A QR code provider used by businesses for contact tracing has been fined by the data privacy watchdog for allegedly sending more than 80,000 nuisance emails.
The Information Commissioner’s Office (ICO) has issued St Albans-based Tested.me an £8,000 penalty for using the personal data of those who scanned QR codes to send marketing communications “without adequate valid consent”.
QR codes have become a common sight in enclosed public spaces during the pandemic, used as a convenient alternative to paper for places such as restaurants and pubs to gather contact details, should a person who was there at the same time later test positive for coronavirus.
The QR codes involved do not concern the Government-issued Test and Trace posters to check into venues via the NHS Covid-19 app.
“People handed over their information as part of the national effort to control the Covid-19 pandemic – they did not expect that information to be used to send them unwanted marketing messages,” said Natasha Longson, the ICO’s group manager of investigations.
“The health crisis is not an excuse for mishandling people’s data and Tested.me Ltd should have known better.”
The firm allegedly sent almost 84,000 nuisance emails between September and November last year.
Tested.me said it had only sent emails out twice to people who had ticked a communications opt-in, designed to make checking into places quicker.
It has agreed to pay the fine.
“Tested.me built and developed a free QR based test and trace solution prior to the NHS Test and Trace roll out,” the firm said.
“During the summer of 2020, we sent two emails to anyone who had used the solution and had ticked a communications opt-in to let them know there was an app which would make the process quicker to check in to their local.
“We subsequently learnt that this was not allowed as part of Test and Trace solutions and immediately removed that option and have agreed to pay the fine issued by the ICO.”
It comes as the ICO carried out checks over the past six months, contacting 16 QR code providers to ensure they are handling people’s personal information properly.