Some UK companies have been selling on customers’ private data for profit, after gathering their information via track and trace check-in systems to monitor the spread of the coronavirus.
In the UK, an effective COVID-19 contact tracing system was supposed to allow the nation to return to a level of normality. It’s been mandatory for UK venues including pubs, restaurants, and concert halls, to collect visitor details since June. But, as the UK’s official NHS Track and Trace app wasn’t released until August 12, there was a long period where venues were, essentially, on their own with finding a solution for gathering such data.
This lack of control, somewhat inevitably, led to some companies taking advantage of the data that was being gathered.
How Were Businesses Able to Sell User Data?
When Brits were first allowed to venture out post-lockdown in June, the UK government mandated that all venues report who had been inside them, and when. This data was then used by the NHS Track and Trace system — which itself has been fraught with problems.
Upon creating the new rules for venues, the government said that user information could only be retained by venues for 21 days — a week longer than the UK’s recommended two-week isolation time in the event of displaying symptoms.
In some cases, the terms of use saw punters unwittingly agreeing to sharing their information for up to 25 years.
But, according to the Times, some businesses have been creating QR codes which extract more information than is strictly necessary, and then selling it on. These same businesses have covered their backs by creating their own terms of use. In some cases, these saw punters unwittingly agreeing to sharing their information for up to 25 years.
As businesses were able to create their own QR codes and tracking systems, they were, essentially, free to do as they saw fit with customer data. Sadly, this sort of data packaging and selling does technically comply with the EU’s GDPR regulations. Companies are allowed to sell customer data on but only if customers are informed — whether customers were properly informed or not is still up for debate.
Doesn’t the UK have an Official Track and Trace App?
It does now. But, as we explained back in June, it hasn’t been smooth sailing for contact tracing in the UK.
Initially, the government tried to create a completely bespoke app. It – seemingly – didn’t realise that Android and iOS systems do not allow apps to simply blast out Bluetooth notifications non-stop. This led to an abortive trial on the Isle of Wight, costing millions of pounds before the government decided to take advantage of the exposure notification system baked into Android and iOS.
Meanwhile, Serco, a British-based public service outsourcing company, has been running the UK’s track-and-trace system and has allegedly pocketed around £35 million (around $45.6 million) for the privilege. Infamously, Serco’s track and trace system fell over when the number of cases exceeded the maximum number of columns on an Excel spreadsheet, consequently leading around 16,000 cases going missing.
To be clear, the issues with selling punters’ details to third parties has nothing to do with the official contact tracing app.
Can the US Learn Anything from these Systems?
There are plenty of lessons that the US could learn from the UK’s mishandling of coronavirus contact tracing, if it chose to.
But of course, it will require serious political will and top-down competence to implement federal contact tracing measures across a nation as vast as the US.
In fact, given the widespread mistrust of public figures of any political persuasion in the US at the moment, it seems unlikely than anyone would download an official government contact tracing app in the first place.
