THE government has admitted that England’s Covid-19 test-and-trace programme has broken a data-protection law in a letter sent to privacy campaigners.

The Department of Health & Social Care (DHSC) acknowledged it had failed to carry out a risk assessment on how the system would affect privacy.

It follows the threat of legal action from the Open Rights Group (Org), which claims that the programme to trace contacts of those infected with Covid-19 has been operating unlawfully since its launch on May 28.

Carrying out a data-protection impact assessment (DPIA), which helps to identify and mitigate risks relating to use of personal data, is a requirement under general data-protection laws.

In response to a pre-action letter from the privacy campaigning organisation, the government confirmed that, while an assessment is a legal requirement, it has not yet been completed.

The letter from the DHSC, dated July 15, said that the legal requirement is being “finalised.”

Calling the government’s behaviour “reckless,” Jim Killock, executive director of Org, said: “We have a ‘world beating’ unlawful test-and-trace programme.

“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards.”

Ravi Naik, legal director of the data-rights agency AWO, instructed to act on behalf of Org, said that failing to carry out the appropriate assessment meant all data collected is “tainted.”

A spokesman for the DHSC said there is no evidence of data being used in an unlawful way.