Privacy campaigners have voiced concerns about how safely customers’ contact details will be stored after pubs, restaurants and hotels in England open again following the coronavirus lockdown.
In announcing a 4 July reopening for the hospitality sector, Prime Minister Boris Johnson said they would have to record clients’ contact details in case they are needed to help with test-and-trace efforts in the battle against Covid-19. The information is to be kept for 21 days only.
But privacy groups claim the industry has been given no guidance on how to gather and store potentially sensitive data, while customers had been given no assurance that their information will be handled safely.
Silkie Carlo, director of the Big Brother Watch civil liberties’ group, told the Guardian: “It poses privacy risks. Asking pubs and restaurants to become data controllers overnight is unfair, and could see personal data hoarded, lost or misused, whether for marketing or unwanted personal contact. We’ll be monitoring to ensure the scheme is voluntary, safe and respects privacy.”
Ray Walsh of security site ProPrivacy commented: “The sad reality is that people’s contact details could potentially be inappropriately handled by pub staff, opening consumers up to all kinds of privacy and security risks, including the potential of stalking or other unwanted criminal activities.”
The Information Commissioner’s Office (ICO) said it is assessing the potential data protection implications of the hospitality sector reopening and is monitoring developments.
Pointing out businesses are not exempt from data protection rules, even under current circumstances, a spokesperson added: “Key data protection principles must be considered so that people’s data is handled responsibly. This includes only collecting personal data that is necessary, making sure that it is not retained for longer than needed and keeping it secure.
“Organisations must also tell people how and why they need to use their personal information.”
Ian Schenkel, Vice President, EMEA at data protection and security vendor, said: “While this week’s decision to re-open pubs and restaurants on the 4 July comes as a saving grace for hospitality business owners, the guidance to collect people’s personal data without providing any formal data protection guidelines poses a serious security risk. Many cybercriminals have already been taking advantage of COVID-19 to exploit peoples’ fears and this activity, if not conducted properly, will seem like an open door for them to steal consumers’ data. Without the right measures in place, the nonchalant collection of personal data will jeopardise both the consumer and the business.
“Ahead of July, I sincerely hope that the government does come out with very clear guidelines so business owners understand exactly what security measures they must have in place to protect their customers, and themselves against data breaches. Without the right guidance for collecting and storing data, simply gathering data at the front of a beer garden is an open invitation for malicious cybercriminals.”
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.