The oversight was first brought to light by the digital privacy campaigners Open Rights Group (ORG).
They argue the lack of a data protection impact assessment means test and trace has been unlawful from the beginning.
“The reckless behaviour of this government in ignoring a vital and legally required safety step known as the data protection impact assessment has endangered public health,” said the executive director of the ORG, Jim Killock.
England’s test and trace coronavirus programme has broken data protection laws, privacy campaigners and data protection lawyers have said.
Under the General Data Protection Regulation (GDPR) every project which involves people’s data must first conduct an impact assessment on privacy.
However, the Department for Health and Social Care has now admitted its flagship test and trace scheme, which involves those infected with Covid-19 passing on personal information and the details of those they have been in contact with, was launched in May without any such assessment.
“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards.”
The 27,000 staff of England’s test and trace programme contact people who may have been infected by someone who has tested positive for coronavirus.
As well as asking them to self-isolate for two weeks in case they also have the virus, the contact tracers can ask them to share who they live with, where they have been recently, and the names and contact details of anyone they have been in close contact with.
So far, more than 150,000 people have come into contact with the test and trace programme. Scotland, Wales and Northern Ireland all run their own test and trace schemes, independent of the NHS England one.
Magnus Boyd, an information security lawyer at the firm Schillings, told The Independent the government had unambiguously broken the law.
“There’s no way that the government could fudge this. It’s very clear on the face of the legislation that an impact assessment is required in these circumstances.”
“What if this data was to leak in some way? Date of birth, sex… you might argue these aren’t particularly sensitive but somebody’s NHS number is hugely sensitive [as is] their Covid-19 symptoms.”
The Information Commissioner’s Office (ICO), which regulates data protection, said in a statement it was working with the government to make sure test and trace is in line with the legal requirements on processing personal data.
“It is an organisation’s responsibility to complete a data protection impact assessment as a way of identifying and addressing key privacy questions,” the statement said.
The ICO also said it was acting as a “critical friend” to the government as it recognised the test and trace programme was rolled out at high speed in the middle of a pandemic.
Nevertheless, the public needed to know “how their data will be safeguarded and how it will be used” if they were to have trust in the scheme and continue to give it their personal details and those of their friends.
A Department for Health and Social Care spokeswoman said: “NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.”
But the ORG is not satisfied and is currently crowdfunding to start a legal action to force the government to conduct a DPIA.
“We are forced to take action, because the Information Commissioner is not doing its job,” the advocacy group’s website states. “When the regulator fails, it is up to us to step in.”
So far, they have raised more than £3,000. Mr Boyd agreed that the ICO should not allow the government to break data protection law simply because of the extraordinary circumstances of the pandemic.
“They should come down hard on the government so that it sends a message that impact assessments are a vital part of the whole architecture of the GDPR,” he said.
“The government cannot be exempt from the sort of pressure that small businesses are under. It would look like one rule for the little guy and one rule for the government.”
Judging by comparable cases in other EU nations, he suggested that if the ICO did sanction the government, a likely fine would be in the range of £300,000 to £500,000, significantly short of the highest fine possible under GDPR of €10m, or just over £9m.
Others have also raised concerns about the test and trace programme in the past. The Labour peer Lord Hain accused the government last month of sharing data from test and trace “on unnecessarily favourable terms to large companies”.
The Independent also revealed on Sunday the project may be struggling to achieve its main goal of controlling the spread of Covid-19.
Leaked public health analysis showed the service was failing to reach more than half of contacts named by infected residents across the north-west of England, including council areas such as Blackburn with Darwen, which has been hit hard by an outbreak.
The government’s scientific advisory group has said at least 80 per cent of those named by infected locals should be contacted within 48 hours in order to stop a new surge in cases.