Your role in track and trace: Don’t forget data protection
In taking the necessary steps to reopen your business and remain open, don’t trip over the avoidable hurdle of the GDPR.
The government has made clear that businesses in the hospitality, leisure and tourism industries are now expected to keep fluid and regularly updated records of customers, staff and other people who visit their premises. This is so that you can provide NHS Track and Trace with useful and accurate information if anybody displays or reports symptoms or reports a positive test result.
Keeping effective records requires collecting and storing personal data. In the same guidance, the government has therefore confirmed that the GDPR applies to these initiatives. This is not unexpected: it is consistent with the position taken by the Information Commissioner’s Office (the UK data protection regulator).
So, when compiling and maintaining your track and trace records, what are the key GDPR obligations you need to comply with?
- Transparency: it is likely that your customer and staff privacy notices need to be amended and that you will need to change how you present them to people.
- Storage: your data retention policy should be amended with new purpose-driven categories. You should also work out how to delete information securely once no longer required, given the potential ramifications of acting on inaccurate information.
- Minimisation: are your measures for collecting and recording the required information set up in a way which ensures staff/software only collect(s) the minimum amount of personal data required to satisfy the government guidance?
- Software: if you are using third party software to collect this information, you will need to enter terms required for contracts with third-party processors.
- Security: how is information collected physically and in person kept away from other customers or staff who do not need to see it? If information is collected online, how is it kept secure (especially bearing in mind the increase of cybercrime-related to the pandemic)?
- Cookies: if you collect the required information online, it is likely that you are (or your software provider is) using cookies to do it. Does your cookie notice contain the required information and user options? Have you collected adequate consent?
- Sensitive information: if anyone reports their own or someone else’s symptoms or a positive test, this is “special category” personal data under the GDPR. Enhanced security is required and you may need to update your “appropriate policy document”.
While it is not an obligation, it is also worth considering whether there is any basis under the GDPR to oblige all individuals visiting your premises to provide the required information. A consistently applied system with the most accurate and complete information will be the most effective in keeping customers, staff and visitors safe and keeping your premises open for business.
This update is for general purposes and guidance only and does not constitute legal or professional advice. You should seek legal advice before relying on its content. This update relates to the prevailing circumstances at the date of its original publication and may not have been updated to reflect subsequent developments. If you have general queries about our updates, please email: firstname.lastname@example.org