The Department of Health has conceded the initiative to trace contacts of people infected with Covid-19 was launched without carrying out an assessment of its impact on privacy.
The Open Rights Group (ORG) says the admission means the initiative has been unlawful since it began on 28 May.
The government said there is no evidence of data being used unlawfully.
The test and trace system involves people being asked to share sensitive personal information. This can include:
■ their name, date of birth and postcode
■ who they live with
■ places they recently visited
■ names and contact details of people they have recently been in close contact with, including sexual partners.
“In no way has [there] been a breach of any of the data that has been stored,” said Education Secretary Gavin Williamson.
He told BBC Breakfast: “I think your viewers will understand that if we are to defeat this virus, we do need to have a test and trace system and we had to get that up and running at incredible speed…. Are you really advocating that we get rid of a test and trace system? I don’t think you are.”
ORG had threatened to go to court to force the government to conduct a data protection impact assessment (DPIA) – a requirement under the General Data Protection Regulation (GDPR) for any processing of personal data that is likely to result in a high risk to individuals, which the collection of health and contact data on this scale plainly is.
A letter from the Department of Health to the group confirmed that a DPIA was a legal requirement and had not been carried out.
ORG’s executive director, Jim Killock, said the government had been “reckless” in ignoring this legally required safety step and had endangered public health.
“A crucial element in the fight against the pandemic is mutual trust between the public and the government, which is undermined by their operating the programme without basic privacy safeguards,” he added.
Scotland, Wales and Northern Ireland all carry out parallel contact-tracing schemes of their own but have not been accused of the same failing.
The government has told the ORG it is working with the Information Commissioner’s Office to make sure that data is processed in accordance with the requirements of the law.
The ICO confirmed this and told the BBC it was providing guidance as “a critical friend”.
But the regulator added that, while it recognised the urgency in rolling out the programme, if the public were to have confidence in handing over their data and that of their friends, “people need to understand how their data will be safeguarded and how it will be used”.
The watchdog is already investigating the Test and Trace programme after the Sunday Times reported last week that some contact tracers had posted private patient data to WhatsApp and Facebook groups.
A Department of Health spokeswoman said: “NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using, and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.”
The ORG’s complaint stems from work carried out on its behalf by Ravi Naik, a lawyer at the AWO data rights consultancy.
He said the legal requirements for data processing were more than just a tick-box exercise.
“They ensure that risks are mitigated before processing occurs, to preserve the integrity of the system,” he explained.
“Instead, we have a rushed-out system, seemingly compromised by unsafe processing practices.”
Mr Naik added that the ORG had already won a concession from the government: it had originally planned to keep the data for 20 years but has now cut the retention period to eight years.
Since the test and trace programme was launched, its 27,000 staff have contacted more than 155,000 people, who may have been infected with the virus, and asked them to go into isolation.
Coronavirus: England’s test and trace programme ‘breaks GDPR data law’ https://www.bbc.co.uk/news/technology-53466471