A government-approved Covid testing provider is being investigated by the UK’s data privacy watchdog over plans to sell customer’s DNA for medical research.
Cignpost Diagnostics, which trades as ExpressTest, said it intended to analyse samples from swabs to “learn more about human health” or to sell information to third parties, documents seen by the Sunday Times show.
Though individuals are usually required to give informed consent for sensitive medical data to be used, it is understood that customers were blindsided when booking through the company.
When purchasing tests, they were asked to tick a box agreeing to a 4,876-word privacy policy which links to another document outlining the research programme.
The reference was removed by Cignpost last week after evidence of its activities were passed onto the Information Commissioner’s Office (ICO), which is now investigating.
However, it is not known how many samples have been stored by the firm or if they have been sold or used for research already. The policy said that data belonging to those providing swabs was retained indefinitely.
Cignpost was founded in June last year and is understood to have sold up to three million tests. It currently supplies pre-departure and arrival tests for travellers, with walk-in centres at sites including Heathrow and Gatwick.
The “research programme information sheet”, seen by the Sunday Times, says the company keeps hold of data including “biological samples…and the DNA obtained from such samples”.
It also states that it may share DNA samples and other personal information with “collaborators” including universities and private companies and that it “may receive compensation” in return”.
ICO deputy commissioner Steve Wood said the body was looking “carefully” at the information gathered by the newspaper.
“There is no personal data more sensitive than our DNA. People should be told about what’s happening to it in a clear, open and honest way so they can make informed decisions about whether they want to give it up,” he told the newspaper.
Cignpost said it worked in “full compliance” with data privacy laws. A spokesperson said: “We have invested significantly in robust systems and processes to ensure we protect our customers.
“Because we are testing our customers for a potentially serious condition, protecting that data is paramount for our organisation.”
Maurice Saatchi: I used to adore capitalism – then I had lunch with Margaret Thatcher