Contact tracers working on Sitel’s test and trace operation were told to use their personal email addresses to share information about cases with their managers.
Staff at Sitel, which runs a large portion of NHS Test and Trace's call centre operations, were instructed to use their personal email accounts to handle individuals’ health data in what has been described as a “shocking” breach of privacy regulations, CSW's sister title PoliticsHome has revealed.
One former staff member has now reported the Dutch outsourcing giant to the Information Commissioner's Office after she was left "horrified" by the practice.
In internal messages seen by this website, staff working on test and trace were advised to use their personal emails to share details of cases despite concerns being raised about potential breaches of the General Data Protection Regulations.
The incident, which occured in January, saw a manager instruct call handlers to use their own email accounts to send case information for review because Sitel's internal systems made it "unmanageable" for details to be shared securely via its online platform.
Responding to a conversation with her team about the practice, the whistleblower, Helen Wilkie, raised concerns, saying there was "probably a GDPR problem with sharing personal information via personal email".
The manager rejected her warnings, saying they emailed personal agents "every day".
It is understood that strict restrictions on the Sitel platform meant junior staff were unable to send internal emails to anyone other than their direct line manager, resulting in frequent problems when temporary managers were put in charge of teams of contact tracers.
In a further private chat session, Wilkie was told that if staff had security concerns she should "take it up with the tech department".
"I don't understand your issue, the agents have signed NDAs (non-disclosure agreements) within their contracts, if you have a security issue please take it up with the tech department," the manager wrote.
"Given the agents cannot [private message] me and cannot [internal] mail me, I have no other option, unless with your extensive knowledge you have another way the agents can send case numbers for me to deal with."
Wilkie, who informed her manager she had a background in computer science, said she was "pretty horrified that we are using personal emails for work and discussing cases".
She added: "If this gets out it would be big news... they could be using very unsecure accounts, shared accounts, anything."
But those concerns were dismissed, with the manager saying staff could "at any time screenshot or take photos of the screen with their phones of cases, and there is nothing I can do to stop this".
"Given I am looking after many rooms that would fast become unmanageable."
They added: "Please concentrate and worry about cases. This kind of chat could insight [sic] a problem in the chat room."
Following the incident, the contact tracer said she had raised the issue with a senior manager at the firm who apologised for the "misunderstanding" but that no changes or additional training were provided to halt the practice.
In February, following her dismissal from the company as part of the scaling back of NHS Test and Trace, she reported the company to the ICO, which is responsible for monitoring data compliance.
Speaking to PoliticsHome, Wilkie said she had reported the incident because she was "shocked that we were not just allowed to, we were actually instructed to use third party email addresses, private email addresses".
She warned that it was likely that the informal “workaround” could lead to additional information being sent via personal emails, including an individual's name, date of birth, phone number and possibly even their NHS number.
An ICO spokesperson said: "We have received a concern relating to Sitel and are looking into the details."
Wilkie said while she was upset with the response from her manager that they were "not to blame", saying instead that a lack of training and the restrictive internal systems had led to the practice.
Meanwhile, Pascale Robinson, campaigns officer at We Own It said the allegations were "shocking, but sadly they're not surprising".
"Contact tracing is delicate, sensitive work, and it requires the utmost commitment to best practice of data protection,” she said.
“It's disappointing to see that this appears not to have been followed by one of the companies directly involved in the management of the system.
"Time and again we've seen that private companies are ill suited and ill equipped to manage the contact-tracing system. It's time we kicked them out for good and put our experienced local public health teams in charge of the system instead."
A Sitel spokesperson said: "We are currently investigating the suggestion that certain team members have used personal email accounts in the course of their work.
"This is something we take very seriously and multiple controls are in place to prevent this from happening. Any actions taken by team members that are not in compliance with our controls will be addressed through the appropriate channels and consistent with our internal policies."
John Johnston is a reporter at CSW's sister title PoliticsHome, where this story first appeared.