Privacy by Pandemic
Bizarrely stretched weeks and months have passed since the onset of the COVID-19 pandemic, giving a weird timeless feeling to most of 2020 and 2021 to date.
Months and seasons have blurred together more than ever and we’ve all made a joke about it being March 373rd, 2020. But still, a handful of specific dates stand out to me more than others.
On March 10th 2020 the first case was confirmed here in Jersey - just a day before the World Health Organisation declared COVID-19 to be a ‘pandemic’ according to their definitions - and a little over two weeks later, on the 29th of March 2020, a lock-down was brought into effect.
As time passed and we began our first pass through the ‘safe exit’ framework, cafes and restaurants began to open - and the requirements for the collection of contact details of visitors to business premises were brought in. Having read about these requirements - and the operation of Contact Tracing teams - in other jurisdictions, the notion that a digital solution could do this task and present significant benefits had already taken root in my mind.
I asked a few questions of contacts and colleagues in various places and saw a couple of examples of ways this was being undertaken, but took no real action as frankly, running my business with everyone at home for several weeks was hard and exhausting.
Then near the end of June, I went for a coffee with my family - a little treat as it was a sunny day and now places had been open for a while it felt safe - and I was thinking that they’d have their procedures well in place and tried and tested by now. The reality was somewhat different, as we turned up to find someone had haphazardly stuck a table by the door with a bottle of hand sanitizer on it, alongside a clipboard and biro asking us to add our names and contact numbers on the way in. I glanced down the list of about a dozen people’s contact information, cleaned my hands and in we went.
I stewed for a bit afterwards. “Really? I mean - really? Is the best we can do a <censored> clipboard and a biro?”. I’ve always been told that a good starting point for Data Protection is to ask if you’d be happy if your information was being treated the way you’re planning to treat someone else's. And I was not happy.
The next week shot past. On the 1st of July 2020 I called the Jersey Office of the Information Commissioner. Not to complain, but to ask questions. If I’m honest with you (and this seems odd to write here) I doubted I’d get any helpful answers - having dealt with the UK equivalent some years ago and found the interaction thoroughly frustrating. I was, however, very wrong. I did get helpful answers - and some recommendations and advice as well. This was critical.
This one positive conversation with a member of the JOIC [casework team] was enough to make up my mind - we were going to fix this track and trace problem. The next day I reached out to Digital Jersey to ask a couple more questions, then we got out the tools and started prototyping.
5 days later, we launched Trax.je in association with The Forum pub on Grenville Street. It was a little rough and ready (our app, the MVP - Minimum Viable Product - not the pub, which is lovely), but it worked and we got some great feedback allowing us to make some tweaks and go ahead with a full launch shortly after.
The ‘QR Code’, invented in 1994, often seen in bits of ‘adventurous’ marketing and never really understood or loved by the general public (lots of cool uses in manufacturing, stock control and other applications though) - shot to fame faster than a Simon Cowell boy band in the 1990s. Local venues adopted our solution and we were delighted. There was no excuse to leave lists of people’s details lying around!
Then mid-August we had our second interaction with the JOIC - I felt a little dread at opening this as it looked very official - and I felt that this could go one of two ways. Either we’d gotten it wrong and were in trouble, or we’d gotten it wrong and were about to be in trouble. And we’d been so careful.
I was wrong again. A member of the JOIC team who had used Trax to check in had proactively sent us some comments and recommendations on how we could improve the wording of our policies (and our stance) with regard to privacy and data protection.
This was very well received and much appreciated (as was the manner in which it was delivered) - and really helped us to cement what we were trying to do - prevent local businesses from causing themselves problems by mishandling personal information. While we couldn’t take away their responsibility and liabilities, we could provide them with tools to help them mitigate the risks (I’d also be remiss not to publicly thank a local data protection business at this point, as they also helped us enormously in doing our best to ‘get it right’ out of the gate).
Our Trax platform is now in active use in over 400 venues, processing approximately 5000 check-ins per day on average. There are two white-labelled installations out there - and we are looking firmly to the future, as the challenge of capturing visitor information neither began with nor ends with COVID-19.
But we would never have embarked on the journey without the initial advice and assistance of the JOIC - rather than a stern authority figure waiting to swoop on the first mistake, they’ve been there in the background as a vigilant, but supportive observer - always happy to help us get it right and do the best we can.
And after all, if it was your information - that’s what you’d want.
Matt Chatterley, Owner of Codentia Ltd (code.je), has been working in technology for 20 years across industries including hospitality, telecoms and price comparison.
Codentia specialise in helping businesses realise their ideas for mass market products and are most recently known for building https://get.trax.je/ during the COVID-19 pandemic.
“The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official position of the Jersey Data Protection Authority (including the Jersey Office of the Information Commissioner) (the "Authority"). The Authority is not responsible for the accuracy of any of the information supplied by the guest writer/bloggers and the Authority accepts no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.”