Companies collecting data for pubs and restaurants to help them fulfil their contact-tracing duties are harvesting confidential customer information to sell.
Legal experts have warned of a “privacy crisis” caused by a rise in companies exploiting QR barcodes to take names, addresses, telephone numbers and email details, before passing them on to marketers, credit companies and insurance brokers.
The “quick response” mobile codes have been widely adopted by the hospitality, leisure and beauty industries as an alternative to pen-and-paper visitor logs since the government ordered businesses to collect contact details to give to NHS Test and Trace if required.
Any data collected should be kept by the business for 21 days and must not be used “for any purposes other than for NHS Test and Trace”, according to government guidelines.
Gaurav Malhotra, director of Level 5, a software development company that supplies the government, said data could end up in the hands of scammers. “If you’re suddenly getting loads of texts, your data has probably been sold on from track-and-trace systems,” he said.
One of the firms claiming to offer a privacy-compliant QR code service is Pub Track and Trace (PUBTT), an organisation based in Huddersfield charging pubs £20 a month to keep track of visitors, who are asked to provide their name, phone number and email address.
It may also “collect, use, store and transfer” records of access to certain premises including “time, ID number and CCTV images”.
Ordamo, which provides track and trace services for restaurants, states that data from website visitors is “retained for 25 years”, a duration Hazel Grant, head of privacy at Fieldfisher, a law firm, said would be “very difficult to justify”. Ordamo did not respond to requests for comment.
The Information Commissioner’s Office is assessing 15 companies that “provide services to venues to collect customer logs”.