The UK's data privacy watchdog is inspecting a major Covid-19 testing firm, Cignpost Diagnostics, following the firm's claim that it holds the right to analyze the samples to "learn more about human health" – and even sell the information to third parties.
Cignpost Diagnostics is a UK government-approved Covid testing firm that trades as ExpressTest and sells £35 – £120 tests for holidaymakers. It's estimated that the firm has delivered up to three million tests since it was established in June 2021. It seems, however, that Cignpost Diagnostics has come up with a more lucrative business strategy – trading in sensitive customer data.
The research behind the curtain
The "research programme information sheet" from Cignpost Diagnostics shows that the firm keeps sensitive customer data, such as "biological samples" and "the DNA obtained from such samples", and even "genetic information derived from processing your DNA sample... using various technologies such as genotyping and whole or partial genome sequencing".
The most worrying section of the policy, however, is the one that shows Cignpost may share customers' DNA samples and similar data with third parties (so-called collaborators), including research universities and private companies. Worse yet, the firm can keep the samples and data indefinitely and "may receive compensation" for them.
Cignpost Diagnostics has around 71 walk-in centers across the UK, and offers pre-departure and arrival testing for international travelers, including at London Heathrow and Gatwick airports. It's estimated that the company has conducted close to three million tests since June last year. Each test costs between £35 and £120; that's tens of millions of pounds earned from testing alone.
The exact number of samples Cignpost collected is still under investigation, as is whether the firm has already sold or used any of the data for research. But, with the policy stating that data belonging to all those providing a swab would be retained indefinitely, abuse would have been inevitable had the Information Commissioner's Office (ICO) and the Human Tissue Authority not stepped in. According to their report, customers did not receive explicit information on what Cignpost was planning to do with their medical data, specifically that the firm could sell it for purposes beyond just Covid virus testing.
One box for 5,000 words
Can a single box hold 5,000 words? If it's a box for giving consent to ExpressTest, apparently it can. According to The Sunday Times, the ExpressTest customers all received a form to fill in with a box to tick, to give agreement to a 4,876-word privacy policy. What's more, the company outlined the details about the research program in a completely separate document, accessible via a link only.
There is no personal data more sensitive than our DNA... People should be told about what's happening to it in a clear, open and honest way so they can make informed decisions about whether they want to give it up. We'll look carefully at the information gathered by The Sunday Times.
UK data protection laws strictly require explicit informed consent for sensitive personal information to be used. The analysis of sensitive medical information, therefore, can only be carried out when explicit consent is obtained – which wasn't the case here.
A quick reminder to our readers
When this became public (and the ICO and the Human Tissue Authority found out about the proposal), Cignpost Diagnostics removed all references to the research program from its privacy policy. As we speak, the firm is standing by its position that "it is in full compliance with all laws related to data privacy", adding that it had "invested significantly in robust systems and processes to ensure we protect our customers".
All COVID-19 tests are based upon samples which invariably contain human DNA as a result of the swabbing process. DNA is not analysed nor retained following the testing process and all samples are destroyed once the COVID-19 test process is completed and results have been shared with you as our customer and the relevant public health authority.
As another government-approved institution faces a privacy probe over an alleged plan to sell sensitive customer information, we would like to take the opportunity to remind our readers to:
- Be extremely stingy with your personal data (whenever possible)
- Always ask for the exact reason behind any data collection and retention
- Always read privacy policies in full, especially before giving away sensitive information
- Never rely on a brand or organization name as the sole authority for trustworthiness – that's exactly what impostors expect you to do