COVID-19 has seen unprecedented change across all sectors in which everyone has had to adapt and change at a speed.
The government has provided guidance in relation to contact tracing in which they state that organisations in certain sectors should collect details and maintain details of staff, customers and visitors on their premises. Test and Trace is run by the NHS and is a key part of the country’s ongoing COVID-19 response. NHS Test and Trace includes contact tracing staff working to contact everyone that has been potentially exposed to COVID-19 which will assist in eliminating the spread and controlling COVID-19. This scheme is entirely voluntary and the accuracy of the information provided is solely the responsibility of the individual who provides that data. There is no requirement for business to verify an individual’s identity for NHS Test and Trace purposes.
Therefore you may be faced with the situation of collecting personal data, but ensuring you handle it lawfully.
The Information Commissioner’s office, the regulator for data protection, has issued some guidance to organisations regarding protecting customer and visitor details. This can be summarised as follows:
- Ask for only what’s needed.
- Be transparent with customers.
- Carefully store the data.
- Don’t use it for other purposes.
- Erase it in line with government guidance.
There are some important key points to be aware of above. In particular, it may be tempting to include individuals personal data on any marketing and mailing lists. However, it is clear that this personal information cannot be used for his purpose where the collection of the data is as a result of contact tracing in line with government guidance.
Another important point is that of retention. The government guidelines currently specify that personal details should be kept for 21 days, which reflects the incubation period for COVID-19 and an additional 7 days. The personal data that is collected for the purpose of contact tracing must be deleted after this time. Please note that records which are made and kept for other business purposes do not need to be disposed of, and this only relates to that of contact tracing.
If you have any questions or are not sure about your requirements of data protection, Covid-19 or any other regulatory matter, then please contact the regulatory team at Woods Whur and we would be happy to discuss the guidelines with you in accordance with GDPR and your wider obligations. If you would like to contact us, please email firstname.lastname@example.org or email@example.com or call us on 0113 234 3055.