Earlier this week, the government announced that it will make systems for the collation of NHS Test and Trace data mandatory for hospitality businesses such as restaurants and pubs from next Friday (18th September).

Although participation by the customer is still voluntary, hospitality businesses must have the supporting systems to allow those who wish to participate the opportunity to provide their details.

Having been out to dinner a few times in recent weeks, I have experienced some interesting methods of Test and Trace data capture in businesses. As a lawyer who deals with data protection for my clients, it is clear to me that many businesses have seriously considered their obligations and have done their best to comply with laws and guidance. However, others have frankly got it completely wrong or have abused the purpose of the system.

Data protection law requires collection of personal data to be lawful, fair and transparent. You must consider the principles of data protection law when designing your Test and Trace system. That means you must make sure the information you collect is adequate to serve the purpose intended, relevant and limited to what you need. It must be accurate and not used for anything else. You should also keep it secure, so you minimise the risk of data abuse, accidental loss or destruction.

Here’s a reminder for businesses about the ABC (and DEF) of Test and Trace.

A – Ask for only what’s needed

The government requires you to build a system to collect the following information for customers and visitors:

  • the name of the customer or visitor. If there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group. If the visitor is a child, use the accompanying adult as the ‘lead member’.
  • a contact phone number for each customer or visitor, or for the lead member of a group of people
  • date of visit, arrival time and, where possible, departure time
  • if a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer

Nothing further should be requested, nor should the business demand sight of ID or use other intrusive verification methods. The only time this is suitable is where such methods are legally mandated, such as for age verification or money laundering checks.

B – Be transparent with customers

You should be clear, open and honest with people about what you are doing with their personal information. This includes updating your privacy policies and notices, and making sure information relating to your data collection activities is made clear and available to your customers (and your staff!).

Many businesses have opted to use their existing appointment or booking systems as their record of attendance to forward to NHS Test and Trace in the event of an outbreak. These businesses must inform their clients and visitors of this additional purpose when collecting the data and also inform them of the data sharing activity with the NHS for contact tracing purposes.

C – Carefully store the data

You must look after the personal data you collect. This applies to both digital data and paper data. One of the most frequent issues I have seen is the dreaded open access contact tracing clipboard being handed around the premises for self-completion by customers. This list contains every attendee’s personal data for all to see. 

You must also have rules and staff training in place to make sure information isn’t lost, stolen or destroyed. This week already there has been a story of an employee using the data to contact a customer to ask for a date!

Training must also cover what to expect if the NHS contacts the business seeking information, so that staff can check that the caller is genuine.

D – Don’t use it for other purposes

I cannot emphasise enough – test and trace data DOES NOT EQUAL marketing data!

You cannot use the personal information that you collect for contact tracing for other purposes, such as direct marketing, profiling or data analytics. Set up separate, transparent methods of collection of marketing data using an appropriate lawful basis.

E – Erase it in line with government guidance

You should not keep the personal data for longer than the government guidelines specify. Typically, this is 21 days unless a sectoral requirement demands otherwise. It’s important that you dispose of the data securely to reduce the risk of someone else accessing the data. Shred paper documents and permanently delete digital files from your recycle bin or back-up cloud storage, for example.

And a bonus one courtesy of Cartridges Law in addition to the ICO’s advice…

F – Fees for registration may apply

Unless you are exempt, organisations and sole traders that process personal data must register with the ICO. You may already be registered, but it is best to double check. As covered in our data protection fees blog, fines will be payable by businesses that do not comply with this requirement. Use the ICO self-assessment tool to calculate your registration fee.