ICO assessing 15 contact-tracing companies for data protection approach

A number of companies that provide contact-tracing services to pubs and restaurants are being assessed for how they are “approaching their data protection responsibilities”.

The Information Commissioners Officer confirmed it has written to 15 companies to asses their data protection practices including “direct marketing”.

It comes amid reports companies which collect data for pubs and restaurants for track and trace purposes are potentially selling customer information.

A spokesperson for the ICO said: “The rules are clear. Collecting personal details for customer logs must not be a way to develop vast marketing databases by the backdoor.

“We have written to 15 organisations that provide services to venues to collect customer details for contact tracing so we can assess practices in the industry and how businesses are approaching their data protection responsibilities, including on direct marketing.”

Companies are said to be exploiting QR barcodes to harvest confidential information including names, addresses and contact details before passing them on to marketers, credit companies and insurance brokers, according to The Times.

QR codes have been widely adopted across the hospitality sector in response to government requirements to provide customer contact details to NHS Test and Trace.

Government guidelines state any data collected should be kept for 21 days but should not be used “for any purposes other than for NHS Test and Trace”.

Since September 24 businesses including pubs, restaurants, bars, hairdressers and cinemas have been required to display and NHS QR code that allows people to check in using the NHS Covid-19 App.

It is designed to allow NHS Test and Trace to contact customers with public health advice should there be a Covid-19 outbreak.