Watchdog says most companies kept within the law
A firm established last year to provide businesses with digital contact-tracing services has been fined by the Information Commissioner’s Office for breaching data laws.
Based in St Albans, Tested.me Ltd was incorporated in June 2020. The NHS Covid-19 app did not launch until late September and, during last summer and autumn, the firm was one of many external providers that allowed businesses around the country to display QR codes that could be scanned by customers for the purposes of contact-tracing.
Having assisted in gathering personal data of citizens, the Hertfordshire company then broke data-protection laws by sending them – without adequate consent – about 84,000 marketing emails between September and November, according to the ICO.
The regulator has fined the company £8,000 for doing so.
The ICO claimed that it has also engaged with a range of other commercial QR code providers that have supported businesses during the pandemic “to ensure they were also handling people’s personal information properly”.
“The checks, which took place over the past six months, found that most of the companies understood the relevant laws and the importance of processing personal data fairly and securely,” the watchdog added. “ICO experts also met with some of them to help improve their practices.”
As the economy begins to open up and more contact-tracing info is gathered, businesses unsure of their obligations can turn to ICO guidelines, which advise them to store data no longer than 21 days, and not to use it for any marketing purposes.
Firms are also encouraged to “adopt a data protection by design approach from the start when they develop new products… [and to] make privacy policies clear and simple so that people understand how their information will be handled”.