Due to the coronavirus pandemic, it is now a legal requirement for some organisations to collect customer, visitor and staff contact details for contact tracing purposes.
These businesses have had to adhere to strict measures to ensure they are keeping customers and staff safe. They are also being asked to collect information from their customers, visitors, and staff to enable contact tracing for the NHS.
Guidance from the government has asked these businesses to keep temporary records of all staff, visitors and customers that attend their premises for a period of 21 days following their visit. This is to assist the NHS with contact tracing. There is also a new NHS Covid-19 contact tracing app that businesses and individuals can use.
For businesses that regularly take bookings, collecting this data will not be a new concept. Businesses that are more relaxed and do not normally collect data will need to put new policies and procedures in place to collate the information.
Businesses will need to ensure that they comply with data protection legislation to prevent any breaches.
Compliance with Data Protection
Any information that is collected must be adequate, relevant and limited to what is needed. It must not be used for anything else other than contact tracing. It cannot be used to market products for the organisation or be kept indefinitely.
The information should be kept securely and out of public sight to minimise the risk of it being seen by someone else or lost. Any sign-in sheets or books containing personal data of customers should not be left on view for other customers to see.
Once data has been collected from people it must be stored in a safe manner to ensure it cannot be compromised or passed on. Once the 21-day period for test and trace purposes has passed, the data needs to be disposed of confidentially.
Any information collected electronically will need to be deleted, and information collected on paper should be shredded to at least DIN 66399 Level 3 standard.
Telling customers and visitors
Businesses should display signs to explain to their customers and visitors what information they will be collecting, how long they will keep it for and how they will dispose of that information.
Businesses must be open and honest about why they are collecting information and specify that it is for contact tracing purposes.
Data being collected
Visitors and customers – name, telephone number, date and time at the venue and name of staff member present.
Staff members – name, telephone number, date, and time present at the venue.
For groups of visitors, the data collected can be just for the group’s leader.
Some visitors or customers may not wish to provide their information; this will need to be respected due to it not being a mandatory requirement.
Data being collected manually
If businesses are collecting data manually then it is important that basic measures are put in place. These include:
- Making sure staff understand what they should and should not be doing with customer information. All employees need to be aware it is a criminal offence under the Data Protection Act to obtain or disclose customer information without consent;
- Open access sign-in books where anyone can see personal information should not be used;
- Any paper records need to be kept out of sight and in a secure place;
- Limit the number of employees who have access to the information.
NHS Contact Tracing App
The use of the NHS contact tracing app is voluntary. Businesses can have a QR code, and customers and visitors can check in using the app instead of providing their personal details to the company. No one should be forced to download and use the app.
Information Commissioner’s Office (ICO)
The ICO will support organisations and will not hesitate to act against any business if they discover that they are not adhering to data processing practices.
There are five key principles businesses must adhere to:
- Only ask for what is needed;
- Be transparent with customers;
- Carefully store the data;
- Do not use it for other purposes;
- Erase it in line with government guidance found on www.gov.uk.