Are COVID-19 contact tracing technology services legitimate?

October 2020

Contact Tracing: Are concerns about tech providers justified?

“Contact-tracing data harvested from pubs and restaurants being sold on”

This was a recent headline from a national newspaper which featured an article about some of the automated contact tracing services that are being provided to pubs and restaurants.

The article noted there are concerns that these service providers have clauses in their Terms and Conditions stating personal information can be used for reasons other than contact tracing “including sharing it with third parties”.

This sounds terrible – how could such disreputable companies be allowed to scam customer data like that? How are they allowed to operate given there is such a high level of scrutiny on the collection of any COVID-19 related data?

On closer examination of the privacy notices of these suppliers, things aren’t quite as simple as they seemed. It may well be the case the activities of these companies are perfectly innocent. Why?

Who are these companies and what do they do?

Many suppliers of contact tracing services are operating in the hospitality sector, providing a range of services from contactless menus to Wi-Fi sign-in services, guest services and so on. There is a burgeoning industry in providing technology solutions in this sector. Contact tracing is just one small part of their product range.

Who are these suppliers talking to?

Suppliers of tracing services are contracting with restaurants and other hospitality outlets. Their T’s and C’s and Privacy Notice may well relate to the relationship between the tracing service provider and the restaurant, not the restaurant and the customer. This is often not clear, as the privacy notice will refer to “you” without specifying who “you” is.

Who is the Data Controller and who is the Processor?

It’s important to check whether the service provider is a Controller or Processor. It is quite likely that the service provider is a Processor and the restaurant is the Data Controller. If that is the case, it’s important to examine the restaurant’s privacy notice to see what they are doing with the data.

Are these companies assuming a B2B relationship?

Probably yes. Suppliers of tracing services are business-to-business providers to restaurants. This means that there might be differences in the way that personal data is collected and used. In fact, some of their activities may look positively alarming if you’re viewing them through a COVID-19 contact tracing filter.

Do these providers work with third parties?

Yes, they do. Developers of services will often license software from other companies and evolve or rebrand it into a new service. If this is not explained clearly, it can be very difficult for the untutored eye to establish who is doing what with whose data.

What about data retention policies?

The article commented that some of these service providers plan to retain data for 25 years! Whether or not this privacy notice is addressed to restaurant goers, this is a long time and hard to justify. On the assumption that this retention policy relates to technology service providers and their restaurant/hospitality clients, it would be more realistic if the time frame was nearer to 2 years. And, of course, if it relates to COVID-19 tracking data it should be 21 days.

What does this all tell us about Data Protection?

Sadly, one might conclude that our Data Protection Laws are too complicated. How is a layperson expected to navigate their way through all this complexity and understand what is really happening to their data? Having said that, too few businesses spend enough time explaining in clear language what they’re really up to. That is an important communication opportunity.