Sunday, October 11, 2020
Data security issues may fuel lack of trust in UK Government
A lack of trust in Ministers is one of the biggest obstacles to the UK Government's attempts to tackle this pandemic, fuelled by their one-rule-for-us-another-for-you attitude and the many inconsistencies in their messaging. Rhetoric has replaced assurance and that has turned many people off.
And now we have reason to mistrust the government's track and trace system that they are depending on to turn the infection rate around. The Times reports that companies collecting data for pubs and restaurants to help them fulfil their contact-tracing duties are harvesting confidential customer information to sell.
The paper says legal experts have warned of a “privacy crisis” caused by a rise in companies exploiting QR barcodes to take names, addresses, telephone numbers and email details, before passing them on to marketers, credit companies and insurance brokers:
The “quick response” mobile codes have been widely adopted by the hospitality, leisure and beauty industries as an alternative to pen-and-paper visitor logs since the government ordered businesses to collect contact details to give to NHS Test and Trace if required.
Any data collected should be kept by the business for 21 days and must not be used “for any purposes other than for NHS Test and Trace”, according to government guidelines.
But some firms used by businesses to meet the new requirements have clauses in their terms and conditions stating they can use the information for reasons other than contact tracing, including sharing it with third parties. The privacy policy of one company used by a restaurant chain in London says it stores users’ data for 25 years.
Gaurav Malhotra, director of Level 5, a software development company that supplies the government, said data could end up in the hands of scammers. “If you’re suddenly getting loads of texts, your data has probably been sold on from track-and-trace systems,” he said.
One of the firms claiming to offer a privacy-compliant QR code service is Pub Track and Trace (PUBTT), an organisation based in Huddersfield charging pubs £20 a month to keep track of visitors, who are asked to provide their name, phone number and email address.
Despite its claim to be a “simple” service, its privacy policy, which users must accept, explains how personal data of people accessing its website can be used to “make suggestions and recommendations to you about goods or services that may be of interest to you” and shared with third parties including “service providers or regulatory bodies providing fraud prevention services or credit/background checks.”
It may also “collect, use, store and transfer” records of access to certain premises including “time, ID number and CCTV images”.
PUBTT, which works with pubs in England and Wales, said users agreed to its privacy policy before using the service and claimed it had not passed data to third parties. A spokesman, identified only as Adam H, said: “The data we collect is only for use of the Test and Trace service or where a user has agreed for the venue to use their information for marketing purposes.”
Ordamo, which provides track and trace services for restaurants, states that data from website visitors is “retained for 25 years”, a duration Hazel Grant, head of privacy at Fieldfisher, a law firm, said would be “very difficult to justify”. Ordamo did not respond to requests for comment.
The possibility that information provided by customers to companies as part of efforts to contain the pandemic might fall into the hands of scammers, or be used to spam them, is inevitably going to lead to people refusing to use the system. The Information Commissioner’s Office must step in and sort this out urgently.
