The Department of Health and Social Care paid McKinsey £563,400 to decide the “vision, purpose and narrative” of the NHS Test and Trace programme.

A recently published contract revealed the consultancy firm could be granted access to personal data, including names, addresses, biometric data and medical data, for up to seven years, but only if given prior written permission from the Department of Health and Social Care (DHSC).

McKinsey does not have access to the data under the deal and a DHSC spokesperson said it would be “completely wrong” to claim personal data was shared as part of the contract.

But they did not comment on the circumstances under which the firm would be granted access to such data.

“No personal data has been shared and the contract included a clause specifically to protect such information,” they said.

The clause states McKinsey is not permitted to access personal data without prior written consent from the DHSC.

“In which case the parties will agree suitable personal data protection clauses to ensure the integrity and confidentiality of the personal data obtained pursuant to this call-off contract,” the contract states.

The six-week contract commissioned McKinsey to “define options for: the vision, purpose and narrative; end-to-end journeys; organisation, roles and talent; interfaces and governance; and integrated roadmap all for the medium-term entity” of Test and Trace.

The consultancy firm was hired in May to outline the “mission and vision” of the proposed new organisation by the end of June, according to the contract.

This included the organisations data journeys, structure and departments it would work with.

The contract was published shortly before health secretary Matt Hancock announced Public Health England would be scrapped and merged with Test and Trace to form the new National Institute for Health Protection.

Baroness Dido Harding, who began her career at McKinsey, has been appointed the interim executive chair of the new organisation.

Privacy group medConfidential criticised the McKinsey contract and decision to establish a new organisation during a global pandemic.

Coordinator Phil Booth said the Test and Trace programme after months “can’t even get the right data to the right people” and called for more detail on how the new unit will work.

Latest figures from NHS Test and Trace show only 71.3% of close contacts of those tested positive for Covid-19 were able to be reached and asked to self-isolate – leaving almost 30% of those potentially exposed to the virus unaware they need to isolate.

Harding was appointed head of NHS Test and Trace in May, and is responsible for overseeing England’s testing and contact-tracing programme, including the NHS contact-tracing app.

But the decision to appoint her as interim head of the National Institute for Health Protection was met with criticism. Harding was chief executive of broadband provider TalkTalk when it was hit by a cyber attack in October 2015. Hackers were able to access the personal information of 150,000 customers, including sensitive financial data of more than 15,000 people.

The provider was later fined £400,000 by the Information Commissioner’s Office, which said the attack could have been prevented if the telecoms company had taken basic steps to provide information.