Limited functionality available
I was in a café at the weekend, and as is the new norm, I had to provide my details for contact tracing. In this case, I used a QR code. Intrigued, I took a screenshot of the page the code landed me on to enter my details. There was nothing there telling me how my data would be used. No T&Cs. No privacy statement. Nothing for me or other diners to educate ourselves on how our data would be collected and used.
Make no mistake, this is entirely at odds with some of the most basic privacy principles.
This year, our Australian Privacy Index revealed 60% percent of surveyed respondents had backed out of purchasing a product or using a service, or closed an account completely, due to privacy concerns in the past. So, it’s no surprise that the general public are openly expressing concern about their contact tracing data. People are asking questions; worried their private details are exposed to other customers, or third parties online. Diners are equally uncomfortable with their details being visibly available on paper for all to see. While some may say they’ve nothing to hide, that’s no deterrent for opportunists to use personal details in an undesirable or even criminal manner. For example, someone takes a photo of a restaurant check-in sheet and then uses the names to look up social media accounts. If you think this is unlikely, have a look at recent news articles, or consider the last time you used the internet to have a ‘sneaky stalk’… you might not have stolen details to do so, but you get my point.
Now, if you’re a business owner, you may find yourself liable for the theft of contact tracing information. It’s arguable that should someone suffer harm as a result of your negligent handling of their information, you’ve breached your duty of care to your customers. Even if your business is too small to be covered by our privacy laws – you may still be subject to litigation.
Sadly, it appears that some data collection companies are exploiting people by means of COVID-19. Abusing both fear and trust, they collect information to make money rather than to protect. And it’s entirely unethical. These companies are undermining trust at a time when we all need to trust one another – and destroying trust for the businesses out there who are trying to survive by doing the right thing. There needs to be action against this – and I’ll get to that. But what can you do right now if you’re a business owner?
You can’t be complacent. Collecting customer information is purely for contact tracing (should it be required) and not for any other reason. Cost, lack of clear direction on how to execute, not understanding the relevant state or federal privacy legislation, or assuming it doesn’t apply because of the size of your business, are no excuse. Even if you don’t have a regulatory risk you still have a duty of care to your customers. By law, the data must be destroyed after a certain amount of time, and if you want to be trusted, under no circumstances should it be used without express, singular, opt-in permission, for any other purpose including marketing or sold to third parties. Furthermore, insurance companies should be checking on their business clients – because if their clients are negligent in how they go about handling their patrons’ information and someone suffers harm as a result, this could lead to a successful claim for damages in civil lawsuit, which insurance companies may have to wear.
When it comes to contact tracing for COVID-19, the current methods aren’t ideal. And unfortunately, when margins are so tight, free options look attractive and will remain attractive, even though some providers are doing the wrong thing with their customers’ data. Australians are generally willing to comply because we understand the importance of contact tracing to protect our communities and the economy, but for how long if these practices are not tightened up? Current execution is not great. Perhaps the government can work toward or subsidise a solution, or a reputable brand can look to run a platform that is genuinely, and not at the expense of privacy, run for free. There is an enormous opportunity here to step up and create a secure and ethical capability for venue attendance tracing – if it’s not happening already, it needs to be on the menu.
This year we have examined the behaviours of the top 100 brands in Australia where they operate using ‘consent’ as the basis for processing personal information. We have then compared this behaviour against what 1000 Australian consumers told us constitutes meaningful consent to them. Find out more by downloading the full report or get in touch.