NHS App users get privacy; other visitors get nothing

Today the Government launched its England and Wales COVID App, and its new rules to ensure that bars and restaurants keep records of customers who visit. If you don’t have the NHS App, then the venue has to keep a record of who you are. Unfortunately, the Government has done nothing to ensure that people’s data is treated properly by these venues.

Yesterday, we wrote with Big Brother Watch, through our lawyers at AWO, to the Government to demand answers. The Government has not explained how bars and restaurants are meant to keep data, what the legal liabilities are, or whether any data protection impact assessment has been made.

The Government is, in our view, clearly just as responsible for your personal details as the bar or club that collects them. The Government cannot simply pretend this is not its problem.

The concerns we have with pubs and bars are real of course. They have abused data for marketing purposes and in some cases staff have even stalked customers. There is a myriad of potential abuses that flow from this.

These concerns should have been flagged months ago in the Data Protection Impact Assessment for Test and Trace – which the Government admitted to us that they did not conduct, in breach of their legal duties.

Thus, today, as the NHS COVID App launches, we have a very curious approach to privacy. On the positive side, the NHS have adopted the widely respected approach designed by Apple and Google to ensure Bluetooth contact events are matched on your own phone, so that privacy is preserved to a very high degree. (This approach has already been adopted in Scotland and Northern Ireland, which have their own apps.)

Likewise, if you use the England and Wales App and scan a QR code for a venue to record that you were there, any notification of infection risk is done by checks on your phone, meaning the Government never receives lists of people in places and who they might meet there.

However, if you don’t have a modern smartphone, and hand your data to the pub or restaurant, then you are given little or no privacy protection. No thought has gone into your privacy and risks, it seems, even though those risks are very tangible.

The impression that is given is that the Government will deal with privacy concerns if forced, or if people shout loud enough. But if not, then privacy is just ignored, even to the point that the law is breached.

We still cannot be confident that the Test and Trace system has resolved its privacy and security issues. Indeed, the Welsh programme recently leaked vast amounts of personal patient data, and nearly failed to follow up when alerted by a member of the public.

Perhaps the most disappointing aspect of this is the continued absence of clear demands for standards from the Information Commissioner, who appears to be working as a privacy consultancy to the Government, rather than its regulator.

The ICO now promise they will “audit” Test and Trace. When exactly, we wonder, and to what effect? Unless the ICO take firm action in the face of Government failings, the Government has little incentive to improve, and the public lacks an institution capable of holding them to account.

And Open Rights Group will be forced to step in, as best we can, to get answers where they are needed.
