Women are reporting troubling stories of texts from strangers who used their test and trace details

Libby Watt was enjoying a lazy Saturday morning in front of the TV when a buzz on her phone alerted her to a message.

Not giving the unfamiliar number a second thought, she opened it. But the content was more than surprising, given she is happily living with her long-term partner. It went something like this: ‘It was really nice meeting you last night, do you fancy going out for a drink or something? You were really good fun.’

Libby, a 29-year-old copywriter, had been out for a few drinks with a female friend the night before, but she had no trouble remembering the events of her Friday evening, which definitely hadn’t involved giving her phone number to any would-be suitors.

Libby Watt, a 29-year-old copywriter, (pictured) had been out for a few drinks with a female friend the night before in Winchester when she received a text from a bartender who had got hold of her phone number from track and trace

‘I thought somebody had given someone a wrong number on purpose or something, and it just happened to be mine,’ says Libby. ‘So I politely told the sender they had the wrong number.’ When the sender insisted that, to the contrary, he knew her name and what she had been wearing the previous evening, Libby was more than a little unnerved.

But after speaking to her friend it dawned on her what had happened: it was the man who had served them their drinks at a small bar in her home city of Winchester.

The only explanation was that he had taken her number because she had been required to write it down, along with her name, as part of the NHS Test and Trace drive to try to curtail Covid-19.

Because, as anyone who has ventured out in the weeks since restaurants and bars were allowed to reopen knows, handing over your name and number on a night out is part and parcel of the new normal. And it’s not just hospitality. 

Any venue in the tourism and leisure industry, or close contact services such as hairdressers or barbers are all required to gather and store this information. All business owners and event organisers are supposed to ensure there is a system to record personal data. 

That way, if someone tests positive for Covid, everyone who may have come into proximity with them can be contacted quickly in the hope of preventing a localised outbreak.

Dancer and personal trainer Lucy Dixon, 32, (pictured) provided her details on a night out with friends by scanning a QR code — not the Government’s newly- launched system, but the bar’s own electronic data collection. She was soon contacted by a male member of staff who used the data the system had collected about her

Dancer and personal trainer Lucy Dixon, 32, (pictured) provided her details on a night out with friends by scanning a QR code — not the Government’s newly- launched system, but the bar’s own electronic data collection. She was soon contacted by a male member of staff who used the data the system had collected about her

Venues are only supposed to share the information with Test and Trace teams and, according to guidelines, data is supposed to be stored safely, then destroyed after 21 days.

Which is all well and good in theory. But in reality, it’s a system ripe for exploitation.

What happens when a member of staff decides to use the data to make unsolicited contact with a customer?

There are widespread fears among data security experts and privacy campaigners that the national effort to try to stop the spread of coronavirus could open up the prospect of an additional penalty: potential harassment.

While nobody doubts the importance of being able to contain cases, is there potential for Test and Trace to become a stalker’s charter?

The Information Commissioner’s Office has made plain that, ‘You cannot use the personal information that you collect for contact tracing for other purposes’.

Yet social media is buzzing with customers who have received unsolicited messages after handing over their contact details in good faith.

Venues are only supposed to share the information with Test and Trace teams and, according to guidelines, data is supposed to be stored safely, then destroyed after 21 days but it is still ripe for exploitation. Picture: Stock

Venues are only supposed to share the information with Test and Trace teams and, according to guidelines, data is supposed to be stored safely, then destroyed after 21 days but it is still ripe for exploitation. Picture: Stock

An ITN editor wrote on Twitter about the restaurant manager who got in contact after a meal out, texting: ‘The Government has fully endorsed you as a potential match for me so next step is to arrange a drink, NHS Test and Trace.’

Even consumer champion Martin Lewis, founder of MoneySavingExpert, has recounted his experience of receiving a marketing message from his barber after giving his number.

Libby is still unnerved by her experience in mid-August. ‘I’d been out a few times since lockdown and I didn’t think much of it when the bartender took our details,’ she says.

I felt violated for following Government guidelines – Libby Watt

‘We joked about my surname, chatted about the nice weather (we’re British after all), which beers were on draught and the normal chatter you have with upbeat bar staff. That was it.

