BY Shanti Das for The Sunday Times

Companies collecting data for pubs and restaurants to help them fulfil their contact-tracing duties are harvesting confidential customer information to sell.

Legal experts have warned of a “privacy crisis” caused by a rise in companies exploiting QR barcodes to take names, addresses, telephone numbers and email details, before passing them on to marketers, credit companies and insurance brokers.

The “quick response” mobile codes have been widely adopted by the hospitality, leisure and beauty industries as an alternative to pen-and-paper visitor logs since the government ordered businesses to collect contact details to give to NHS Test and Trace if required.

Any data collected should be kept by the business for 21 days and must not be used “for any purposes other than for NHS Test and Trace”, according to government guidelines.

But some firms used by businesses to meet the new requirements have clauses in their terms and conditions stating they can use the information for reasons other than contact tracing, including sharing it with third parties. The privacy policy of one company used by a restaurant chain in London says it stores users’ data for 25 years.

Gaurav Malhotra, director of Level 5, a software development company that supplies the government, said data could end up in the hands of scammers. “If you’re suddenly getting loads of texts, your data has probably been sold on from track-and-trace systems,” he said.

One of the firms claiming to offer a privacy-compliant QR code service is Pub Track and Trace (PUBTT), an organisation based in Huddersfield charging pubs £20 a month to keep track of visitors, who are asked to provide their name, phone number and email address.

Despite its claim to be a “simple” service, its privacy policy, which users must accept, explains how personal data of people accessing its website can be used to “make suggestions and recommendations to you about goods or services that may be of interest to you” and shared with third parties including “service providers or regulatory bodies providing fraud prevention services or credit/background checks.”

It may also “collect, use, store and transfer” records of access to certain premises including “time, ID number and CCTV images”.

PUBTT, which works with pubs in England and Wales, said users agreed to its privacy policy before using the service and claimed it had not passed data to third parties. A spokesman, identified only as Adam H, said: “The data we collect is only for use of the Test and Trace service or where a user has agreed for the venue to use their information for marketing purposes.”

Ordamo, which provides track and trace services for restaurants, states that data from website visitors is “retained for 25 years”, a duration Hazel Grant, head of privacy at Fieldfisher, a law firm, said would be “very difficult to justify”. Ordamo did not respond to requests for comment.

The Information Commissioner’s Office is assessing 15 companies that “provide services to venues to collect customer logs”.

Contact-Tracing Data Harvested From Pubs and Restaurants Being Sold On