The U.K.’s Information Commissioner’s Office (ICO) has fined contact tracing service provider Tested.me for misusing users’ personal data. In an official notice, the data regulator announced that it imposed an £8,000 fine (approximately USD 11,300) under section 55A of the Data Protection Act 1998 after the company ran email marketing campaigns without users’ consent.
Based in St. Albans, Tested.me provides digital contact tracing services to businesses by offering users a QR code to scan on arrival at business premises. Several people provided their personal details to businesses via Tested.me.
The ICO claimed that Tested.me sent over 84,000 unwarranted marketing emails between September and November 2020. According to the ICO, Tested.me violated data protection laws by exploiting users’ personal data without the consent of the people who had provided their information for contact tracing.
The issue came to light when a user reported to the ICO an email from Tested.me about a digital health passport. “The mail thanked the individual for scanning into a business using TML’s QR code and promoted a related app. The person who received the email said they had not provided consent to be sent it,” the ICO said.
In addition to the Tested.me investigation, the ICO noted the rise in the use of QR code technology and asked 16 QR code providers to confirm that they were processing people’s personal data securely.
“The checks, which took place over the past six months, found that most of the companies understood the relevant laws and the importance of processing personal data fairly and securely. ICO experts also met with some of them to help improve their practices,” the ICO added.
ICO Guidelines to Businesses
The ICO also published guidelines for businesses to follow to protect users’ data privacy. According to the guidelines, organizations in the U.K. should:
- Adopt a data protection by design approach (DPBD) from the start when they develop new products
- Make privacy policies clear and simple so that people understand how their information will be handled
- Not keep any personal data they have collected for more than 21 days — in line with regulations brought in last year for the collection of information for contact tracing
- Not use the personal data for marketing or any other purpose
The ICO also set out five steps for businesses to follow when collecting customers’ details:
- Ask for only what’s needed
- Be transparent with customers
- Carefully store the data
- Don’t use it for other purposes
- Erase it in line with government guidance
“We understand that organizations have lots of new measures to put in place so that they can re-open safely to the public. For many, this includes collecting customers’ and visitors’ personal information for the first time, to support the various contact tracing schemes in the U.K. Whilst asking for contact details has been voluntary so far, new measures have been brought in to oblige certain organizations to ask for this information,” the ICO added.