Free from fear or favour
No tracking. No cookies

Genomic Marketing of COVID Testing Company Without People’s Affirmative Consent

Privacy International has warned of a potentially ‘serious breach’ of privacy regulations by a firm that has been awarded £169.4 million in Government contracts

Prime Minister Boris Johnson visits Public Health England Porton Down labs to see scientists working on COVID testing. Photo: Pippa Fowles/No 10 Downing Street

Genomic Marketing of COVID Testing Company Without People’s Affirmative Consent

Privacy International has warned of a potentially ‘serious breach’ of privacy regulations by a firm that has been awarded £169.4 million in Government contracts

Privacy campaigners have raised concerns over a Government-approved Coronavirus testing company using customer data to market its own genomics services without affirmative consent, the Byline Intelligence Team and The Citizens can reveal. 

In contracts first revealed by Byline Times in November 2020, Dante Labs has been commissioned by the Government to deliver £169.4 million worth of COVID-19 testing services.

Speaking to Byline Times, Privacy International’s legal officer Lucie Audibert said that “COVID-19 testing providers should not be exploiting the various mandatory testing requirements for their own marketing” and that “the contact details people provide to receive results of their tests should be used for just that – not to contact you at a later date to try and sell you other services”.

“Without providing sufficient information and obtaining valid consent, this can be a serious breach of privacy laws,” she added.

When taking the details of customers who are purchasing its tests, Dante pre-populates the tickbox consenting to marketing emails. According to guidelines from the Direct Marketing Association, under GDPR rules, a person gives consent “by a statement or by a clear affirmative action”. That affirmative action could include “ticking a box when visiting an internet website”. It goes on to say that “pre-ticked boxes or inactivity should therefore not constitute consent”.

The Information Commissioner’s Office (ICO) is also clear, telling companies: “Don’t use pre-ticked boxes or any other method of default consent.”

A screenshot of the Dante Labs website, when the Byline Intelligence Team and The Citizens attempted to purchase a PCR test

A Dante customer, who was subsequently targeted by the firm with marketing emails, said that they “immediately felt like my data and samples might be used for something else or for something that I might not really be aware of” and that “when you take a PCR COVID test with Dante Labs, they ask you many questions, including your ethnicity”. 

Under the UK’s General Data Protection Regulation (GDPR) and PECR regulations, it is not permissible for companies to use data gathered for one purpose to then be used for another without the individual’s consent. Further, companies need to obtain explicit, informed consent to market other services to customers.

Dante Labs’ privacy policy states that “based on your consent, Dante Labs can, furthermore, process your email address to send you newsletters and marketing communications”.

One email promoted Dante’s “Kurix Premium” service, a whole genome sequencing test. It was sent to customers who had ordered a Dante PCR COVID test when travelling abroad.

A spokesperson for the Information Commissioner’s Office said: “Businesses should only contact individuals for electronic marketing purposes where consent has been provided or, in limited circumstances, where they have an existing relationship with a customer. If anyone has concerns about how their data has been handled, they can report these concerns to us.”

The Government is at the start of proposing a new data regime to replace GDPR, a law introduced by the EU. The digital rights organisation, Open Rights Group, has warned that “Government plans would grant unprecedented freedom to collect, use, and share information regarding buying habits, social relationships, creditworthiness, lifestyle, hobbies, and personality of parents and children for marketing purposes”.

If data protections in the UK are watered-down, stories like this could become far more frequent.

Government Contracts

Dante Labs and the company it owns, Immensa Health, have both won large contracts to deliver COVID-19 testing services. In this way, the firms are able to collect data from large numbers of people who are dependent on taking PCR tests to go about their daily lives, including to travel. 

This access to a wide and captive customer base is behind the concerns that Dante may be “exploiting mandatory testing requirements” – as suggested by Audibert.

In July, Dante Labs took over one of the Government’s ‘Lighthouse Labs’, designed to fast-track COVID-19 testing. BusinessLive said that Dante Labs would be “delivering COVID-19 testing and clinical whole genome sequencing on a large scale” at the lab. 

Immensa Health has won two Government contracts for PCR testing worth £169,435,000. The largest of the two contracts – worth £119,035,000 – was awarded without competition under emergency contracting regulations. At the time, Immensa Health had only been founded four months previously.

Immensa has been named as a preferred company in a number of Department of Health and Social Care framework contracts, including as one of 50 suppliers listed in a £15 billion framework agreement for clinical laboratory diagnostic testing services. Immensa is also listed as a supplier in two smaller microbiology framework contracts worth a total of £4 billion across numerous suppliers.

Dante Labs has been expanding significantly in the UK, buying Cambridge Cancer Genomics – “a leader in machine learning for clinical oncology” – and is investing £30 million in the UK “to run a global surveillance programme of the new variants of the SARS-CoV-2 virus”.

A Dante Labs spokesperson told Byline Times: “We do not share genetic data with any parties beyond Immensa, a Dante Labs company, and Public Health England, as per Government requirements. The sharing of relevant data with PHE is mandatory and is helping the UK to track the progression of potential COVID-19 variants which, unless monitored closely, could cost many thousands of lives. We do not sell this data, whether individual or aggregated.”

Dante Labs did not respond to multiple requests for comment regarding its internal use of customer data. However, after the Byline Intelligence Team contacted the firm, it appeared to have deleted the page that was featured in its marketing emails about Kurix Premium. 

Dante is also under investigation by the Competition and Markets Authority (CMA), due to concerns over its treatment of customers. There have been complaints that Dante has been not delivering PCR tests and/or results on time or at all; that it has been failing to respond to complaints or provide proper customer service; refusing or delaying refunds when requested; and using T&Cs which may unfairly limit consumers’ rights.

It was further revealed on 15 October that at least 43,000 people in the UK may have been wrongly given a negative COVID test by a private laboratory in Wolverhampton, run by Immensa Health Clinic. Operations have now been suspended at the lab.

This article was produced by the Byline Intelligence Team – a collaborative investigative project formed by Byline Times with The Citizens. If you would like to find out more about the Intelligence Team and how to fund its work, click on the button below.

Written by

This article was filed under
, , , , , , ,