We understand Serco did report the data breach to the Information Commissioner’s Office.
Serco also alerted the NHS Test and Trace service immediately. The breach was caused by including email addresses of new contact tracing recruits in the carbon copy (cc) rather than blind carbon copy (bcc) field. Serco apologised to staff affected and reminded colleagues of the need to always use the ‘bcc’ feature rather than ‘cc’ feature in future.
Ensuring the privacy of users and security of their personal data is a priority for the National Health Service and the Government. We follow cyber security best practice to help protect this data and comply with the law around the use of data, including the Data Protection Act 2018.