Track and Trace – don’t forget data protection
In taking the necessary steps to reopen your business and remain open, it’s important to not trip over the avoidable hurdle of the GDPR.
The government has made clear that businesses in the hospitality, leisure and tourism industries are now expected to keep fluid and regularly update records of customers, staff and other people who visit their premises so that they can provide NHS Track and Trace with useful and accurate information if anybody displays or reports symptoms or reports a positive test result.
Keeping effective records requires collecting and storing personal data. In the same guidance, the government has therefore confirmed that the GDPR applies to these initiatives. This is not unexpected and is consistent with the position taken by the Information Commissioner’s Office (the UK data protection regulator).
So, when compiling and maintaining your Track and Trace records, what are the key GDPR obligations you need to comply with?
- Transparency – it is likely that your customer and staff privacy notices need to be amended and that you will need to change how you present them to people.
- Storage – your data retention policy should be amended with new purpose-driven categories. You should also work out how to delete information securely once no longer required, given the potential ramifications of acting on inaccurate information.
- Minimisation – are your measures for collecting and recording the required information set up in a way that ensures staff/software only collect(s) the minimum amount of personal data required to satisfy the government guidance?
- Software – if you are using third party software to collect this information, you will need to enter terms required for contracts with third-party processors.
- Security – how is information collected physically and in person kept away from other customers or staff who do not need to see it? If information is collected online, how is it kept secure (especially bearing in mind the increase of cybercrime-related to the pandemic)?
- Cookies – if you collect the required information online, it is likely that you are (or your software provider is) using cookies to do it. Does your cookie notice contain the required information and user options? Have you collected adequate consent?
- Sensitive information – if anyone reports their own or someone else’s symptoms or a positive test, this is “special category” personal data under the GDPR. Enhanced security is required and you may need to update the appropriate policy document.
While it is not an obligation, it is also worth considering whether there is any basis under the GDPR to oblige all individuals visiting your premises to provide the required information. A consistently applied system with the most accurate and complete information will be the most effective in keeping customers, staff and visitors safe and keeping your premises open for business.
Lucas Atkins is a Senior Associate at law firm Greenwoods GRM and is a recognised specialist in data privacy and e-privacy law.