‘He walked past a couple of times during the evening, smiling and being polite and when he served us later he cheekily gave us an extra drink on the house “for making his shift brighter” — we didn’t think much of it, neither of us felt it was particularly flirtatious.’

The bartender, however, clearly felt otherwise. At first, Libby thought his overtures were inappropriate, but just the banter of someone ‘a bit young’ who perhaps didn’t understand the importance of data protection. 

‘I told him I was very flattered but that I have a partner.’ But the sender wouldn’t take no for an answer and was persistent enough to keep sending messages over the course of the following two weeks. ‘It was things like, “Why won’t you go on a date with me? Just try me, we had a really good connection…”

Libby (pictured) said she is still unnerved by her experience in mid-August. She did not believe her interactions with the bartender were flirtatious but it was clear he had interpreted it differently

Libby (pictured) said she is still unnerved by her experience in mid-August. She did not believe her interactions with the bartender were flirtatious but it was clear he had interpreted it differently

It started to feel like harassment, but I didn’t say that, I was just firm and polite, because I didn’t know him or how he would react.’

Libby finally told him: ‘Please can you stop messaging me’. But he continued until she blocked his number.

After the first couple of messages, Libby says she emailed the venue, but had no reply. She then followed up with a message via social media, to which she was told someone would ‘review’ her complaint. She is still waiting.

I got jumpy when people knocked on my door 

A bright, confident, gregarious young woman, Libby is not going to stop going out, but having suffered the intrusion of a stalker while at university, she says she feels deeply unsettled. ‘It brings back memories of feeling quite violated, feeling exposed,’ she says.

‘For a while I got really jumpy when people were knocking on my door, which I know is because of my prior issues. But what if this happens to someone who is younger, more naïve, more vulnerable than me?

‘I felt violated for having followed Government guidelines then being harassed.

‘Now I refuse to give my number and shy away from anywhere which doesn’t take QR codes (a code a customer can scan on their phone) or something easier via an app. I turn around on my heels at paper test and trace now.’

Unfortunately, it would seem there can be problems with digital records, too.

Dancer and personal trainer Lucy Dixon, 32, provided her details on a night out with friends by scanning a QR code — not the Government’s newly- launched system, but the bar’s own electronic data collection.

When the bartender had messaged her a few times she decided to contact the venue but did not receive a reply. When Libby (pictured) followed up via social media she was told they would 'review' her complaint

When the bartender had messaged her a few times she decided to contact the venue but did not receive a reply. When Libby (pictured) followed up via social media she was told they would ‘review’ her complaint

The next day she received text messages from a man who said his name was Tom and that he had been working in the bar. ‘Hey gorgeous, hope you’re well?’ he said, before adding it had been fun seeing her. She replied, ‘who is this?’ to which he said: ‘Tom.’ She responded: ‘I actually don’t know who you are.’

Sending a selfie, the man then admitted he was ‘working the night you came in’. ‘How did you get my number?’ wrote Lucy, who was on her way home to Leamington Spa with a friend after a work visit to the North West. ‘Off Insta. Hope that’s ok?’ came the reply.

Lucy says: ‘That’s when the penny dropped and my friend said “he’s got your number from test and trace”.’ Tom’s response when quizzed was non-committal, but damning: ‘Maybe’ and a gritted teeth emoji.

When Lucy told him ‘you know that’s against the law’, he apologised and that was that. Lucy remains baffled. She says: ‘I was out with three work friends. We’d gone out for a lunch then continued for drinks. We were served by a female all night and didn’t come into contact with any males.

‘We walked in, were taken to our table by a female, who explained in order to be there and to order drinks we had to scan the QR code, provide our details and order our drinks by the same app — and that’s what we did, or I did, for all of us. I don’t remember any of us even speaking to any men.’

After scanning a QR code which took her details, Lucy (pictured) was contacted by a man named Tom who said he was working in the club she had been in the night before

After scanning a QR code which took her details, Lucy (pictured) was contacted by a man named Tom who said he was working in the club she had been in the night before

Lucy is matter-of-fact about the experience and keen to stress that Tom probably just made a mistake out of ignorance.

