DHSC finds that Serco ‘processes have been strengthened’ after contact-tracing data breach
Department says investigation into leaking of email address has been satisfactorily closed
Credit: Daniel Reinhardt/DPA/Press Association Images
The Department of Health and Social Care has confirmed it undertook an investigation into a data breach by the major government contractor Serco, which accidentally shared hundreds of coronavirus contract tracers’ email addresses last month.
In a letter to shadow Cabinet minister Rachel Reeves on 1 June, innovation minister Lord Bethell said both Serco and DHSC’s data protection officer were performing internal investigations into the breach, which the department has now confirmed has been completed.
The outsourcing giant, which is recruiting, coaching and managing staff for the contact tracing programme that will support the easing of coronavirus lockdown measures, apologised in May after it shared the email addresses of 296 people it had recruited to join the contract tracing programme. The addresses were visible to all recipients of an email about training for the new recruits.
The error appears to be a failure to use the BCC email function – the same error that led to emails of EU settlement scheme applicants and Windrush victims being shared by the Home Office last year.
- Serco assents to £20m fine for fraud after probe into MoJ electronic tagging scandal
- Test and trace scheme to keep citizens’ personal data for 20 years
- ICO alerted to breach of EU citizens’ data
Some 25,000 contact tracers have been recruited so far to identify and inform people who have come into contact with someone who has coronavirus. People contacted through the programme – which reports today suggested will not be fully up and running until September – must then self-isolate to prevent further spread of the infection.
A DHSC spokesperson said: “We have closed an investigation into a minor error, and are satisfied processes have been strengthened to prevent this happening again.”
Immediately after the breach, Serco said it was not planning to report itself to the Information Commissioner’s Office – the watchdog that oversees compliance with data-protection legislation – over the incident.
In his letter to Reeves, Bethell said he wanted to “clarify” that despite its earlier statement, the company had reported itself to the regulator.
“We expect Serco to put in place remedial measures to stop this error being repeated, including technological control and staff training,” he added.
When the breach became public, a spokesperson for Serco said the company had apologised and reviewed its processes “to make sure that this does not happen again”.
Reeves wrote to Cabinet Office minister Michael Gove on 21 May calling for an investigation into the data breach.
In the letter, Reeves said she was “alarmed” by the incident and that it was “particularly troubling that a company that is being trusted with some of the most sensitive work in our national effort against the virus seems to struggle with the most basic aspects of data privacy”.
“We need some clarity from the government about why and how Serco came to be awarded this contract; and we need reassurances that the contract tracing programme is in safe hands,” she said.
The shadow minister asked Gove to set out the consequences Serco would face for the breach; the assurances the company had given the government to demonstrate that it could be trusted with the data of its workers and the public; and the details of DHSC’s contract with Serco.
'Only shared when necessary'
Responding on behalf of Gove, Bethell said that “no programme data relating to members of the public will be held on Serco systems as the data will be accessed via government-owned systems".
He said all data held in the NHS’s Covid-19 data store would remain under the control of the NHS “at all times”.
“Only information relevant to stopping the transmission of Covid-19 – specifically, the information needed to identify close contacts of cases and provide them with advice – is collected through the contact tracing system. This information will be entered into a secure system operated by PHE and will only be shared when necessary for public health purposes. It would not be used for questions relating to immigration status or benefits,” he said.
"We need some clarity from the government about why and how Serco came to be awarded this contract; and we need reassurances that the contract tracing programme is in safe hands."
Rachel Reeves, shadow Cabinet Office minister
In the past, there has been significant controversy over data sharing between public services and the Home Office, under the hostile environment policy, and the Department for Work and Pensions to identify people who are in the UK illegally or who may be misusing the welfare system.
Addressing Reeves’s questions about the contract, Bethell said: “I can assure you that the relevant procedures were followed in relation to both the procurement process and the assessment of Serco’s ability to deliver, and their suitability for this role.”
He added that Serco was an approved contact centre supplier on the Commercial Services Contact Centre framework – a process that included “due diligence and evaluation on their capability to deliver contact centre services”.
He said DHSC had not yet finalised the value of its contract with Serco for the tracing programme, but would release more information “in due course”.
Cabinet Office annual report shows digital agency also brought in more than £2m in extra revenue
PublicTechnology research shows a big spike in the number of contracts awarded to IT security specialists by public-sector buyers
Public Health Wales says leak that affected more than 18,000 people to have tested positive was attributable to ‘human error’
Businesses urged to prepare for 24 September