Track and Trace Data Protection Considerations
As of Monday 14 September 2020 it will become compulsory for pubs and restaurants in England to collect the contact details of their customers.
They had been encouraged to do this, but now it has become a mandated legal requirement.
All businesses must though still comply with data protection laws. A pub or restaurant collecting the required personal data for the purpose of contact tracing will have a legitimate reason for doing so under the Data Protection Act 2018. This exemption is referred to as ‘legitimate interest’. As a result, the business will not need written consent from those whose data they collect. However, this data cannot be used for other reasons, you cannot start using this data to send marketing materials or promotional offers, it must be kept secure and you must only retain it for a reasonable period of time.
You should look to put in place a proper policy governing how this data will be collected, used, stored and destroyed. It is also advisable to keep evidence of the collection of such data in case this comes under future scrutiny. If this is the case a well-considered policy will help to demonstrate how you have complied with the new mandatory requirements to keep contact details within the wider data protection framework. This should include training your staff, monitoring and taking action if required.
Ensure that you are only getting the specific information that is required. Make sure that you are not getting more information than you need, to ensure the risk of a breach is lowered.
You should inform your customers that you are collecting the data for track and trace purposes. Let them know why you need it and what you will do with the information you collect. The key thing to remember is transparency!
Storage of the data
After you have collected the personal data you must ensure that it is stored securely and safely. If you are using a paper form of data collection then ensure your records are kept securely locked away, if you are using it online then make sure you use a secure storage device and take appropriate steps to ensure the safeguarding of the information from physical and digital theft.
Basic advice includes using strong passwords and providing adequate training to staff on the correct storage procedures are adhered to. This should also all be covered in staff policies.
Usage of data
It is essential that you do not use the data you collect for any purpose other that contact tracing. This means that any profiling or marketing is not permitted.
You should ensure that you check government guidelines and destroy the data in line with Government advice, in the timeframe they specify. Make sure that when you destroy the data it is done without risk of theft and you should document this. Methods such as shredding and secure/permanent digital deletion should be used. You should only be collecting the data for as long as you need it. Ensure you consider deletion on this basis when you are creating a policy to use.
You should only share the information when it is requested by a legitimate public health authority. Ensure that the caller or representative is from a legitimate public body and share the data with them securely.
Why does this matter?
It is important that sight is not lost that any new measures are done strictly in line with the current data protection framework. An individual has a number of rights to ensure that their data is properly looked after and you may find yourself at the receiving end of a data subject access request or being called to account for how you have dealt with someone’s data.
There are considerable penalties for breaching data protection regulations and non-compliance. Whilst we hope a pragmatic approach will be taken given the context of the pandemic it is still imperative that security of personal data remains key and if scrutinised you can clearly evidence what you have done and why.
At A City Law Firm, we are experts in data protection. Please reach out to our team for a free initial conversation on how we can assist you in achieving compliance. firstname.lastname@example.org