Breweries, pubcos, restaurants and other venues rushing to reopen on 4 July 2020 after the latest easing of lockdown regulations in England could be putting the data of their customers at risk by implementing poorly thought-out, insecure check-in technology.
Over the weekend of 20-21 June, health secretary Matt Hancock said that to enable such venues to reopen while minimising the risk of customers contracting Covid-19, people may be required to check in and provide their personal details so they can be quickly identified in case of a second wave of cases. The proposals were later branded “bonkers” by the boss of brewer and pub chain Marston’s.
ProPrivacy’s Ray Walsh described the rules as a red flag for privacy. “The potential for pubs to mismanage, mishandle or lose that data in breaches or leaks has the potential to put the pub-going public at massive risk,” he said. “People’s contact information is extremely sensitive, and it is important for strict measures to be put in place to ensure that data is handled in accordance with the GDPR [General Data Protection Regulation].”
Richard Vibert, CEO and co-founder of privacy specialist Metomic, warned that it would be very easy for pubs, bars and restaurants to fall foul of the UK’s strict privacy laws.
“Widespread collection of punters’ personal contact information, including their email addresses, leaves businesses susceptible to internal misuse, accidental or otherwise, or third-party data breach,” he said.
Walsh said there were a number of ways the data might be misused, and that the risks were particularly concerning for women, minorities and other vulnerable groups. In New Zealand, where similar guidance is in place, a customer of a Subway sandwich franchise was harassed by an employee who stole her contact details.
Conor Hogan, global information governance manager at the BSI, said the easiest and simplest method of reopening was probably the one most business owners would take. Given the short timescales involved, only the largest breweries and chains will consider technology, so for independent pubs and family-owned restaurants, contact tracing will involve a physical paper-based record.
“Making sure tech controls are in place for apps can be difficult and may be harder for smaller venues,” said Hogan. “Technology can introduce complications, such as procurement, engaging with a vendor, compliance obligations flowing from data protection law, and cyber security concerns.”
Because it is unlikely that many chains will develop their own contact-tracing apps, and they will instead use those developed by third parties, organisations must also consider the risks around compliance, said Hogan, and should be particularly wary of free apps.
“If it is free, why is it free?” he said. “What value is attributed to the information? Do advertisers get access to it? If so, potentially your organisation is on the hook as a data controller under data protection law.
“Realistically, the obligation will be on you and your business to make sure the information doesn’t leak, or get used to retarget customers for advertising.”
Hogan added: “If I was to advise organisations on what they should do, they need to be very transparent, tell people what information they require, not to collect more than they actually need, and have a procedure in place to securely delete, whether the data is on paper at front of house, or whether you’re using something like an app.”
Metomic’s Vibert said there were several steps hospitality businesses could take to mitigate risk when facilitating contact tracing, and they do not need to be overly expensive or time-consuming.
“Simple measures, such as introducing technology to cryptographically mask customers’ email addresses, will play a key role,” he said. “Using these systems, pubs, bars and restaurants will be able to directly email customers without being able to view their email address. This will give businesses peace of mind on security and satisfy regulatory requirements, such as GDPR.”
ProPrivacy’s Walsh added: “It is crucial that businesses have a proper data protection officer in place to ensure they are solely responsible for the collection, storage and eventual deletion of all personal information.”
Walsh and Vibert agreed that the government also had a duty of responsibility to ensure its guidelines were strict and not open to misinterpretation, and that the collection of data by venues will be secure for the general public.
“Boris Johnson pledged to support the hospitality sector and he needs to do so in a tangible way,” said Vibert, “for instance by offering tech support for app development or introducing a period of no fines for businesses as they get their systems up and running.
“If the government wants the economic boost that opening up the hospitality industry will provide, they need to be willing to invest in it first.”