Data Protection Guidance for Test and Trace Schemes

[Photo: a shop window sign stating that the shop is closed due to COVID-19. Photo by Erik Mclean.]

Since the easing of lockdown during the summer of 2020, many organisations have implemented new measures so that they can re-open safely to the public. For many businesses this has included collecting customers’ and visitors’ personal information to support the UK Government’s contact tracing scheme, NHS Test and Trace.

Government guidance states that “Designated venues in certain sectors must have a system in place to request and record contact details of their customers, visitors and staff to help break the chains of transmission of coronavirus.” However, in July 2020 the Government admitted that the NHS Test and Trace scheme had been launched without a full Data Protection Impact Assessment, in breach of the GDPR requirement to complete one before high-risk processing begins.

What is a Data Protection Impact Assessment (DPIA)?

A DPIA is an exercise designed to identify the risks that a particular processing activity poses to individuals’ rights and freedoms. Under Article 35 of the GDPR, a DPIA must be carried out before processing begins where that processing is likely to result in a high risk to individuals. A DPIA must include, at a minimum:

  • A description of the nature, scope, context, and purposes of the processing.
  • An assessment of the necessity and proportionality of the processing, and the compliance measures in place.
  • The risks identified and their likely impact on individuals.
  • The measures that will be taken to mitigate those risks.

The consequences of launching without a DPIA are already being felt. There is growing concern over alleged sharing of contact tracing details via WhatsApp, Facebook, and other social media platforms; the information allegedly shared includes names, NHS numbers and contact details. Since July there has been very little public information about what has changed to address the missing DPIA. What we do know is that lessons appear to have been learnt: the NHS has since produced a draft DPIA for the ‘early adopter trial’ of its new NHS COVID-19 App, prepared under guidance from the Information Commissioner’s Office (ICO).

For all other businesses wishing to stay open and remain compliant with the GDPR, below are five simple steps, in line with the ICO’s guidance, to help ensure that data protection is upheld:

1. Ask for only what is needed.

You should only ask people for the specific information set out in government guidance. For example, this may include their name, contact details, and time of arrival.

You should not ask people to prove their details with identity verification, unless this is already standard practice for your business, e.g. ID checks for age verification in pubs.

2. Be transparent with customers.

You should be clear, open and honest with people about what you are doing with their personal information. Tell them why you need it and what you will do with it. You could do this by displaying a privacy notice on your premises, including it on your website, or simply telling people when you collect their details.

If you already collect customer data for bookings, you should make it clear that their personal data may also be used for contact tracing purposes.

3. Carefully store the data.

You must look after the personal data you collect. If you are collecting records digitally, that means keeping them secure on a device that is protected by a password or PIN and accessible only to the staff who need them. For paper records, it means keeping the information locked away and out of public sight: do not leave a sign-in sheet on the counter where later customers can read the details of earlier ones.

4. Do not use it for other purposes.

You must not use the personal information you collect for contact tracing for any other purpose, such as direct marketing, profiling, or data analytics. It was collected for one stated purpose, and re-using it for anything else would breach the GDPR’s purpose limitation principle.

5. Erase it in line with government guidance.

You should not keep the personal data for longer than the period specified in government guidance. It is important that you dispose of the data securely to reduce the risk of someone else accessing it. For example, shred paper documents, and permanently delete digital files, remembering to remove any copies in the recycle bin, in email, and in cloud or other back-up storage.

Tacita recommends drafting a privacy notice covering your organisation’s involvement with the NHS Test and Trace scheme. The GDPR requires you to provide this information for any activity involving the processing of personal data, and a written notice also allows your establishment to answer questions from customers and staff about how their data is handled. Guidance on how to create a privacy notice for the Test and Trace scheme is available separately, and the ICO has published further guidance for businesses on how to ensure that the collection and sharing of contact details is lawful.

About Us: Tacita are GDPR compliance experts. Tacita help clients achieve and maintain GDPR compliance. Get in touch to explore our range of GDPR services including the Tacita GDPR Audit, GDPR Consultant Service and the GDPR Toolkit.
