ProPrivacy is reader supported and sometimes receives a commission when you make purchases using links on this site.

Covid testing firm intends to sell swabs carrying customers' DNA?

The UK's data privacy watchdog is inspecting a major Covid-19 testing firm, Cignpost Diagnostics, following the firm's claim that it holds the right to analyze the samples to "learn more about human health" – and even sell the information to third parties.


Cignpost Diagnostics is a UK government-approved Covid testing firm that trades as ExpressTest and sells £35 – £120 tests for holidaymakers. It's estimated that the firm has delivered up to three million tests since it was established in June 2021. It seems, however, that Cignpost Diagnostics has come up with a more lucrative business strategy – trading in sensitive customer data.

The research behind the curtain

The "research programme information sheet" from Cignpost Diagnostics shows that the firm keeps sensitive customer data, such as "biological samples" and "the DNA obtained from such samples", and even "genetic information derived from processing your DNA sample... using various technologies such as genotyping and whole or partial genome sequencing".

The most worrying section of the policy, however, is the one that shows Cignpost may share customers' DNA samples and similar data with third parties (so-called collaborators), including research universities and private companies. Worse yet, the firm can keep the samples and data indefinitely and "may receive compensation" for them.

Cignpost Diagnostics has around 71 walk-in centers across the UK, and offers pre-departure and arrival testing for international travelers, including at London Heathrow and Gatwick airports. It's estimated that the company has conducted close to three million tests since June last year. Each test costs between £35 and £120, that's tens of millions of pounds earned from testing alone.

The exact number of samples Cignpost collected is still under investigation, as well as whether or not the firm has sold or used any of the data for research already. But, with the policy stating that data belonging to all those providing a swab would be retained indefinitely, abuse was inevitable if the Information Commissioner's Office (ICO) and the Human Tissue Authority hadn't stepped in. According to their report, customers did not receive explicit information on what Cignpost was planning to do with their medical data, specifically that the firm could sell it for purposes beyond just Covid virus testing.

One box for 5,000 words

Can a single box hold 5,000 words? If it's a box for giving consent to ExpressTest, apparently it can. According to The Sunday Times, the ExpressTest customers all received a form to fill in with a box to tick, to give agreement to a 4,876-word privacy policy. What's more, the company outlined the details about the research program in a completely separate document, accessible via a link only.

There is no personal data more sensitive than our DNA... People should be told about what's happening to it in a clear, open and honest way so they can make informed decisions about whether they want to give it up. We'll look carefully at the information gathered by The Sunday Times.

ICO deputy commissioner, Steve Wood

UK data protection laws strictly require explicit informed consent for sensitive personal information to be used. The analysis of sensitive medical information, therefore, can only be executed when explicit consent is obtained – which wasn't the case here.

A quick reminder to our readers

When this became public (and the ICO and the Human Tissue Authority found out about the proposal), Cignpost Diagnostics removed all references to the research program from its privacy policy. As we speak, the firm is standing by its position that "it is in full compliance with all laws related to data privacy", adding that it had "invested significantly in robust systems and processes to ensure we protect our customers".

All COVID-19 tests are based upon samples which invariably contain human DNA as a result of the swabbing process. DNA is not analysed nor retained following the testing process and all samples are destroyed once the COVID-19 test process is completed and results have been shared with you as our customer and the relevant public health authority

Cignpost Diagnostics

As another government-approved institution faces a privacy probe over an alleged plan to sell sensitive customer information, we would like to take the opportunity to remind our readers to:

  • Never rely on a brand or organization name as the sole authority for trustworthiness – that's exactly what impostors expect you to do

Written by: Danka Delić

With her BA in English Language and Literature, Private Pilot Licence, and passion for researching and writing, Danka brings further diversity to the team. As a former world traveler, she learned to appreciate cyber security and the necessity for digital privacy. Danka is a nature, animal, and written-word lover. She enjoys staying on the go, both mentally and physically, and spends most of her free time either reading or hiking with her dog.


There are no comments yet.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

The fastest VPN we test, unblocks everything, with amazing service all round

A large brand offering great value at a cheap price

One of the largest VPNs, voted best VPN by Reddit

One of the cheapest VPNs out there, but an incredibly good service