ICO logoThe Information Commissioner’s Office (ICO) has today reported it has fined a Hertfordshire company for sending direct marketing emails to people who provided their personal data for contact tracing purposes as part of the response to the coronavirus pandemic.

St Albans-based Tested.me Ltd (TML) provides digital contact tracing services which work by offering people a QR code to scan when arriving at their destination.

TML sent nearly 84,000 nuisance emails at the height of the Covid-19 pandemic between September and November last year, when businesses were using private QR code providers to collect personal data to comply with government contact tracing rules.

The ICO fined TML £8,000 for using personal data for marketing purposes without adequate valid consent, contrary to law.

The ICO has created guidelines for businesses to follow as the UK economy continues to open up. Providers should:

  • Adopt a data protection by design approach (DPBD) from the start when they develop new products;
  • Make privacy policies clear and simple so that people understand how their information will be handled;
  • Not keep any personal data they have collected for more than 21 days – in line with regulations brought in last year for the collection of information for contact tracing;
  • Not use the personal data for marketing or any other purpose;
  • Keep up to date with the ICO’s online guidance.