It’s Super Saturday, the pubs are open and it’s a privacy nightmare

Getty Images / WIRED

Pubs are back! But they’re also not. From 6am today thousands of pubs, bars and restaurants in England can reopen their doors for the first time since the lockdown forced them to close in March. But if you are heading out, don’t expect a return to normality.
To start serving punters again pubs have put in place a raft of new rules and measures. The starkest changes include reducing the number of people allowed inside to ensure social distancing, table service instead of bar service, plastic screens and staggering entrance times. And these measures will vary pub by pub. Some pubs may only allow bookings while others are planning on a one-in-one-out queuing system.


Underpinning all these changes is the extra burden placed on businesses which have to spend time and money on putting these systems in place. But there’s one government request to pubs that carries risks to customer’s privacy and poses a data-heavy bureaucratic problem for landlords. They’ve been asked to record customer details that can be used as part of the NHS Test and Trace scheme, which can be used to identify people in the result of an outbreak.
The idea is simple but the execution is tough. The government says pubs, restaurants and cafes – as well as hotels, museums, cinemas, zoos and hairdressers when they reopen – should collect information about every single person who has visited.
This includes names, contact numbers, date of the visit and arrival and departure times and in the cases of businesses where customers only interact with one staff member. A group can provide just one phone number instead of contact details for everyone. However, when combined this data can give a sense of who individuals interact with, where and for how long. The data should be stored for 21 days and provided to the NHS if it is required.
The scheme is voluntary: neither businesses nor customers are required to collect or provide this information by law. But there’s plenty of potential for things to go wrong. The data protection regulator the Information Commissioner’s Office has issued some guidance on how businesses should collect information but general advice is relatively sparse.


“Based on my experience I suspect a lot of people will over-interpret and collect too much because they’re scared of not doing enough,” says Rowenna Fielding, head of individual rights and ethics at data protection consultancy Protecture.
Pubs should keep it very simple. The information they collect should only be gathered to help Track and Trace and not used for anything else, Fielding says. If it is, there may be GDPR ramifications. Data shouldn’t be added into marketing databases, incentives to hand over data shouldn’t exist and people shouldn’t be signed up for loyalty schemes. Using Track and Trace as a way to harvest information for other uses is a red flag.
But, as the scheme isn’t mandatory, people will inevitably use false names or refuse to provide pubs and other businesses with their contact details “You could call yourself Eleanor Roosevelt as long as you gave an accurate mobile number,” Fielding says. “When the NHS Track and Trace people phone up, you can tell them your real name and where you live and who you’ve talked to and all that because the NHS Track and Trace people are much safer to give that info to.”
Nevertheless, there are risks to handing out your phone number. “Your mobile number is a key identifier for you,” Fielding says. “With a phone number, you can search social media for that person’s accounts. You can upload the information to advertising micro-targeting tools. And you can harass people: stalk them, commit fraud or identity theft, spam them.”


