A government-approved Covid testing firm is being investigated by the UK’s data privacy watchdog after it emerged that it plans to sell customers’ DNA to third parties.
Cignpost Diagnostics, which trades as ExpressTest and offers £35 tests for holidaymakers, said it holds the right to analyse samples from seals to “learn more about human health” – and sell information on to third parties.
Individuals are required to give informed consent for their sensitive medical data to be used – but customers’ consent for their DNA to be sold now as buried in Cignpost’s online documents.
When buying tests, customers were asked to tick a box agreeing to a 4,876 privacy policy which links to a separate document outlining the research programme, The Sunday Times reported.
‘Biological samples’
Cignpost removed the reference last week after the newspaper passed evidence of its activities to the Information Commissioner’s Office, which is now investigating.
It is still not known how many samples have been stored by the form of if they have been sold on already; the policy said data belonging to those providing swabs could be retained indefinitely.
Cignpost was founded last year and is believed to have sold as many as three million tests. It supplies pre-departure and arrival tests for travellers, with walk-in centres at sites including Gatwick and Heathrow.
The company’s “research programme information sheet” reveals it keeps hold of data including “biological samples… and the DNA obtained from such samples”.
It adds that it may share DNA samples and other personal information with “collaborators” – including universities and private companies – and that it “may receive compensation” in return.
‘Full compliance’
ICO deputy commissioner Steve Wood said the watchdog would look “carefully” at the firm.
“There is no personal data more sensitive than our DNA. People should be told about what’s happening to it in a clear, open and honest way so they can make informed decisions about whether they want to give it up,” he said.
A Cignpost spokesperson said it was in “full compliance” with data privacy laws, adding: “We have invested significantly in robust systems and processes to ensure we protect our customers.
“Because we are testing our customers for a potentially serious condition, protecting that data is paramount.”
Related: Shareholder win! Covid contracts drive Serco to bumper profits and revenues