  play a vital role in tackling the pandemic.

The recommendations are the result of a consensual audit agreed with the Department for Health and Social Care (DHSC). The audit, which took place in summer 2021, checked DHSC’s compliance with data protection legislation and highlighted areas where people’s data could be handled better.

The ICO and DHSC agreed to focus the audit on two specific areas to bring about improvements that would bring greatest benefit to the public. The first, “Governance and Accountability”, looked at the policies and procedures that were introduced to keep data secure. The second area, “Processor and Third Party Supplier Relationship Management” looked at how NHS Test and Trace managed external suppliers and contractors to ensure they maintained high data protection standards.  

Due to the system’s infancy and the speed at which it was set up, the ICO found key requirements for data protection were not yet in place and formal processes had not yet been embedded.

As a result, the audit proposed a number of recommendations to strengthen the protection of people’s personal data.

These included:

  • expanding NHS Test and Trace’s programme of staff training to include tailored courses for different roles. For example, training on how to communicate privacy information for front-line staff;
  • developing and communicating additional processes and policies to staff, such as privacy risk assessments and security guidance, to ensure that there’s a strong privacy culture within NHS Test and Trace; and 
  • adding auditing mechanisms, such as periodic reviews and monitoring of contracts, to ensure that staff and third parties follow agreed processes.

The UK Health Security Agency (UKHSA), which in October 2021 took responsibility for NHS Test and Trace, agreed to these recommendations and provided a detailed action plan outlining their response and progress for all recommendations. In 2022, the ICO will review UKHSA’s progress in addressing any outstanding recommendations.

James Dipple-Johnstone, ICO Deputy Commissioner and Chief Regulatory Officer said:

“The NHS Test and Trace programme was set up at pace, under extraordinary circumstances and is a vital tool to help keep people safe in this pandemic.

That's why it was important for us to work together to highlight any data protection issues. Our findings were what you would expect from a new service that was implemented so quickly. But, given the improvements made and their ongoing commitment to embedding high data protection standards, people can continue to have confidence the NHS Test and Trace programme is implementing appropriate safeguards for people’s data. The ICO will continue to offer support to NHS Test and Trace as they continue their important work in tackling the pandemic."

Dr Jenny Harries, Chief Executive of UKHSA, said:

“In response to the global pandemic we have built the largest diagnostic network in British history, to ensure everyone can get tested for COVID-19 and close contacts can be traced quickly and efficiently in response to the changing epidemiology.

“UKHSA is fully committed to working proactively with the ICO to ensure it is fully compliant with all relevant legislation, including the UK General Data Protection Regulation (UK GDPR), and I’d like to thank the ICO for their support. UKHSA has already made significant progress implementing changes since the ICO audit took place in the summer.”


Notes to editors

  1. The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  3. Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover.
  4. The DPA2018 and UK GDPR gave the ICO new strengthened powers.
  5. The data protection principles in the UK GDPR evolved from the original DPA, and set out the main responsibilities for organisations.
  6. Section 146 of the DPA2018 gives the Information Commissioner the power to carry out compulsory data protection audits, but the ICO predominantly conducts consensual audits. These audits are completed by the Assurance Department.
  7. At the start of the COVID-19 outbreak, Public Health England (PHE) carried out test and trace activities. In May 2020, the NHS Test and Trace programme was introduced.
  8. The Department of Health and Social Care (DHSC) has overarching responsibility for NHS Test and Trace and the Secretary of State for Health and Social Care has ministerial accountability. In October 2021 T&T was incorporated into the UK Health Security Agency (UKHSA).
  9. The audit of the NHS Test and Trace system covered “Governance and Accountability” and “Processor and Third Party Supplier Relationship Management”. The functionality of the NHS COVID-19 App was not included in the scope of this audit.