Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, with reference to Serco's sharing of 296 email addresses belonging to covid-19 contract tracers, for what reasons Serco was not required to refer itself to the Information Commissioner’s Office for that matter.

We understand Serco did report the data breach to the Information Commissioner’s Office.

Serco also alerted the NHS Test and Trace service immediately. The breach was caused by including email addresses of new contact tracing recruits in the carbon copy (cc) rather than blind carbon copy (bcc) field. Serco apologised to staff affected and reminded colleagues of the need to always use the ‘bcc’ feature rather than ‘cc’ feature in future.

Ensuring the privacy of users and security of their personal data is a priority for the National Health Service and the Government. We follow cyber security best practice to help protect this data and comply with the law around the use of data, including the Data Protection Act 2018.