Labour demands investigation of data breach by outsourcing firm Serco

Labour has demanded an investigation by the government into the data breach by outsourcing firm Serco that saw the email addresses of almost 300 coronavirus contact tracers accidentally shared.

In a letter to opposite number Michael Gove, Labour’s Rachel Reeves has asked that the government publishes details of the coronavirus contracts handed to Serco and of the impact of the breach.

The Shadow Chancellor of the Duchy of Lancaster has pressed Gove on the consequences that Serco will face for the error, the reasons for using the outsourcing firm and the basis on which it can be trusted.

She has described it as “troubling” that Serco has been “trusted with some of the most sensitive work in our national effort” against Covid-19 but “seems to struggle with the most basic aspects of data privacy”.

Reeves said: “To ease the lockdown restrictions, a proper system of test, trace and isolate needs to be in place. The government needs to make sure… that the public have faith in it. It has never been clear what expertise or specialist knowledge Serco can bring to contact tracing.”

The government has chosen to use Serco for its coronavirus response despite the company being investigated by the Serious Fraud Office in 2019 – a probe that led to two individuals being charged with fraud and false accounting.

The outsourcing giant had to pay £22.9m to the UK’s Serious Fraud Office after understating the level of profitability of its electronic monitoring contract in its reports to the Ministry of Justice.

Reeves has also noted the “performance of Serco’s existing contracts with the Home Office and the Department for Work and Pensions”. Although the firm has been penalised repeatedly, it keeps being awarded new contracts for asylum accommodation.

Serco has been caught up in numerous controversies, including alleged abuse in immigration detention centres, but continues to run Yarl’s Wood and this month is taking over Brook House and Tinsley House.

But the government has chosen the firm to train staff to trace cases of Covid-19. The training, also run by contact centre company Sitel, has reportedly been beset by problems raised with The Guardian.

Commenting on Labour’s new demands, Reeves said: “We need some clarity from the government about why and how Serco came to be awarded this contract; and we need reassurances that the contract tracing programme is in safe hands.

“The Prime Minister has promised it will be up and running by the 1st of June; if we are to ease lockdown safely, then it is essential that the government gets this right.”

Below is the full text of the letter from Rachel Reeves to Michael Gove.

Dear Michael,

I am writing to you again, further to my letter of 14th May.

In that letter, I raised a number of concerns about the role of outsourcing specialists in delivering key parts of our response to the coronavirus, the lack of transparency around the value and details of the contracts involved, and in particular the ability of those companies to carry out essential work to the required standard.

One of the issues raised was around Serco, who have a prominent role in the delivery of contact tracing. As I signalled in the letter, Serco’s involvement in this task was already a cause for concern – in particular given the previous Serious Fraud Office’s 2019 investigation into Serco, and also because of the performance of Serco’s existing contracts with the Home Office and the Department for Work and Pensions.

An effective system of contract tracing relies on a high level of trust and public confidence. People need to be willing to share their personal information, in order for us to be able to locate who they have been in contact with and by extension who is at risk of spreading the virus further.

Therefore, any fear that information will not be secure or may be used in relation to issues around immigration status or benefits claims threatens to compromise our effort to trace, and contain, the virus.

Given these pre-existing concerns, I was alarmed to see reports yesterday that Serco had inadvertently shared the names of 300 contact tracers over email. It is particularly troubling that a company that is being trusted with some of the most sensitive work in our national effort against the virus seems to struggle with the most basic aspects of data privacy.

It seems fair to expect that any organisation handling sensitive personal data should have watertight data control and security practices and protocols across the whole organisation. Surely government should have assessed the organisation’s capability to maintain the highest levels of data security before awarding such a contract.

Given that Serco are refusing to refer themselves to the ICO in relation to this breach, please could you explain:

• By what process will this breach be investigated?
• What sanctions, if any, will be applied to Serco?
• What assurances has Serco been able to offer that the company can be trusted not only with the data of its own workers, but also of the general public?
• What conversations have you had with the Information Commissioner regarding this this incident, concerns rising from it, and wider concerns about Serco’s ability to handle sensitive data on behalf of the government?
• What, if any, impact will this incident have on the tracing strategy?

This data breach underlines the importance of government provided transparency around the nature of its agreement with Serco – and with other private companies including Deloitte and KPMG. So, I would ask that you set out, without further delay:

• Details of the procurement process undertaken in order to appoint Serco;
• Details of any assessment made of the organisation’s capability to deliver and what alternatives were assessed;
• The scope, value, payment terms and length of the contract.

Without an effective system of contact tracing, our efforts to contain this virus, minimise loss of life, and gradually ease the lockdown will be severely compromised. Without trust in the process and in those charged with delivering contact tracing, there is no chance that it will succeed.

I look forward to your response, to the queries contained within this letter and in my original letter of 14th May regarding contracts to Serco, Deloitte, Edenred and others. Now, more than ever, it is vital that the public can have confidence in government.

Yours sincerely,

Rachel Reeves