Since its launch in late May, the UK government’s Test and Trace service has been contentious. Not only has its efficacy been thrown into question by reports it’s failing to contact thousands who may have contracted COVID-19, but the Department of Health has also been forced to admit it launched the initiative without accounting for privacy. While the Education Secretary, Gavin Williamson, may feel the need to get the system “up and running at incredible speed” is a justification for these failings, it’s really an admission that a rushed test and trace service is placing consumer privacy and health at risk.
Guest registers are symptomatic of broader test and trace privacy failings
The UK government’s willingness to sacrifice consumer privacy during the pandemic has been exemplified by the guest registers they have required the hospitality sector to keep to support the test and trace service.
Their motivation for having pubs and restaurants keep a record of guests’ personal data – such as their names, email addresses and phone numbers – is undeniably good; they want to protect customers’ physical health. However, if this data is handled improperly it could create significant privacy issues for establishments and the punters visiting them.
Unfortunately, the likelihood that this could happen is high. The hospitality sector had a mere two weeks notice to create and deploy their guest register systems in June. For those with experience in development and data privacy this would be an adequate length of time to prepare. However, many businesses lacked, and still lack, the requisite knowledge to develop a secure system for gathering and retaining data. As the volume of sensitive data these businesses are collecting grows so too does the chance of a third-party data breach or internal misuse. For example, there have been numerous reports of employees stealing contact details from their company’s test and trace registers to harass customers.
In the event of this form of breach, or any other kind, there could be crippling financial implications for the business involved. Not only could it be charged with a sizable fine for breaching privacy regulations, such as General Data Protection Regulation (GDPR), but it could also severely damage consumers’ faith in the business, reducing the likelihood of repeat custom. These are two serious examples of the threat poor privacy poses to businesses after months of lost revenue during lockdown.
Consumers value privacy, organisations need to as well
The importance the public places in privacy must not be underestimated by any organisation, including the government. In fact, consumer interest in privacy is growing, 75 percent of consumers report being concerned with the security of the personal information they share with businesses, according to IDEX Biometrics.
If these consumers don’t trust the test and trace system to keep sensitive information secure their confidence in passing over their data and that of their family and friends will be shaken. This will reduce their engagement with the programme, decreasing the likelihood it will be effective at minimising COVID-19 transmission.
There is evidence to show this is already happening. Figures published by the Department of Health and Social Care in late June show that 25 percent of people transferred to the tracing system following COVID-19 testing said they had no recent contacts the government should also reach out to about self-isolating. It is possible that a number of these individuals chose to not disclose their contacts’ details due to the mistrust caused by the government’s failure to keep data secure. If people don’t trust the government enough to share their details, the track and trace initiative could collapse; to be effective 80 percent of an infected person’s close contacts must be instructed to self-isolate within 48-72 hours.
It’s time for privacy to become a top priority
To turn the tide on test and trace, privacy needs to become a top priority. The government must not only invest in shoring up the privacy of their own test and trace systems but provide businesses with technological assistance for developing their own, so that they don’t have to resort to risky measures such as using free apps or paper sheets. Both parties should also invest in simple tools, such as cryptographic pseudonymisation, so that consumers can be contacted without the organisation ever being able to view their email addresses. This will prevent sensitive data being misused by workers or made being unscrambled by hackers in the event of an attack. Finally the government must clearly communicate with the public on how they are safeguarding personal data and what their plans are for using it.
These steps must be enacted immediately to restore public confidence. Afterall, the government may have rushed out test and trace in good faith, but if people can’t trust the system with their data, the biggest loser will still be our health if and when a second wave arrives.
Contributed by Rich Vibert, cofounder and CEO, Metomic