Concerns have been raised that staff working on NHS test and trace call centres used their personal email accounts to handle individuals’ health data. 

The issue was raised by a former employee of outsourcing giant Sitel, which runs a large part of the test and trace call centre operation.

She told PoliticsHome, that managers instructed call handlers to use their own email accounts to send case information for review because the internal systems made it unmanageable for details to be shared securely via their online platform.

The whistleblower believed the practice was in breach of the EU’s General Data Protection Regulations (GDPR).

A spokesperson at the Information Commissioner's Office (ICO) confirmed it is investigating the complaint.

WHY IT MATTERS

The former staff member said it was likely that personal information, including names, date of births, phone numbers and NHS numbers, was being sent via personal email accounts.

THE LARGER CONTEXT

It’s not the first time the NHS test and trace programme has faced controversy. The contract tracing app was affected by numerous software issues including a bug that meant the system failed to send notifications to users who should have self-isolated.

Concerns were also raised about the vulnerability of health data when test and trace contracts service company, Serco was hit by a ransomware attack.

The European Commission recently granted the UK preliminary data access on the basis that its data protection rules are “essentially equivalent” to the EU’s GDPR and Law Enforcement Directive (LED). 

ON THE RECORD

A Department of Health and Social Care spokesperson said: “We expect the highest standard of our suppliers and expect them to fully comply with their obligations in regard to their data protection requirements.”

A Sitel spokesperson said: "We are currently investigating the suggestion that certain team members have used personal email accounts in the course of their work.

"This is something we take very seriously and multiple controls are in place to prevent this from happening. Any actions taken by team members that are not in compliance with our controls will be addressed through the appropriate channels and consistent with our internal policies."

Pascale Robinson, campaigns officer at We Own It said: "These revelations about Sitel's practices are shocking. But sadly they're not surprising. Throughout the pandemic we've seen numerous reports of private companies involved in running England's broken contact tracing system engaging in dodgy practices when it comes to managing data.

"Contact tracing is delicate, sensitive work, and it requires the utmost commitment to best practice of data protection. It's disappointing to see that this appears not to have been followed by one of the companies directly involved in the management of the system.”