On July 10th, Griffin Law’s managing director had dinner at the Goudhurst Inn. On arrival, he provided his name, email address and mobile number and was told that he would be contacted, if required, in line with the government’s track and trace rules. He provided his contact details on that basis.
On August 2nd, he received an email from The Goudhurst Inn. His heart sank. Had there been a local Covid-19 outbreak where an infected person had been traced to that restaurant on the same night that he had dined there? Was he now at real risk of having been infected too, and did he need a test and should he self-isolate?
In fact, a few seconds later the nature of the email from The Goudhurst Inn became apparent. Instead of using his personal data for the sole purpose for which he had provided it, he was being asked to review the restaurant on Tripadvisor.
The Information Commissioner’s Office has published clear guidance for the protection of customers’ details obtained to support contact tracing.
That guidance clearly states: “You cannot use the personal information that you collect for contact tracing for other purposes, such as direct marketing…”
Griffin Law has asked The Goudhurst Inn to show where consent was given to the processing of personal data for marketing purposes when it had been provided for the sole purpose of contact tracing in line with the law.
So far, we have heard nothing. We have therefore raised the matter with the ICO.
If restaurant customers are going to have their data misused, they will be more reluctant to provide it. Contact tracing will only work if data that is provided is not misused.
If you have had your personal data misused, please contact Griffin Law. In appropriate circumstances, it may be that you might even be entitled to compensation.