Data Protection Implications for Contact Tracing Records
At the beginning of this month several sectors were amongst the latest to receive Government permission to start to re-open their doors and get back to business.
However, as part of the easing of social and economic lockdown measures, there is a range of requirements being placed on organisations to help reduce the threat of the spread of Coronavirus and support the NHS Test and Trace initiative.
These measures include practical steps to minimise transmission, such as creating a safe and hygienic working environment and following social distancing guidelines. But companies are also being asked to assist by keeping temporary records of customers and visitors for 21 days. Although unquestionably an important necessity, this has implications not only for customer service protocols and systems, but also for data protection and compliance.
The understandable aim of this measure is that the information obtained, which includes records of staff, customers and visitors, could be used to help control an outbreak of COVID-19 by identifying those who may have come into contact with the virus. But concerns have been raised about the rate of compliance amongst businesses and their customers when it is voluntary to share your details – and also the use of this information, even though it should be maintained and handled in accordance with General Data Protection Regulation (GDPR).
These requirements are also focussed predominantly where there is seen to be a higher risk of transmitting the virus, where people are potentially spending longer periods in closer contact with those outside of their household. However, the measures don’t apply, for example, to takeaway businesses – only where customers or visitors are staying and using services on the premises.
Organisations within the following sectors, whether indoor, outdoor or mobile venues, are therefore being asked to maintain records:
- Hospitality (including pubs, bars, restaurants and cafes);
- Tourism and leisure (including hotels, museums, cinemas, zoos and theme parks);
- Close contact services (including hairdressers, barbershops and tailors);
- Local authority services (including town halls, civic and community centres, libraries and children’s centres);
- Places of worship.
The Information Required
The Government’s guidance for these organisations includes:
- What data to record – including the names of staff, customers and visitors; contact numbers and the arrival and departure times of their visit and interaction with members of staff.
- The data can be taken in advance through normal booking procedures, or at the point of the visitor’s arrival. Digital records are preferred, but paper records are also acceptable.
- Organisations are asked to encourage visitors to share their information for the benefit of NHS Test and Trace. However, people can opt out and, if they do, their information should not be shared. The accuracy of any information provided will be the responsibility of the customer who provides it, with companies not having to verify identity for the purpose of these records.
- Records should be held for 21 days, reflecting the incubation period of Coronavirus, which can be up to 14 days and then allowing an extra week for testing and tracing. Organisations should then delete and dispose of this information in a secure way after the 21 days. However, records which are made and kept for other business purposes do not need to be discarded after 21 days – but all data collection must comply with GDPR.
- Being open with visitors is also deemed important and, although establishments will not need to seek consent from each person to share their information with NHS Test and Trace, the guidance requests that it is made clear why the information is being collected and what will happen with it. This could be done on an individual basis, but this is not necessary – a display notice at the venue or on an organisation’s website is allowed. Consideration should also be given to how those with visual impairment or who can’t read English can access the information.
Test and Trace Guidance
In the guidelines the Government states that, “NHS Test and Trace will handle all data according to the highest ethical and security standards and ensure it is used only for the purposes of protecting public health, including minimising the transmission of COVID-19.” However, although the majority of the public may well be happy to do their bit in overcoming this pandemic and comply with providing their information – it remains important to know that individuals are able to exercise their data protection rights. This includes the right to erasure and the right to rectification.
Personal data which is collected for NHS Test and Trace, and not through the normal course of the business, must only be used to share with the initiative. To prevent a breach of GDPR, this data should not be used for any other purpose such as marketing, profiling or analysing. Organisations are also requested to consider the safety and storage of this data depending on whether it is kept electronically or in hard copy.
As well as the guidance produced by the Department of Health and Social Care, the Information Commissioner’s Office (ICO), who regulate data protection, have also provided some helpful guidance in relation to this area.
If you have any questions regarding contact tracing and your data protection obligations, or the processing of data within your business, please do not hesitate to contact our Business and Commercial team on 01603 620508.
This article was produced on the 23rd July 2020 by our Business & Commercial team for information purposes only and should not be construed or relied upon as specific legal advice.