Covid Contact Tracing – Quick 7 Privacy Steps Reminder

June 2021

Contact tracing looks set to be around for the foreseeable future, so have you got matters sorted from a privacy perspective?

The Prime Minister has announced a delay to the lifting of remaining restrictions, but even as and when all social distancing restrictions are lifted, contact tracing is likely to continue.

This means hotels, pubs and many other establishments continuing to collect details from staff, contractors, customers, visitors, volunteers and so on.

We still see examples of organisations going about this in the wrong way, so what are the key things you need to consider from a privacy perspective?

Here’s our quick 7-step reminder:

1. Only ask for what’s needed

You are only likely to need to collect details such as name, contact details plus time of arrival and departure. It’s worth noting in England the government has asked organisations to only collect details for the lead member of a group for contact tracing purposes.
If you run a restaurant in England you don’t need to collect details for the whole table. (Note this may differ in Wales, Scotland and Northern Ireland).

You don’t need to ask people to prove their identity, unless this already is your standard practice. For example, you would routinely conduct ID checks for age verification in a pub, or membership of a private club.

Many establishments might already be collecting contact details, via an online booking form for instance. For others, like pubs, you may have never needed to collect your customers’ contact details before.

Think about how you are going to keep the information safe and secure. Are you going to store it on a paper list or digitally? We would recommend digital – or you could use an app (while making sure the app is secure).

2. Tell people why you need their details

The golden rule is to tell people why you’re collecting their personal information and what you’ll do with it.

You need to be open with people that you’re using their personal details for contact tracing. This really shouldn’t be hard to do in the circumstances and applies equally to employees, volunteers and contractors as well as customers or visitors.

If you already collect information via your booking form, you should also make it clear if it’s necessary to use the contact details for contact tracing purposes.

You can tell people over the phone, put up notices in your premises, include information on your online booking forms and / or simply tell people when they arrive.

3. You probably don’t need ‘consent’

I don’t want to bore you with data protection law, but you do need to confirm a lawful basis for collecting personal data for any purpose – including contact tracing. While many might be forgiven for thinking GDPR meant you needed people’s consent for everything, this is simply not the case.

Contact tracing is a perfect example of where ‘legitimate interests’ are likely to be the most appropriate lawful basis if you’re a private organisation.

It’s in your ‘legitimate interests’ as a business to support public health efforts and care for your staff, plus it’s very likely to be in the interests of the individual. In short, if you’re relying on legitimate interests you don’t need to ask for their ‘consent’ but will need to give them a right to object.

If you are a public authority you are likely to be able to rely on ‘public task’ as your lawful basis.

Which organisations might need to ask for consent?

If you are an organisation (or have a job) which by its very nature may imply sensitive information about your customers or visitors, it’s recommended you collect consent. For example, political members’ clubs, churches and physiotherapists.

Why is this? Under data protection law ‘special category data’ is given specific protection. This is any information that reveals or might imply ethnicity, race, religious beliefs, political opinions, sexual preferences or could reveal health information about an individual. The ICO (regulator of data protection) recommends collecting consent in these circumstances. Its guidance gives the following example:

In the context of contact tracing, we recommend using consent if you are logging details in places of worship, for example. You should also use consent if you provide a service to small groups or on a one-to-one basis, like tailoring or sports massage. That’s because the information you may be asked to share for contact tracing purposes may only apply to one or two people – rather than a roomful – making it more likely that you’d make assumptions about your customer’s health.

4. Store personal details carefully

Here are some simple rules to follow:

a) It is preferable to have securely protected digital records if you can. But if you use a sign-in book, don’t leave it open where people’s details can be seen by everyone.
b) If you have to use paper records, keep the lists locked away when not in use.
c) Tell your staff the lists must be kept secure and must not be shared with anyone, unless part of the contact tracing programme.
d) Make sure only those that need access to the list have access and be very clear they cannot use the list for any other purpose.

5. Only share the information when requested

The ICO makes it clear:

a) You should only share the information you have collected for contact tracing purposes when you are asked to do so by a legitimate public health authority.
b) If you are contacted by the contact tracing scheme you must make sure the caller is genuine. Be cautious of scammers who may pretend to be a contact tracing agency.
c) Once confident the request is legitimate, make sure you share the information securely. (Another reason why digital records would be preferable).

The Regulator stresses that if you become aware of someone who has tested positive for COVID-19 you should not report them to the contact tracing scheme, nor should you seek to contact people who have visited your premises yourself. The ICO guidance states:
If there is more than one case of COVID-19 on your premises, you should contact your local health protection team to report the suspected outbreak.

6. Don’t use the personal details collected for anything else

You must not use the details you’ve collected for contact tracing for any other purpose. For example, you can’t use an email address to send marketing if you collected it for contact tracing. That’s unless of course you previously or separately collected the very same email address for direct marketing. This is an important message to get across to your staff.

7. Delete the information securely

You shouldn’t keep personal details you have collected for longer than necessary. Public health authorities have issued guidance on how long this should be for contact tracing – in England it’s 21 days.

So, after 21 days you must dispose of the information securely. For example, permanently deleting digital files or shredding paper records.
The only reason you would keep personal data for longer is if this is in line with other sector-specific guidelines.

Many organisations will want to continue playing their part in supporting contact tracing. It’s an example where the collection of personal data is in all our interests.

It doesn’t need to be complicated, just make sure you tell people what you’re doing and have these few checks and balances in place.