Are we sharing more data than ever before?

May 2021

During lockdown and the subsequent gradual re-opening, there’s been a significant increase in the number of online forms we have to fill in.

Going out for dinner, entering a pub, getting your Covid vaccination, health forms for osteopaths, forms for dentists, hairdresser appointment forms – the list goes on.

The fact is, everywhere we go right now seems to involve filling in an online form. And sometimes this includes collecting sensitive health-related information.

Inevitably all these forms are online, to save us catching the lurgy from pencils, pens or pieces of paper!

As collectors and consumers of these forms what should we be concerned about?

1. What data is being collected? It should be limited to what is needed to do the job and no more!

2. Why’s it needed? It should be clearly explained to the customer, event attendee, patient (and so on) why this information is required.

3. How long will it be kept? If visiting the pub, it will only be needed for track and trace purposes, so should be securely deleted after 21 days (under England guidelines). If it’s a trip to the dentist, is it clear this information is being added to your health file or not?

4. What will it be used for? In certain obvious instances data will be collected for health screening purposes. The key question is to establish whether there’s any reason to retain the information after the check-in moment.

5. What other purposes is data collected for? Often pubs or restaurants may ask people to register with their app for table service. As part of this service there may be a request to create an account. Any marketing permissions should be separate and should not be a condition of registering.

6. What privacy notices are displayed? It should be easy to access further privacy information.

7. Is the form secure? Many organisations, especially smaller ones such as beauticians and hairdressers, are likely to be using a third party’s software to create the form. Such providers should be subject to a level of scrutiny. Remember the data breach from Typeform in 2018? In their case they hadn’t synchronised back-ups with clients and had retained large quantities of personal data. Lots of companies’ customer and other personal data was affected.

In addition to the above, there’s also the scanning of the Government app QR codes. After a couple of false starts, the NHS is starting to look like a useful resource. It will store Covid test results, a record of vaccinations, as well as other test and trace information. Is it clear how long this is kept for and under what lawful basis?

What about data sharing? The government has been free with public interest as their lawful basis for collecting and sharing data. We have no idea how much has been shared and also no real idea as to how useful this sharing has been.

In conclusion, the pandemic has been extremely good cover for an explosion in data capture and, given the public health card has been played so many times, no-one really knows how much data is being retained.

