Legal experts are warning of a “privacy crisis” after it was revealed the companies collecting track and trace data for pubs and restaurants are selling on data to marketers, credit companies and insurance brokers.
According to a Times investigation there has been a rise in companies exploiting QR barcodes to take names, addresses, telephone numbers and email details before passing them on to companies.
The concerns do not relate to the official NHS Covid contact-tracing app, but many firms use private sector solutions to meet the new requirements.
Government guidelines dictate that data collected by businesses should be held for 21 days before being disposed, and must not be used “for any purposes other than for NHS Test and Trace”.
But by hiding terms in the small print, some firms may have found a work-around that allows them to keep data for several years and even farm it out.
“Suddenly getting loads of texts”
Gaurav Malhotra, director of Level 5, a software development company that supplies the government, said data could end up in the hands of scammers. “If you’re suddenly getting loads of texts, your data has probably been sold on from track-and-trace systems,” he said.
One of the firms claiming to offer a privacy-compliant QR code service is Pub Track and Trace (PUBTT), an organisation based in Huddersfield charging pubs £20 a month to keep track of visitors, who are asked to provide their name, phone number and email address.
Another company, Ordamo, states that data from website visitors is “retained for 25 years” rather than the 21 days outlined by the government.
The Information Commissioner’s Office is assessing 15 companies that provide such services, it has been reported.