The Information Commissioner’s Office appears to have forgotten its own pledge to come down hard on anyone profiteering from Covid after fining a firm just £8,000 for sending marketing emails to tens of thousands of people who provided their personal data for contact tracing purposes.
Tested.me (TML) of St Albans provides digital contact tracing services which work by offering people a QR code to scan when arriving at businesses’ premises.
The company was incorporated on June 26 2020 during the first lockdown. There are currently three directors, Simon Osman, Andrew Reid and Katherine Reid, all of whom were appointed on June 26; Osman and Reid are the directors of multiple other companies and describe themselves as entrepreneurs.
TML first came to the ICO’s attention after an individual submitted a complaint to regarding an unsolicited received on November 6 2020. The complaint concerned an email from TML regarding a “digital health passport”. The email thanked the individual for scanning into a business using TML’s QR code, and marketed an app which could be used to “register at open businesses using Tested.me more quickly and securely, share your Covid-19 test results and track how you’re feeling on a daily basis”.
The individual stated that they did not consent to receiving this email and did not believe they had any relationship with TML. The ICO investigation found that TML did not have adequate consent for nearly 84,000 emails it sent to push its services between September and November last year – at the height of the pandemic – when businesses were using private QR code providers to collect personal data to meet the Government’s contact tracing rules.
The ICO says it fined the firm for using personal data for marketing without adequate valid consent, which is in breach of the Privacy & Electronic Communications Regulations (PECR).
However, the penalty is a far cry from the regulator’s tough posturing at the beginning of the outbreak last year when it said that, while it would take into account the impact of the crisis on organisations, it would focus its attention on those incidents which suggested serious non-compliance.
At the time, the ICO warned: “We will take a strong regulatory approach against any organisation breaching data protection laws to take advantage of the current crisis.”
Alongside the investigation into Tested.me, the regulator says it also responded to the rise in the use of QR code technology by contacting 16 other QR code providers to ensure they were handling people’s personal information properly.
The checks, which took place over the past six months, found that most of the companies understood the relevant laws and the importance of processing personal data fairly and securely.
ICO executives also met with some of them to help improve their practices, although none were deemed serious enough to warrant further action.
Bristol firm pummelled for ‘profiteering from Covid-19’
Denham plays ‘good cop, bad cop’ in ICO rule shake-up
FCA plots campaign to combat the return of the rogues
Senior judge suspends all appeals against ICO rulings
ICO warns supermarkets over Covid-19 data retention
Regulator gives the green light for mobile data tracking
ICO pledges ‘light touch’ over coronavirus privacy fears