The Times – by Shanti Das, George Greenwood
A large Covid-19 testing provider is being investigated by the UK’s data privacy watchdog over its plans to sell swabs containing customers’ DNA for medical research.
Cignpost Diagnostics, a government-approved supplier trading as ExpressTest, said it intended to analyse the samples to “learn more about human health”, to develop drugs and products or to sell information to third parties, company documents show.
Analysis of sensitive medical data can typically be carried out only with explicit informed consent. But customers booking tests through expresstest.co.uk were not clearly told their data would be used for purposes beyond Covid-19 testing. Instead they were asked to tick a box agreeing to a 4,876-word privacy policy, which links to another document outlining its “research programme”.
The company is reported to have delivered up to three million tests since it was founded in June last year and charges between £35 and £120 for a PCR test. It is likely to have generated tens of millions of pounds from test fees alone.
The government-approved supplier of pre-departure and arrival tests for international travellers has 71 walk-in locations across the UK including at shopping centres and Heathrow and Gatwick. It has also provided testing services to the Wimbledon tennis championships, the PGA European golf championships and a Premier League football club as well as the BBC, Netflix and Amazon, according to its website.
Its data-usage practices came to light during an analysis of the privacy policies of government- approved testing providers.
Its “research programme information sheet” — last updated on October 21 — states that the company retains data including “biological samples … and the DNA obtained from such samples”, as well as “genetic information derived from processing your DNA sample … using various technologies such as genotyping and whole or partial genome sequencing”.
It combines this with “self- reported health and trait data” — such as information voluntarily shared by customers about their medical history — and “information we obtain from other sources, such as publicly available demographic information”.
The policy also says Cignpost may share customers’ DNA samples and other personal information with “collaborators” working with them or independently, including universities and private companies, and that it “may receive compensation” in return.
The UK’s data protection laws require organisations to have informed consent to process personal data. New rules brought in last week require testing firms to declare that they comply with minimum standards, including confirming that they operate with the oversight of a registered medical director or clinical scientist.
Last week Cignpost removed references to its research programme from its privacy policy after evidence of its activities was passed to the Information Commissioner’s Office (ICO) and the Human Tissue Authority. The ICO is investigating.
Steve Wood, the ICO’s deputy commissioner, said people “must have trust and confidence” in how their data is used by testing providers and that their practices must be “fair and transparent”. He said: “There is no personal data more sensitive than our DNA. People should be told about what’s happening to it in a clear, open and honest way so they can make informed decisions about whether they want to give it up. We’ll look carefully at the information gathered by The Sunday Times.”
The findings have sparked concern about the lack of oversight of testing providers, many of which sprang up last year and have profited heavily from the pandemic. Cignpost at first charged lower prices than its rivals.
Genetic data is valuable to drug developers because it contains DNA markers associated with health conditions. There is also high potential for misuse and discrimination.
Tim Turner, a data protection expert and founder of 2040 Training, which advises firms on the regulations, said: “Consent for special-categories data has to be ‘explicit’, which means people have to agree, using specific words, to what the company wants to do. They don’t have consent — it’s a straightforward breach. It’s common to bury surprises in the small print, but this is shocking because of the sensitivity of the data.”
Cignpost has secured access to senior politicians. Steve Whatley, one of three directors of the firm, helped set up the all-party parliamentary group (APPG) on business in a pandemic world last September, three months after co-founding Cignpost Diagnostics, and the firm is its sole sponsor. It has helped give Whatley access to government officials such as Kwasi Kwarteng, the business secretary, and Rishi Sunak, the chancellor, according to the APPG’s minutes.
Cignpost said it “is in full compliance with all laws related to data privacy”, adding: “We have invested significantly in robust systems and processes to ensure we protect our customers. Because we are testing our customers for a potentially serious condition, protecting that data is paramount for our organisation.”