Unlawful? Or - far worse - dangerous?

Test and trace relies on trust. Undermine it, and people’s lives are at risk. If the Times is to be believed, companies gathering customers’ data on behalf of restaurants and bars are doing just that.

If there’s one thing that the nations which have succeeded in containing Covid have in common, it’s a robust, successful and trusted test/trace/isolate system.

Technical skill and fearsome logistics are critical, of course. But trust is the key. If citizens don’t trust the system, they won’t comply with it – or won’t even participate to start with. And then we’re stuffed.

Which is why today’s Times story (paywalled) is so disturbing. It alleges that companies which run services gathering details of customers for restaurants, bars and pubs via QR codes are holding onto the customer data and selling it on. If that’s the case, the companies (and the outlets they’re hired by) are not only acting in a way that’s potentially unlawful. What’s in some ways worse is that they’re undermining the trust without which a test-and-trace system is useless. And that puts us all in genuine danger.

Of course, I don’t know if the story is true. I haven’t seen the T&Cs that customers are allegedly being asked to sign up to. And I don’t know how transparent the process is.

But let’s work on the hypothesis that the story is essentially true, but also that there’s at least a nod to data protection rights by the companies concerned. Let’s therefore assume the following:

  1. Customers snap a QR code;
  2. they’re taken to a web page on their device which asks for their personal details;
  3. there’s either a privacy policy on the page, or a link to one;
  4. customers are asked to consent to the policy as they provide their personal details.

Note that it isn’t clear whether consent to the policy is a condition of providing details through this service (and thus a refusal means they can’t come in), or whether the system allows customers to provide their details (and thus permits entry) even if they refuse to consent to the privacy policy.

For the purposes of this analysis, I’m going to assume it’s the latter. (Consider this a form of steel-manning.) I’m also going to ignore the distinction between data controllers and processors. Without seeing the contractual arrangements between (say) pub and QR firm, I don’t know for certain who’s in which box. For this purpose, though, it doesn’t really matter. Both roles need a lawful basis on which to process customers’ personal data, and that’s the focus of this analysis.

Is it lawful?

Let’s start with the easy bit. Collecting customers’ personal data for the purposes of supporting NHS Test and Trace is not only lawful. For restaurants and so on (I’m going to just say “restaurants” from now on), it’s been obligatory since 18 September under the Health Protection (Coronavirus, Collection of Contact Details etc and Related Requirements) Regulations 2020. Of course, these regulations also require the NHS QR code to be displayed as the primary option – so it’s hard to see why anyone would snap a private sector code instead of that one. (Despite justified earlier concerns, the current NHS app is in fact pretty privacy-friendly, working as it does – at long last! – on the Apple/Google keep-it-on-the-phone basis instead of the abortive, and thoroughly arrogant and foolish, previous centralised approach.)

But if someone doesn’t want to use the NHS App, the restaurant is still obliged to collect the data another way. Whether through a QR code, or otherwise. And till 18 September, restaurants were doing so because they were asked to, although it wasn’t a legal requirement.

Which is where the data collection firms stepped in. Paper forms are a pain. Unless you pre-book everyone (in which case you’re collecting the data in any case) far better to allow the walk-in customer to snap a QR code, fill in a few details and bingo! All done. With the bonus that your own staff aren’t harassing and annoying your customers, to their detriment and yours.

But here’s the problem. Clearly collecting someone’s name and contact details means processing their personal data. And to do that under the Data Protection Act 2018 and GDPR, you need a lawful basis: at least one out of consent, a contractual requirement, a legal obligation, the data subject’s vital interests, a public task, or your legitimate interests.

Note that each purpose for processing needs its own lawful basis. So just because one purpose is fine, that doesn’t mean others will be too.

If all you’re doing (or were doing prior to 18 September) is taking records for Test and Trace purposes, holding them solely for that, and junking them after the recommended 21 days (or even a bit longer if need be), I don’t see a problem. As of now, it’s both a legal obligation and likely a public task, and a fair argument can be made for it being in the vital interests (that is, protection of life) of the data subject as well. Honestly: I can’t see a challenge on this basis holding up.

But what about keeping the data for marketing or onward sale?