‘But the fact people can get your number so easily now has made me think twice about providing my details when out,’ she says.

‘Since I posted on social media about it, the amount of people I’ve heard say they give false details when they go out, to protect against this happening.

‘But how can that be right? It goes against what the Government is trying to do. If you give false information and someone you were near gets Covid, what happens then?’

 My friend said he’s got your number from Test and Trace – Lucy Dixon

Her experience remains something of a mystery because, when Lucy contacted the bar, it denied ‘Tom’ had been working at the venue. Already, however, there are incidents where employers have been forced to take action.

Only last month, a tour bus worker was sacked after using the details provided by a female passenger on her test and trace form to make contact. Kat Kingsley, 25, went on the Original Tour bus in Windsor last month.

Three days later, she received text messages from the man that said she had been ‘living in his head’ and admitted ‘knowing all the risk involved in using data that’s not supposed to be for me’.

‘He didn’t resign, he went through the disciplinary process and I think he expected to keep his job, but I got a call yesterday to say he had been fired,’ she told the BBC. ‘I think it should teach him a lesson and hopefully deter anyone else who was considering breaching data [protection].’

Confused as to how the male member of staff would have managed to get his hands on her phone number, Lucy's friend suddenly realised he must have accessed it via the QR scan data. Pictured, Lucy Nixon on her Instagram

Confused as to how the male member of staff would have managed to get his hands on her phone number, Lucy’s friend suddenly realised he must have accessed it via the QR scan data. Pictured, Lucy Nixon on her Instagram

Such breaches of GDPR (General Data Protection Regulation, to give it its full name, are not, of course, uncommon. In recent years, the circumstances in which we all hand over our mobile numbers, email addresses and names to all manner of organisations — from the supermarket when placing an order for delivery, to the local takeaway — have grown exponentially.

There has been a string of incidents in which delivery drivers have been called out, disciplined or sacked for making unsolicited — and sometimes downright creepy — contact with customers who have caught their eye.

Collecting contact details and maintaining records for NHS Test and Trace is a legal requirement and failure to comply is punishable by a fine — from £1,000 for the first offence, up to £4,000.

But as Jo O’Reilly, Data Privacy Advocate at ProPrivacy, points out, how equipped are the vast majority of small, independent venues to deal with the complexities of data protection?

‘With old-school pen and paper to take down details, you can absolutely see why this is happening,’ says Jo. ‘Staff with access to customer information need to understand there will be consequences. There should be one person on staff who is responsible for that data and it shouldn’t be transient staff with no training in looking after data.

Collecting contact details and maintaining records for NHS Test and Trace is a legal requirement and failure to comply is punishable by a fine — from £1,000 for the first offence, up to £4,000 - but has lead to some odd messages from strangers taking advantage of the data collection

Collecting contact details and maintaining records for NHS Test and Trace is a legal requirement and failure to comply is punishable by a fine — from £1,000 for the first offence, up to £4,000 – but has lead to some odd messages from strangers taking advantage of the data collection

‘If customers are being asked to write down their details, each person should be given a single piece of paper, that means no log books left on the bar filled with people’s names and numbers.

‘Any app must be secure. Misusing that data is an abuse of customer trust and a breach of data protection laws that could see the business owners liable for a fine.’

Silkie Carlo, director of privacy campaign group Big Brother Watch, says: ‘We have already had to act in one case where a young woman received an unsolicited message from a barman after giving her details for tracing.

‘The whole system has been really, really badly done and there has been no advice to bars and restaurants about how to look after data, so it’s easy to see how this can become a free-for-all.’

Two weeks ago, the Government’s long-awaited coronavirus tracing app finally launched, and venues are legally required to display the QR code for customers to use.

It does, however, require customers to have both a phone and the app. And even it has met with concern. Only last week Big Brother Watch, with privacy organisation Open Rights Group, demanded the Government clarify how people’s private data will be kept safe and secure under the new regulations.

With Covid extending its grip again, an efficient test and trace system would appear to be vital.

But as more and more organisations call upon our names and telephone numbers before providing services, we can only hope that our personal details are safe.