Fraudsters could seek to exploit the test and trace programme to target vulnerable individuals by posing as contact tracers, police have warned.
One force attempted to get ahead of potential scam attempts by telling the public how they could recognise a genuine phone call from NHS Test and Trace.
It came as the information watchdog said it would examine the new system to ensure people’s sensitive health information is protected, despite the programme struggling to get up and running with volunteers complaining about a lack of cases.
West Mercia Police issued a detailed list of requests a contract tracer would never make – but a fraudster might – such as asking for payment or downloading software to take control of your computer.
Detective Sergeant Jon Cooper from the West Mercia Police Economic Crime Unit said: "We are urging the public to please be aware of the Track and Trace process and to guard against fraud attempts.”
Addressing the potential security concerns, Dr Isabel Oliver from Public Health England told the BBC: “Of course we are concerned but we are working with the National Cyber Security Centre and others to make sure the programme is as robust as possible and those issues are monitored.”
In a separate development yesterday, the Information Commissioner’s Office said it had got ‘in contact’ with the NHS after it launched the contact tracing system before meeting its obligation to outline the privacy protections in place.
The discovery that the system has gone live before the mandatory Data Protection Impact Assessment was completed prompted warnings from legal experts that the NHS could be vulnerable to legal challenges over test and trace.
The development comes as the contact tracing system continued to be beset by technical problems for a second day, with Downing Street unable to confirm yesterday how many people were self-isolating as a result of getting calls.
One contact tracer told The Telegraph they had failed for a second day to log into the computer programme that showed them the numbers to call after, after the online system initially crashed on Thursday morning.
Another contact tracer was reported to have managed to log on only to then not receive any numbers to call.
The Government’s scheme launched on Thursday morning with 25,000 health workers and volunteers planned to start calling people who have tested positive for Covid-19 or had been in contact with confirmed cases.
The system sees Public Health England and other health workers calling people who have tested positive to collect the details of those they have had close contact with over recent days.
The other volunteers are then tasked with calling those contacts to ask them to self-isolate for 14 days.
However, under General Data Protection Regulation (GDPR), any organisation handling people’s personal sensitive information has to complete an impact assessment beforehand to outline how they intend to protect the data and who will have access to it.
On Friday, Public Health England said it was still ‘preparing’ the assessment, days after the system had gone live.
A spokesman said: “Public Health England, supported by the NHS Business Services Authority, is preparing a data protection impact assessment for the NHS Test and Trace system, and expects to publish this shortly.”
Following the admission, a spokesman for the ICO said: “A data protection impact assessment should be completed before sensitive personal data such as health data is processed on a large scale. We appreciate that organisations need to move at pace to respond to the Covid-19 crisis and this will affect some of their usual processes.
“The most important thing is that suitable measures are in place to protect people’s personal data and manage any risks to their privacy. We are in contact with Public Health England and other organisations to understand more about how the test and trace system will ensure the protection of people’s personal data.”
On Thursday, Public Health England published a notice saying it intended to hold onto the health data obtained from the test and trace programme for up to 20 years.
The information would include people’s full name, date of birth, sex, postcode and house number, phone and email address as well as any Covid-19 symptoms they had.
Ravi Naik, a solicitor and legal director of AWO, the data rights agency, said there were big questions over exactly what the sensitive health information could be used for, such as assessing people's eligibility for future ‘immunity passports’.
Commenting on the NHS launching the scheme before publishing the data protection assessment, he added: “They could open themselves up to a legal challenge.”
The revelation also led to an outcry from privacy groups, who warned the Government could lose public support for vital public health schemes if they were not transparent about how people’s medical information is handled.
A spokesman for the campaign group, Privacy International said: “Rushing to satisfy these obligations after the fact, when already knowing for quite some time that measures like trace and test would be deployed, does not engender confidence in the government, nor trust at this most crucial time.”
Meanwhile, as the test and trace programme appeared to still struggle with teething problems, Number 10 declined to give figures for how many people were now voluntarily self-isolating as a result of calls from contact tracers.
The Prime Minister's spokesman said: "I completely understand the interest in that", but he was unable to confirm the extent of the voluntary quarantine.
Downing Street has said it remains on track to meet the promised 200,000 capacity target for coronavirus tests on Monday.
Amid the set backs, one minister admitted that the test and trace system was not perfect but insisted the progress made so far was "incredible".
Lord Bethell, Minister for innovation at the Department of Health, said: "Progress is incredible. We've moved quickly to stand up a huge track and trace programme, so all is not perfect. We're snagging loose ends. But very proud of our public and private partners."