The Contact Tracing Crunch — last orders for Covid ‘guestbooks’?

Image for post
Image for post
Denny Muller via Unsplash

The window for relying on pen-and-paper guestbooks or digital marketing forms and booking systems is closing fast; for security, data rights and safeguarding, that’s a good thing…

The clock is ticking: the UK government recently announced collection of contact details for NHS Test & Trace requirements will be mandatory for many venues from 18 September, including:

· Hospitality: pubs, bars, restaurants and cafés

· Tourism and leisure: hotels, museums, cinemas, zoos and theme parks

· Close contact services: hairdressers, barbershops and tailors

· Facilities provided by local authorities: libraries, town halls and civic centres

· Places of worship, including use for events and other community activities

A big change is in the basis by which venues obtain this data, going from consent or legitimate interest to ‘legal obligation’, meaning patrons can no longer refuse to co-operate with the process.

This means an added burden for staff, a fresh opportunity for bad actors and unless handled correctly, a new vector of risk for businesses and charities: ‘business as usual’ will need to change.

As outlined here by trade organisation the DMA, this means collecting just the data required, using it only for the intended purpose, and operating a ‘quarantine’ policy around access and disposal.

In this light, the fewer physical and digital touchpoints an organisation uses to meet its Covid-secure responsibilities, the better. There is no question of ‘pivoting’ the data people submit into marketing or sales collateral, so using technology designed to harvest and spread data amongst the adtech ecosystem isn’t worth the risk.

With people increasingly aware of state and corporate surveillance you also need the tools for people to exercise their rights, control and delete data while you act as custodian, and to know the data is accessible only to those who need it to safeguard health.

At Tapmydata, we adapted our existing app and secure data rights channel to this challenge. Our solution allows people to submit contact details and still keep control of their data across multiple locations with their ‘phone.

All businesses need to do when onboarded to the web platform is inform visitors of the requirements and display a unique QR code on premise and in their marketing materials. Autoresponders can push updates on safety guidance to visitors and there are no further data touchpoints from the point of collection, until it is auto-deleted 21 days later.

Neither Tapmydata (nor anyone else) has access to the users or data shared. An authentication protocol is used with NHS Test & Trace should they need to be in contact, eliminating the risk of human error or data being used at collection point for ‘stalking’ or social engineering fraud.

Update: since I started this post, the government announced its own, long-delayed app will be live by end of September and features venue check-in; let’s see if they have taken all this on board…

Written by

Privacy Technologist, Entrepreneur, CEO @tapmydata, Privacy Spokesperson @techlondonadv, lapsed Archaeologist, SE London, bass guitar in @Ton50Band

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store