28 Sep 2020
Contact Tracing: Data Protection issues for businesses
From 18th September certain businesses are required by law to obtain customers’ details for the purpose of contact tracing, and from 24th September to display the QR code. It is well known that businesses subject to these requirements include pubs, bars, restaurants, and cafes but they apply equally to a significant number of others in the leisure and tourism services (please see below*). Those businesses in hospitality should note that the requirement includes where customers are in an area adjacent to the premises.
If you are in doubt as to whether your business is required to take customers’ details then you should probably do so. Even if it is not a legal requirement you may wish to consider implementing a track and trace system for the safety of your own staff as well as your customers. The purpose behind the requirement is to enable contact to be made in the event that a customer becomes a victim of Covid-19, and to enable the business, or the authorities, to make contact with anyone else on the premises at the time to enforce self-isolating.
If a customer scans the QR code there is no requirement for the business to also take their details. Customers cannot be forced to scan the code nor refused entry on the basis that they refuse to do so.
What data should be recorded?
Of course, retaining customers’ contact data brings about issues to ensure compliance with the General Data Protection Regulation and the Data Protection Act 2018. The personal data taken (being that which enables an individual to be identified) does not need to be extensive and should be limited to the name of the individual (or in the case of a group, a lead name) and their contact telephone number. The time and date of the visit should also be noted.
If a customer unreasonably refuses to provide the data then reasonable steps can be taken to refuse entry.
There must be a lawful basis under the Data Protection legislation for obtaining and retaining the data. This should be the legal obligation to which the business is subject under the regulations.
What should businesses tell their customers?
Individuals should not be asked for more than is necessary for the purpose of contact and trace as to do so would go beyond the purpose for which the data is obtained and be unlawful. Equally, people should not be asked to prove the information given (unless this is necessary or standard practice for your business, such as proving someone is over the age of 18 to buy alcohol).
People should be told why their data is required, what will be done with it, and how long it will be retained by your business. Individuals then have a number of legal rights under the Data Protection legislation in relation to that data (such as the right to access it, to know whether it is still held, and to correct it). They also have the right to request that it be erased, although such a request can be refused where the requirement to hold the data for a defined period applies. Any such request must be dealt with within 28 days – however if the procedures and timescales set out below are properly applied then the response at that stage should be that the data has been destroyed.
How long should the data be retained?
The data should only be retained for as long as is required. The requirement for track and trace means essentially that the data should be destroyed after 21 days (after which essentially it goes beyond the time period necessary for which the data was taken in the first place). In disposing of the data, businesses must ensure that it is securely destroyed so as not to be accidentally and unlawfully divulged.
The data taken must not be used for any purpose other than the lawful basis for which it was taken, and the reason that you give the individual for taking it. For example, businesses should not retain the data for marketing purposes.
Security
Businesses are also responsible for ensuring that the data is kept safely and securely. It is important that staff know the reasons why the data is collected, and what their obligations are. It is a criminal offence if the data is unlawfully disclosed. Businesses should therefore ensure that the data is securely locked away if on paper records and password protected, with appropriate cyber security measures in place, if held electronically. You should certainly avoid having the data in a form of open book visible to other customers.
Consideration should also be given to who in the organisation reasonably needs access to the information. You should ensure that someone has overall responsibility for the data, for its retention, security and for secure disposal of it at the appropriate time. Ideally, the name of this individual should be made available to customers – this would be easier if a written privacy notice was used.
If the data should be unlawfully divulged to any third party, whether by accident or otherwise, then businesses need to investigate and take appropriate steps to rectify the situation and ensure that there is no repetition. The Data Protection legislation provides that the Information Commissioner must be informed within 72 hours if the disclosure is significant and / or is likely to have a fundamental impact on the individual or individuals concerned. You must also consider whether, to protect the individual or individuals, they should be informed.
When the data should be disclosed
Your business may also be contacted by the authorities for details of the data you hold to enable them to activate the track and trace procedure. You must exercise extreme care before divulging the information and ensure that it is a legitimate request. Undoubtedly there will be many looking to use this new requirement for their own illegitimate means.
Privacy Notices
The Data Protection legislation states that ordinarily all of the above should be made available by way of a privacy notice provided to the customer. Whilst further guidance is awaited, it does not seem that for the purposes of track and trace this is the case, but businesses may find it helps and it would in our view be good practice to have a notice available, whether handed to the customers, on the wall of the premises, and / or on a website.
How we can help
The legal requirement for businesses to apply the Data Protection legislation as a result of track and trace can be confusing if your business is not familiar with its obligations under the legislation. Chadwick Lawrence Regulatory team can provide help and assistance – please contact nicholasworsnop@chadlaw.co.uk or harveyblake@chadlaw.co.uk
*hairdressers and barbers; beauticians; dress fitters and tailors; nail bars and salons; sports and massage therapists; tattooists; community centres; youth centres; village halls; amusement arcades; art fairs; betting and bingo halls; casinos; clubs providing team sporting facilities; sports stadia; facilities for use by professional sportspeople; heritage locations and attractions open to the public; hotels and other guest accommodation on a commercial basis (including campsites etc); indoor sport and leisure centres; outdoor swimming pools; museums and galleries; music recording studios open for public use; libraries. Full list available under Schedule to The Health Protection (Coronavirus, Collection of Contact Details etc and Related Requirements) Regulations 2020.