Quick guide to collecting data for Contact Tracing
As lockdown measures eased, my husband ventured out last week after nearly four months of braving little more than a trip to Tesco. He met a couple of old friends in a London bar. Before settling down for a cool pint in the garden, he was asked to give his name and email address.
He wasn’t told why, but guessed it was likely (and hopefully) for contact tracing purposes.
From holiday cottages to theme parks, hotels to pubs, many are looking to play their part in stopping the spread of COVID-19 and helping the Government’s contact tracing effort. This means collecting details from staff, contractors, customers, visitors, volunteers and so on.
So, what are the key things you need to consider from a privacy perspective? The ICO has published detailed contact tracing guidance. Here’s our quick 7-step guide.
1. Only ask for what’s needed
You are only likely to need to collect details such as name, contact details plus time of arrival and departure. It’s worth noting in England the government has asked organisations to only collect details for the lead member of a group for the purpose of contact tracing.
So, if you run a restaurant in England you don’t need to collect details for the whole table. (Double check as this may differ in Wales, Scotland and Northern Ireland).
You don’t need to ask people to prove their identity (unless this is standard practice, for example, you would routinely conduct ID checks for age verification in a pub, or membership of a private club).
For many you might already be collecting contact details via an online booking form or , for others like pubs you may have never needed to collect your customers’ contact details before.
Think about how you are going to keep the information safe and secure. Are you going to store it on a paper list or digitally (we would recommend the latter), or perhaps use an app? For example, Tapmydata has developed an app specifically for the hospitality sector and no doubt there will be others.
2. Tell people why you need their details
The bar my husband went to failed at the first hurdle; they collected his name and email address but didn’t tell him why. The golden rule is tell people why you are collecting their personal information and what you’ll do with it.
You need to be open with people that you’re using their personal details for contact tracing. This really shouldn’t be hard to do in the circumstances and applies equally to employees, volunteers and contractors as well as customers or visitors.
Even if you already collect information via your booking form, you should also make it clear that contact details will, if necessary, be used specifically for contact tracing.
You can tell people over the phone, put notices up on your premises, include information on your online booking forms and / or simply tell people when they arrive.
3. You probably don’t need ‘consent’
I don’t want to bore you with data protection law, but you do need a lawful basis for collecting personal data for any purpose including contact tracing. While many might be forgiven for thinking GDPR meant you needed people’s consent for everything, this is simply not the case.
Contact tracing is a perfect example of where legitimate interests are likely to be the most appropriate lawful basis if you’re a private organisation.
It’s in your ‘legitimate interests’ as a business to support public health efforts and care for your staff, plus it’s very likely to be in the interests of the individual. (My husband, for one, would want to know if there was a COVID-19 outbreak in the bar he was in last week.) In short, if you’re relying on legitimate interests you don’t need to ask for their ‘consent’ but will need to give them a right to object.
If you are a public authority you are likely to be able to rely on ‘public task’ as your lawful basis.
Which organisations might need to ask for consent?
If you are an organisation (or have a job) which by its very nature may infer sensitive information about your customers or visitors, it’s recommended you collect consent. For example, political members clubs, churches and physiotherapists.
Why is this? Under data protection law ‘special category data’ is given specific protection. This is any information that reveals or might infer ethnicity, race, religious beliefs, political opinions, sexual preferences or could reveal health information about an individual. The ICO recommends collecting consent in these circumstances. Its guidance gives the following example:
In the context of contact tracing, we recommend using consent if you are logging details in places of worship, for example. You should also use consent if you provide a service to small groups or on a one-to-one basis, like tailoring or sports massage. That’s because the information you may be asked to share for contact tracing purposes may only apply to one or two people – rather than a roomful – making it more likely that you’d make assumptions about your customer’s health.
4. Store details carefully
Here are some simple rules to follow:
a) Don’t use an open sign-in book where people’s details can be seen by everyone.
b) If you have to use paper records, keep the lists locked away. It would be preferable to have securely protected digital records.
c) Tell your staff the lists must be kept secure and must not be shared with anyone, unless part of the contact tracing programme.
d) Make sure only those that need access to the list have access.
5. Only share the information when requested
The ICO makes it clear:
a) You should only share the information you have collected for contact tracing purposes when you are asked to do so by a legitimate public health authority.
b) If you are contacted by the contact tracing scheme you must make sure the caller is genuine. Be cautious of scammers who may pretend to be a contact tracing agency.
c) Once confident the request is legitimate make sure you share the information securely. (A reason why digital records would be preferable).
The regulator also stresses that if you become aware of someone who has tested positive for COVID-19, you should not report them to the contact tracing scheme, nor should you seek to contact people who have visited your premises yourself. The ICO guidance states:
If there is more than one case of COVID-19 on your premises, you should contact your local health protection team to report the suspected outbreak.
6. Don’t use the information for anything else
You mustn’t use the details you’ve collected for contact tracing for any other purpose. For example, you can’t use an email address to send marketing if you collected it for contact tracing. Unless of course you previously and separately collected the very same email address for the purpose of direct marketing.
This is an important message to get across to your staff. The Spectator (paywall article) is reporting this may already be being abused – with fears bartenders could be using details provided for contact tracing to ask customers out for a drink!
7. Delete the information securely
You shouldn’t keep personal details you have collected for longer than necessary. Public health authorities have issued guidance on how long this should be for contact tracing. In England it’s 21 days. So, after 21 days you must dispose of the information securely. For example, shredding paper records or permanently deleting digital files.
The only reason you would keep personal data for longer is if this is in line with other sector-specific guidelines.
As said, many organisations will be wanting to play their part in supporting contact tracing. It’s an example where the collection of personal data is in all our interests. It doesn’t need to be complicated, just make sure you tell people what you’re doing and have a few checks and balances in place.
Philippa Donn, July 2020
Copyright DPN
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.