The Prime Minister announced on Wednesday 9 September that “premises and venues where people meet socially will be legally required to request the contact details of a member of every party, record and retain these details for 21 days and provide them to the NHS Test and Trace without delay when required”. Soon afterwards, Government announced the roll-out of their new, decentralised NHSX App. Notably, users will also be able to scan QR codes to log their visits to hospitality venues. Businesses will still be asked to keep their own recording systems for those who do not own a smartphone, or are not willing to use the App.
The announcement came after a surge in Coronavirus infections, and the Government's willingness to trace customers who may have been exposed in pubs and restaurants is understandable. On the other hand, Open Rights Group (ORG) has already argued that collecting contact tracing data without a clear and purpose-limited mandate may have consequences for our privacy.
As these guidelines are about to be made compulsory, Government should take the opportunity to catch up, and provide the safeguards that the public needs to confidently hand their personal data to the hospitality industry. Here is our vision of how this could be done in practice.
NHSX App and QR codes
ORG welcomes that the NHSX App will extend its decentralised approach to contact tracing to pubs and restaurants. With the new App, users will be able to scan QR codes displayed in a given venue, and log their “check-in” on their own phone.
This inherently keeps your personal data away from staff members and other threats (such as businesses trying to reuse your data for marketing purposes). Also, the new Data Protection Impact Assessment for the NHSX App indicates that this “diary” of your QR codes remains stored in your phone, and is never shared with a central database. The law may need to be clarified to ensure this is clearly legal.
However, it is worth noting that the adoption of the NHSX App should be voluntary, and ensuring that alternatives for those who choose to opt out have an acceptable level of security is no less important. In this respect, we have some further recommendations.
Data minimisation and purpose limitation
Government should make it compulsory for pubs and restaurants to collect only the data required by Test and Trace. In other words, the data listed in current Government guidelines should be turned into an exhaustive list, and asking for further information should be forbidden.
This data should be used only for contact tracing purposes, and should not serve as a gateway to building commercial databases. As such, Government should prohibit businesses from reusing the data they collect for purposes other than contact tracing.
Finally, businesses should clearly separate contact tracing forms from other, commercially driven data collection schemes, in order to avoid confusion and ambiguities — for instance, direct marketing opt-in boxes at the bottom of Test and Trace forms should not be allowed.
Security and confidentiality
A number of journalistic reports have shown how contact tracing data can easily be abused, for instance by staff members using contact details to harass women. We believe that Government could lower this risk by mandating baseline security standards for the hospitality industry.
For instance, hard copy records should at least be kept locked away, with access prohibited except for destruction or disclosure to the NHS. In a similar fashion, electronic records should at least be protected by passwords or other technical means (for instance, encryption) to prevent unauthorised use by staff members. Finally, staff members who handle this data should undergo data protection training, to make sure they understand their responsibilities.
These should be intended as minimum requirements, setting the floor for complying with the law. It follows that these requirements should not override the stricter GDPR duty to ensure a level of security appropriate to the specific circumstances each business faces.
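To show what the safeguards argued for under "Data minimisation and purpose limitation" and "Security and confidentiality" would look like in a venue's own electronic recording system, here is an added example (not ORG's, NHS or any vendor's code). It assumes a placeholder field list standing in for the Government guidance, a 21-day retention period, encryption at rest under a key held by a custodian rather than front-of-house staff, and disclosure only to NHS Test and Trace.

```python
"""Venue-side contact-tracing record store enforcing: allowlisted fields only,
encryption at rest, 21-day retention, and disclosure only to NHS Test and Trace."""
import hashlib, hmac, json, os
from datetime import datetime, timedelta

# Placeholder field list (assumption): the authoritative list is in Government guidance.
ALLOWED_FIELDS = frozenset({"name", "phone", "arrival_time"})
RETENTION = timedelta(days=21)            # retention period stated in the announcement
AUTHORISED_RECIPIENT = "NHS Test and Trace"


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (same call encrypts and
    decrypts). A production system should use a vetted AEAD such as AES-GCM instead."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class VenueRecords:
    def __init__(self, key: bytes):
        self._key = key      # held by the venue's key custodian, not by front-of-house staff
        self._rows = []      # (collected_at, nonce, ciphertext): plaintext is never kept

    def check_in(self, submitted: dict, now: datetime) -> None:
        # Data minimisation: refuse any field beyond the exhaustive list (e.g. marketing opt-ins).
        extra = set(submitted) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"fields not permitted on a Test and Trace form: {sorted(extra)}")
        missing = ALLOWED_FIELDS - set(submitted)
        if missing:
            raise ValueError(f"missing required fields: {sorted(missing)}")
        nonce = os.urandom(12)
        blob = json.dumps(submitted, sort_keys=True).encode()
        self._rows.append((now, nonce, _keystream_xor(self._key, nonce, blob)))

    def purge_expired(self, now: datetime) -> int:
        """Destroy records once the 21-day retention period has elapsed; returns count removed."""
        kept = [r for r in self._rows if now - r[0] < RETENTION]
        removed = len(self._rows) - len(kept)
        self._rows = kept
        return removed

    def disclose(self, requester: str, now: datetime) -> list:
        # Purpose limitation: only the Test and Trace service may receive decrypted records.
        if requester != AUTHORISED_RECIPIENT:
            raise PermissionError(f"{requester!r} is not authorised to receive these records")
        self.purge_expired(now)   # never hand over data that should already have been destroyed
        return [json.loads(_keystream_xor(self._key, n, c)) for _, n, c in self._rows]
```

Constructed sample check-ins in the accompanying checks show a marketing field being rejected, a non-NHS requester being refused, and a record disappearing on day 21.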
Staff members and unauthorised access are not the only threats contact tracing data would face. Reasonable concerns may arise about Government collecting contact tracing records for surveillance purposes.
Needless to say, contact tracing can only work if the public cooperates and does not provide fake data. In turn, this demands a high level of confidence and clear assurances against hostile uses of this information. Clear legal safeguards should be put in place to limit access to these records to the NHS and other entities involved in Test and Trace. Businesses should be given clear instructions regarding to whom they are authorised to disclose the contact tracing data they collect, and should be able to refuse if the relevant conditions are not met.
ORG has been scrutinising Government data processing practices from the very beginning, and we aren’t done yet with Test and Trace. As the need for contact tracing expands, we will keep fighting for a more responsible and thoughtful use of our data.