The risks are not hypothetical. In New Zealand, which had a similar system of businesses collecting customer details, one Subway customer was harassed after handing over her personal details. It was reported a customer identified as Jess received an email, text, and Facebook and Instagram requests from a man who had served her. “I felt pretty gross, he made me feel really uncomfortable,” she said. “He’s contacting me, I didn’t ask him to do that, I don’t want that.”
Despite pubs being allowed to reopen, the threat of the pandemic is still very real. In England, Leicester has moved into local lockdown. It is unlikely to be the last area to face such measures. But, despite the financial implications, some pubs have decided not to reopen.
Pubs and restaurants have been some of the last businesses to reopen in England because they carry greater risks of coronavirus transmission. It’s for this reason that extra measures are being introduced to help with tracking down patrons.
People spend extended periods in pubs and restaurants and are in close contact with those around them, noisy atmospheres where shouting is common could also result in the virus spreading more easily. One pre-print scientific study, which has yet to be peer-reviewed, shows the risks of entertainment venues. In one super spreading incident in Japan, a cluster of 106 Covid-19 cases came from a small collection of bars and the musicians performing in them.
“Of the 73 primary bar cases, 39 customers, 20 staff, and 14 musicians were infected,” the researchers found, adding that a further 33 people were then infected by people those that had been in the bars passing coronavirus onto other people they interacted with. “Targeted interventions should therefore focus on reducing extreme numbers of social contacts at high-risk venues such as bars, nightclubs and restaurants,” the paper’s authors add.
Pubs in England are taking varied approaches to collecting people’s information. J.D. Wetherspoon, the largest chain in the country, says that customers will be asked to fill out a short form every time they visit, which will contain a name, telephone number and arrival and departure times. They will be asked to leave it in a box as they leave. The Mitchells & Butlers group, which owns brand such as Toby Carvery, Harvester, O’Neill’s and All Bar One, says one member of groups that visit will be asked to provide a contact number and email address, plus the time of arrival, date and the name of the business. “We will not be taking home addresses,” a spokesperson says.
It’s unclear how effective the overall system will be as the government has not made it compulsory, either for individuals or businesses. “If visitors are not legally required to give their contact details or even genuine contact details, this may of course undermine NHS Track & Trace efforts,” says Hazel Grant, the head of the privacy, security and information group at law firm Fieldfisher. “But clearly the UK government doesn’t wish to go that far. It remains to be seen how effective these ‘voluntary’ measures on the part of both businesses and their visitors will be.”
But collecting customer information won’t be new for many pubs and restaurants. “It is not unusual for small businesses like pubs, restaurants and the hospitality industry generally, to use different media for collecting data,” says Vinod Bange, head of data practice at international law firm Taylor Wessing. “Some will use a system or app to collect the data and often to manage the data too. Others rely on an old fashioned booking diary.”
Bange adds that there will be risks for pubs and other businesses whether they adopt a low-tech paper approach, such as that of Wetherspoons, or use an app to collect data. The government’s guidelines for pubs to collect this sort of information has been picked up on by startups, who have developed tools to help businesses gather this information. DUSK, which describes itself as the UK’s largest “nightlife app,” has launched a system that lets people enter their contact details by signing in to a venue when they arrive.
But businesses quickly adopting new technology may present more risks than low-tech approaches. The government guidance on collecting information for contact tracing has only been available for a couple of weeks and this doesn’t allow much time for data protection issues of new technology be considered. “Systems-based data collection would attract more risk because more data could be collected and a broader use of that data is possible as it is digitised,” Bange says.
People going to pubs should be conscious of the information they give establishments. Providing enough information to be contacted in the future should be appropriate to help NHS Test and Trace if required. Pubs shouldn’t say it is a legal requirement for customers to provide their contact details or demand that this happens. If a pub uses CCTV it should have notices informing customers of their rights and the purposes of the cameras and if it has a Wi-Fi network for customers this shouldn’t automatically sign people up for marketing emails.
If you’re unsure of how information is being handled, ask the pub. “Ask questions about how is it going to be stored? What are you going to do with it? How are you going to delete it?” Fielding says. “And if those questions aren’t or can’t be answered, then maybe you’re better off having a drink somewhere else.”
Matt Burgess is WIRED’s deputy digital editor. He tweets from @mattburgess1
More great stories from WIRED
☢️ Nine years on, Fukushima’s mental health fallout lingers
🦆 Google got rich from your data. DuckDuckGo is fighting back


😷 Which face mask should you buy?
👉 Follow WIRED on Twitter, Instagram, Facebook and LinkedIn

Get The Email from WIRED, your no-nonsense briefing on all the biggest stories in technology, business and science. In your inbox every weekday at 12pm sharp.

by entering your email address, you agree to our privacy policy

Thank You. You have successfully subscribed to our newsletter. You will hear from us shortly.
Sorry, you have entered an invalid email. Please refresh and try again.

Like this article?

Share on Facebook
Share on Twitter
Share on Linkdin
Share on Pinterest

Leave a comment

Why You Need A Website