Brits shouldn’t need to give up personal data for a pint, data watchdog says

Non-pharmaceutical interventions introduced during the heights of the pandemic to limit community transmission included extensive use of apps for ordering, collecting and paying for food and drink as an alternative to queuing at bars and conversing with service staff.

With many of these tools likely to remain after other pandemic-era restrictions are loosened, the ICO has warned businesses that they must “get the balance right” and continue to comply with data protection law by only collecting personal data that is necessary and relevant.

Companies are also being urged to provide customers with alternative safe payment options so that nobody is excluded, such as customers without smartphones or with older models.

“We understand and appreciate the challenge that many small businesses have faced during the pandemic,” said Paul Arnold, deputy chief executive of the ICO. “Our focus is on supporting and enabling them to handle people’s data responsibly from the outset and to help the thousands of businesses that are doing their best to continue to keep recovering from the pandemic.”

The ICO has advised people to check privacy notices of apps used for ordering from specific businesses in order to find what the business intends to do with their data, such as what it will be used for and whether it will be accessed by other organisations.

“People are excited to be going out again and the innovations that have emerged through the pandemic can make that experience safer, easier and more enjoyable,” said Arnold. “But you shouldn’t have to give up too much of your personal data to order a pizza or a pint.

“Businesses should keep it simple, fair and transparent and we’re here to help.”

Data protection has been a key point of contention as governments take a wide range of approaches to managing the pandemic. For instance, some countries have adopted contact-tracing apps which centralise storage and processing of user data on contact with other users and infection and vaccination status, while others have adopted a decentralised model – in which an anonymised database is regularly downloaded to users’ phones – using a Google-Apple API based on Europe-wide research.

The UK government initially announced that it would pursue a centralised model for data storage, only to perform a U-turn some weeks later under pressure from academics and campaigners. For instance, Amnesty warned that a centralised model could open the door to “pervasive state surveillance and privacy infringement”.