As businesses begin admitting people back to their workplaces, many will be logging customer and visitor information for the purposes of contact tracing. In this article, we discuss the key considerations for employers processing customer data for purposes such as the government's Test & Trace system and look at how they can collect information whilst staying compliant with data protection regulations.
Be clear on your lawful basis
The General Data Protection Regulation 2016 (GDPR) allows you to process personal data for contact tracing provided you have a lawful ground to do so.
There is currently no legal obligation to provide information to the government for contact tracing purposes. This leaves two main lawful grounds which apply to the collection of data for contact tracing: consent and legitimate interest.
The legitimate interest basis for collecting information recognises that doing so is likely to be in the interests of the individual, the business, and the public health efforts to help contain the outbreak of COVID-19.
Use of the consent basis must rely on consent freely given. Visitors should be able to refuse or withdraw their consent without facing negative consequences, such as being denied access to your business services.
Communicate with visitors
Ensure you are clear with visitors about the information you are collecting, why you are collecting it and who it is shared with. This can be achieved by a clear and visible notice at your premises or website which explains that you are collecting personal information for contact tracing purposes, or simply telling them when they arrive.
Businesses that already have a data collection notice should review it and, if necessary, update it to note that personal information may also be used for contact tracing purposes.
Limit data collection to what is necessary
Make sure the collection of information is limited to what you need. The government suggests the records kept of customers and visitors should include name, phone number, date of the visit and arrival and departure times. For large groups of customers, the name and number of a group leader will suffice.
Use the data for the correct purpose
If you are collecting data for contact tracing which extends beyond that normally collected in your usual course of business, it must be used only for sharing with the government for these purposes. Using the data for purposes not related to contact tracing, including marketing or analysis, risks breaching the GDPR.
Careful storage
Data should not be kept for longer than is necessary to achieve the purpose for which you are processing it. Current government guidance suggests keeping data for 21 days, in order to allow for a 14-day incubation period for COVID-19 and 7 days to be contacted by the relevant authorities.
The data should be kept securely in accordance with usual GDPR requirements and destroyed after the expiry of this period.
Sharing the data
The Test and Trace system will ask for your collected data if necessary. This is likely to be because your premises have recently been visited by someone who has tested positive for COVID-19, or because they have been identified as the location of a potential local outbreak.