Test and Trace staff told to use personal email accounts to share information

Already under fire for its multi-billion pound cost, the government's Test and Trace programme may also have breached GDPR

Sitel employees working on the government's Test and Trace programme were instructed to use personal email addresses to share case details with managers.

Despite concerns being raised around GDPR - of which this almost certainly constitues a breach - an internal message, seen by PoliticsHome, told staff to use their own email accounts to handle citizens' health data.

A former staff member, Sarah Wilkie, reported the practice to the Information Commissioner's Office, saying she was "horrified."

She told PoliticsHome she was "shocked that we were not just allowed to, we were actually instructed to use third-party email addresses, private email addresses."

In January, Wilkie's manager told call handlers to use personal email accounts to send them case information for review, due to restrictions in Sitel's internal systems.

The outsourcing giant apparently only allows junior staff members - such as contact tracers - to email their direct line manager, leading to issues where they were unable to communicate with temporary managers.

Wilkie's manager appears not to have realised the legal implications of the differences between correspondence and health data. When she raised the issue of the GDPR, the manager told her they emailed personal agents "every day".

Later in the discussion they told Wilkie that agents had signed non-disclosure agreements and she should "take it up with the tech department" if she had an issue.

They added, "Given the agents cannot (private message) me and cannot [internal] mail me, I have no other option, unless with your extensive knowledge you have another way the agents can send case numbers for me to deal with."

After brushing off Wilkie's concerns, the manager added, "Please concentrate and worry about cases. This kind of chat could insight [sic] a problem in the chat room."

Wilkie said she was upset but that the manager was not to blame. Instead, she pointed to a lack of training and overly restrictive internal systems - neither of which were changed, even after raising the issue with a senior manager.

Wilkie reported the issue in February, after she left Sitel as Test and Trace is being scaled down. The ICO says it is 'looking into the details'.

A Sitel spokesperson said, "We are currently investigating the suggestion that certain team members have used personal email accounts in the course of their work.

"This is something we take very seriously and multiple controls are in place to prevent this from happening. Any actions taken by team members that are not in compliance with our controls will be addressed through the appropriate channels and consistent with our internal policies."