Image Credit: Pxhere
Contact tracers working on Sitel’s test and trace process have been directed to use their personal email addresses to share information about cases with their managers.
Employees were ordered to use their personal email accounts to process individuals’ health records in what has been described as a “shocking” breach of privacy law. This was first reported by PublicTechnology’s sister publication PoliticsHome.
A former employee has now reported the outsourcing giant to the Information Commissioner’s Office (ICO) after she was “horrified” by the practice. PoliticsHome internal messages advised Test and Trace staff to use their personal emails to share details on cases, despite concerns about possible breaches of the General Data Protection Regulation (GDPR).
In the January incident, a manager instructed call handlers to use their own email accounts to send case information for review as Sitel’s internal systems made the secure sharing of details through its online platform “unmanageable”.
When whistleblower Helen Wilkie responded to a conversation with her team about the practice, she raised concerns, saying there was “likely a GDPR issue with sharing personal information via personal email”.
The manager declined their warnings, saying they emailed personal agents “every day”.
It is believed that severe restrictions on the Sitel platform prevented trainees from sending internal emails to anyone other than their line manager, which was a common problem when temporary managers were blamed for teams of contact tracers .
In another private chat session, Wilkie was told that if employees had any safety concerns, she should “contact the technical department.”
“I don’t understand your problem. The agents have signed NDAs (Non-Disclosure Agreements) as part of their contracts. If you have a security problem, please contact the technical department,” the manager wrote. “In the face of the agents can’t (private message) me and can’t [internal] Email me I have no other option unless with your extensive knowledge of how the agents can send case numbers to deal with. “
Wilkie, who told her manager that she had a background in computer science, said she was “quite appalled that we use personal email for work and discuss cases”.
She added, “If this comes out it would be big news … they could be using very insecure accounts, shared accounts, and everything else.”
However, those concerns have been denied, and the manager said staff could “take screenshots or photos of the screen with their phones of cases at any time and there is nothing I can do to stop it”.
“In view of the fact that I take care of a lot of rooms that would quickly become unmanageable.”
They added, “Please focus and worry about cases. This type of chat could provide insight [sic] a problem in the chat room. “
Following the incident, the contact tracer said she raised the problem with a senior manager at the company, who apologized for the “misunderstanding” but offered no changes or additional training to end the practice.
“Unfortunately not surprising”
In February, she reported the company to the data protection authority ICO following her release from the company as part of the test and trace reduction.
Speaking to PoliticsHome, Wilkie said she reported the incident because she was “shocked that not only were we allowed to do this, we were actually instructed to use third-party email addresses and private email addresses.”
She warned that it was likely that the informal “workaround” could result in additional information being sent via personal email, including people’s names, date of birth, phone number, and possibly even their NHS number.
An ICO spokesman said, “We have received concerns about Sitel and are looking into the details.”
Wilkie said while annoyed by her manager’s response, it was “not to blame” and instead said that a lack of training and the restrictive internal systems had led to practice.
Meanwhile, Pascale Robinson, campaign manager at We Own It, said the allegations were “shocking but unfortunately not surprising”.
“Contact tracing is delicate, sensitive work and requires the highest level of commitment to data protection best practices,” she said. “It is disappointing to see that this has apparently not been followed by any of the companies directly involved in the management of.” the system. “Time and again we have found that private companies are ill-suited and ill-equipped to manage the contact tracing system. It’s time to turn them off for good and let our skilled local health teams run the system instead. “
A Sitel spokesperson said, “We are currently investigating the suggestion that certain team members have used personal email accounts in the course of their work. We take this very seriously and there are several controls in place to prevent this. All actions taken.” Team members who do not comply with our controls will be contacted through the appropriate channels and in accordance with our internal guidelines. “