COVID-19 has seen unprecedented change across all sectors in which everyone has had to adapt and change at a speed.

The government has provided guidance in relation to contact tracing in which they state that organisations in certain sectors should collect details and maintain details of staff, customers and visitors on their premises. Test and Trace is run by the NHS and is a key part of the country’s ongoing COVID-19 response. NHS Test and Trace includes contact tracing staff working to contact everyone that has been potentially exposed to COVID-19 which will assist in eliminating the spread and controlling COVID-19. This scheme is entirely voluntary and the accuracy of the information provided is solely the responsibility of the individual who provides that data. There is no requirement for business to verify an individual’s identity for NHS Test and Trace purposes.

Therefore you may be faced with the situation of collecting personal data, but ensuring you handle it lawfully.

The Information Commissioner’s office, the regulator for data protection, has issued some guidance to organisations regarding protecting customer and visitor details. This can be summarised as follows:

  • Ask for only what’s needed.
  • Be transparent with customers.
  • Carefully store the data.
  • Don’t use it for other purposes.
  • Erase it in line with government guidance.

There are some important key points to be aware of above. In particular, it may be tempting to include individuals personal data on any marketing and mailing lists. However, it is clear that this personal information cannot be used for his purpose where the collection of the data is as a result of contact tracing in line with government guidance.

Although the retention of data for the purpose of track and trace cannot be retained for marketing purposes, you may wish to consider whether you ask express permission for this ability and ensure it is separate and not a requirement of individuals providing their details for the purposes of track and trace. You will need to consider your privacy policy and have clear processes to ensure personal data is collected lawfully.

Another important point is that of retention. The government guidelines currently specify that personal details should be kept for 21 days, which reflects the incubation period for COVID-19 and an additional 7 days. The personal data that is collected for the purpose of contact tracing must be deleted after this time. Please note that records which are made and kept for other business purposes do not need to be disposed of, and this only relates to that of contact tracing.

Now may be the time to look at your organisations privacy policy and also ensure that customers are aware of the collection of their personal data in line with an organisation following government guidance in relation to contact tracing. With the rapid changes we have experienced recently the law in a variety of areas has changed or been relaxed. In some areas it could be said the law conflicts on certain topics. Sadly it is your burden to reconcile how it impacts all your organisation and steer a lawful course through it all!

If you have any questions or are not sure about your requirements of data protection, Covid-19 or any other regulatory matter, then please contact the regulatory team at Woods Whur and we would be happy to discuss the guidelines with you in accordance with GDPR and your wider obligations. If you would like to contact us, please email james@woodswhur.co.uk or sfrow@woodswhur.co.uk or call us on 0113 234 3055.