A leading COVID-19 test firm is planning to sell swabs containing their customer’s DNA.
Cignpost Diagnostics, also known as Express Test, is now being investigated by the United Kingdom’s data privacy watchdog.
Company documents obtained by the Sunday Times revealed that they are planning to analyze used swab samples and sell the information to third parties.
According to the report, Cignpost Diagnostics claimed that they will use the medical data to “learn more about human health” and develop new drugs and products.
The “research programme information sheet,” which was updated on October 21, states that the company retains data including “biological samples … and the DNA obtained from such samples”, as well as “genetic information derived from processing your DNA sample … using various technologies such as genotyping and whole or partial genome sequencing.”
The documents assert that the DNA information will be compiled along with “self- reported health and trait data” — like information about their customer’s medical history, and “information we obtain from other sources, such as publicly available demographic information.”
Customers were not expressly informed about the possibility of their information being sold or used for anything other than COVID testing.
“Analysis of sensitive medical data can typically be carried out only with explicit informed consent. But customers booking tests through expresstest.co.uk were not clearly told their data would be used for purposes beyond Covid-19 testing. Instead they were asked to tick a box agreeing to a 4,876-word privacy policy, which links to another document outlining its ‘research programme,'” the Times reports.
The lengthy policy also states that “data belonging to all those providing a swab is retained indefinitely” and there is no minimum age listed in the policy, implying that children will not be exempt.
Cignpost Diagnostics is reported to have delivered up to three million tests since June of last year under Express Test. They charge anywhere from £35 and £120 each, meaning that they have already likely made tens of millions of dollars in fees.
Tim Turner, a data protection expert and founder of 2040 Training, told the Times that “consent for special-categories data has to be ‘explicit’, which means people have to agree, using specific words, to what the company wants to do. They don’t have consent — it’s a straightforward breach. It’s common to bury surprises in the small print, but this is shocking because of the sensitivity of the data.”
In a statement responding to the paper, Cignpost said it “is in full compliance with all laws related to data privacy.”
“We have invested significantly in robust systems and processes to ensure we protect our customers. Because we are testing our customers for a potentially serious condition, protecting that data is paramount for our organisation,” the company said.
They did not deny their intentions to sell customer data.
