Experts have warned of a “privacy crisis” in the United Kingdom as contact tracing data collected in pubs and restaurants is reportedly being sold on to third parties for advertising and other purposes.

Data collected for tracking the China virus is mandated by the government to be held by businesses for only 21 days and not be used “for any purposes other than for NHS Test and Trace”. However, some contractors are using QR codes to pilfer names, addresses, email information, and phone numbers — which they, in turn, sell to advertising and credit card companies, as well as insurance brokers.

Speaking to The Times, the director of software development company Level 5, Gaurav Malhotra said: “If you’re suddenly getting loads of texts, your data has probably been sold on from track-and-trace systems.”

One company supplying the hospitality industry with a QR code-based tracking system is Pub Track and Trace (PUBTT), which states in its privacy policy that by using the system users agree for the company to “make suggestions and recommendations to you about goods or services that may be of interest to you” as well as sharing data with “service providers or regulatory bodies providing fraud prevention services or credit/background checks.”

PUBTT, which works with pubs in England and Wales, also said in its user agreement that it is allowed to “collect, use, store and transfer” data pertaining to people entering certain areas through the use of “time, ID number, and CCTV images”.

A spokesman for the company said: “The data we collect is only for use of the Test and Trace service or where a user has agreed for the venue to use their information for marketing purposes.”

A company that provides track and trace services for restaurants, Ordamo, said that the data it collects is “retained for 25 years”.

The head of privacy at the Fieldfisher law firm, Hazel Grant, said that keeping users data for such a long time period would be “very difficult to justify”.

On September 24th the government mandated that some businesses display an official NHS QR code for the government’s official coronavirus tracking app, however, other businesses such as pubs, restaurants, museums, gyms, and hair salons are still required to record their own customer data.

Following the passage of the requirements, the Executive Director of Open Rights Group, Jim Killock, said: “This Government’s failure to conduct the legally required data safety assessment means that no-one knows how people’s details will be safely and legally collected, stored and protected by bars, restaurants, and coffee shops.

“No-one knows what will happen if things go wrong and this Government doesn’t seem to have thought this through,” he added.

“This Government has had 6 months to fix the test and trace programme and on the eve of the launch of this app one thing is for certain; this Government is flying by the seat of its pants,” Killock concluded.

Follow Kurt Zindulka on Twitter here: @KurtZindulka