‘Privacy minefield’: can businesses adapt to new contact-tracing rules?
Bars, restaurants and other venues in England instructed to record customers’ details to enable coronavirus tracking
Businesses being asked to record the names and contact details of their customers to assist with coronavirus test-and-trace efforts are facing a “privacy minefield”, campaigners are warning.
Boris Johnson has announced that the hospitality sector will be allowed to reopen from 4 July, in the next stage of easing lockdown restrictions in England.
But many bosses at bars and other venues are worried after the prime minister requested their help in “collecting contact details from customers, as happens in other countries”.
What are the privacy concerns?
Businesses including pubs, restaurants, hotels and hairdressers will be asked to keep records of customers and visitors for 21 days in order to support the NHS test-and-trace system, says the BBC.
Announcing the plan on Tuesday, along with a raft of other lockdown changes, Johnson said the government “will work with the sector to make this manageable”.
But privacy groups say hospitality businesses have been offered little guidance on collecting and storing the sensitive contact-tracing data, while potential customers have been given no assurances that their information will be kept safely.
“This sounds like an excessive and intrusive move designed to paper over the cracks of a much bigger contact-tracing failure,” Silkie Carlo, director of the Big Brother Watch campaign group, told The Guardian.
“It also poses privacy risks. Asking pubs and restaurants to become data controllers overnight is unfair – and could see personal data hoarded, lost or misused – whether for marketing or unwanted personal contact.”
Responding to these concerns, the Information Commissioner’s Office (ICO) said it was “assessing the potential data protection implications of this proposed scheme and is monitoring developments”.
The ongoing coronavirus pandemic and the instructions from the government do not exempt businesses from data protection rules, the regulator added.
“Key data protection principles must be considered so that people’s data is handled responsibly”, including “only collecting personal data that is necessary [and] making sure that it is not retained for longer than needed and keeping it secure”, an ICO spokesperson said.
Despite such regulatory measures, some other countries that have rolled out similar systems have reported privacy breaches. An Auckland woman told New Zealand’s Newshub last month that she felt “shaken and vulnerable” after a Subway worker misused her personal information to make unwanted personal contact.
“The sad reality is that people’s contact details could potentially be inappropriately handled by pub staff, opening consumers up to all kinds of privacy and security risks, including the potential of stalking or other unwanted criminal activities,” Ray Walsh, a digital privacy expert at security site ProPrivacy, told The Guardian.
“These privacy risks are particularly concerning in regards to women, minorities and other vulnerable or discriminated-against groups who could find themselves targeted or harassed.”
Other critics have been even more scathing of the customer registration plan.
Ralph Findlay, chief executive of the Marstons pub chain, told The Telegraph that the new requirements were “bonkers”.
“It is an infringement on people’s liberties and it will be very difficult to practically manage,” he said.
Will the measures really help in tracing infections?
Similar requirements were imposed on businesses in New Zealand in March, with venues that didn’t offer online bookings asked to manually record customers’ full names and phone numbers or email addresses on paper forms.
The system was later updated to allow customers to use their phones to scan a QR code when they enter a hospitality outlet. When a new Covid-19 case is registered, a central database storing this data is then used to contact any customers who have been in the same venue as the infected person.
However, unlike the New Zealand model, the UK government has not mentioned any app or digital database to collect the information. Instead, hospitality outlets are apparently expected to record the information manually, and to share it if contacted by government contact tracers.
Despite the lack of an automatic system to alert customers who many have come into contact with the virus, recording their details “could help contain clusters or outbreaks”, according to UK government guidance.
“Many businesses that take bookings already have systems for recording their customers and visitors – including restaurants, hotels, and hair salons,” says the official government website. “If you do not already do this, you should do so to help fight the virus.”
–––––––––––––––––––––––––––––––For a round-up of the most important stories from around the world - and a concise, refreshing and balanced take on the week’s news agenda - try The Week magazine. Start your trial subscription today –––––––––––––––––––––––––––––––
What are businesses’ other concerns?
As well as the privacy worries, many bosses have voiced fears about the practical challenges and costs associated with the change.
Andy Wood, chief executive of pub operator and brewer Adnams, told the Telegraph that he would “implore” the government to speed ahead with the launch of a contact-tracing app in order to avoid layering “another level of bureaucracy for an already hard-pressed pub and hospitality sector”.
Concerns about the health of both staff and customers have also been raised ahead of the relaxing of social distancing rules.
Business Secretary Alok Sharma this week he expected people to continue to use “common sense” and follow government guidelines, but added that businesses had a “legal duty” to keep their employees safe.
Frances O’Grady, general secretary of trade union TUC, argues that the more government relaxes lockdown, “the tougher it needs to get on health and safety at work”.
O’Grady told the BBC Today programme that the government should make it a legal requirement for businesses to publish risk assessments on their website, because too many companies were “not doing the right thing”.