If you’re the restaurant itself, and you make clear to the customer that they have the option of allowing you to use the data for you to stay in contact with them – and, critically, they can say no as easily as saying yes without being barred from entering or otherwise inconvenienced – there’s not a huge problem. So long as you explain really clearly, in plain English, what you’re doing, make it easy for customers to opt out later, and don’t abuse the data for other purposes.

In other words, you’re relying on consent. There really isn’t any other basis that works. Legitimate interest is a non-starter, since your interest in hanging onto the data for marketing purposes without consent is dwarfed by their interests in privacy; your contract with them to serve them food in exchange for money can easily happen without contact details; and the others are just ludicrous. (Sending them emails about your Winter menu will save their life? Please.)

And consent is tricksy. It has to be (by Article 4(11) GDPR) a “freely-given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by a statement or a clear affirmative action signifies agreement”. It has to be possible to get the service in question without consenting to the data processing (Art 7(4)). And the data subject must clearly be able to distinguish between the processing they’re being asked to consent to, and other matters.

I can imagine how a restaurant could write a request for customers to allow it to retain the test-and-trace data with sufficient clarity and choice.

But I really struggle to see how the business running the collection on their behalf could do so, in any meaningful sense. Or at least, in any way that wouldn’t drive away the vast majority of customers.

Let’s take the best-case scenario. (Steel-manning, after all, is a good intellectual and ethical practice.) Let’s say the QR code landing site says, in capital letters (to paraphrase): You’re filling this in for health protection purposes. But alongside that, we’d like to hang onto the data you provide, sell it to data brokers and other customers, and to keep doing so for the next 20 years. Please tick this box if you’re OK with that. But you don’t have to, because it’s totally optional. So feel free not to bother.

Good luck getting anyone to tick that. And even that’s arguably not GDPR-compliant, since it’s hard to work out how anyone could meaningfully opt out later.

What seems rather more likely is either a link to a lengthy privacy policy, coupled with a box that asks people to confirm they’ve read it, or at best something mealy-mouthed about “other purposes” or “providing you with information and services you may like”. In either case, I don’t think this comes close to sufficing.

And consider the context. People are providing their data for what they think is a vital health protection purpose. Against that context, satisfying the Article 7 requirement for consent to a collateral purpose to be clearly distinguished from “other matters” is, in my view, a pretty high hurdle. Nothing short of crystal clarity is likely to suffice.

So if the Times is right, I suspect the 15 firms that the ICO is apparently investigating could have an interesting time.

Why do you say it’s dangerous?

Lawfulness, or rather a lack of it, is bad enough.

But what really concerns me is the trust factor. We’ve had enough trouble in the UK with people mistrusting the Government’s actions and motives. Whether it’s people claiming the North is being treated far worse than the South as far as lockdowns are concerned, or the furore over the infamous Cummings odyssey in May, or the frustration of the UK Statistics Authority over what it saw as misleading or even manipulated test statistics, it’s clear that for many the predominant response to Coronavirus restrictions is now suspicion, rather than acceptance or support.

And that’s the public sector. The private sector, meanwhile, is being asked to police the restrictions – restaurants, for instance, have to refuse entry (under regulation 16 of the Regulations referred to above) to anyone who refuses to use the NHS QR code and won’t give their information otherwise. This is hard enough for restaurant staff. Imagine how much worse it could be if the refusenik customer thinks their data’s being stolen at the same time.

The real threat, though, is to broader trust. As I said earlier, the countries that are coming through this nightmare without terrible social and economic damage (not to mention, of course, with far fewer deaths and debilitating illnesses) are those with political leaders who have played it straight. Who haven’t exaggerated or appeared to use Covid as a tool for other political ends. Who’ve shown that this isn’t just the highest policy priority, but the only one that matters. And who’ve shown that competence is more important than ideology or loyalty.

In other words: those whose leaders have taken trust seriously, and done everything in their power to earn it, every day. It’s not that they haven’t made mistakes. It’s that those mistakes have been recognised and learned from.

We have a trust deficit. It’s killing people. Anyone deliberately or recklessly (as opposed to accidentally or inadvertently) undermining that trust is playing with lives.

And when you do something that discourages people from engaging with test/trace/isolate, you’re doing just that.