Date06 Aug 2020
CategoryBusiness Services, Technology Consultancy
As the country is easing out of social and economic lockdown measures, and more businesses are opening back up, businesses in certain sectors have been asked to collect data from their customers to support the Test and Trace programme (also known as Test and Protect in Scotland and Test, Trace, Protect in Wales).
This can be seen as a daunting prospect for small organisations who are not familiar with the data protection laws. In this update, we provide practical information for those businesses wanting to support the newly introduced Test and Trace programme.
On Thursday 28 May, the NHS Test and Trace service was launched and has become a crucial element of the Government’s national strategy to reduce the spread of COVID-19. The service ensures anyone who develops symptoms of COVID-19 can be tested quickly, and traces close recent contacts of anyone who tests positive, notifying them so that they can self-isolate. Further information regarding the programme can be found on the GOV.UK website.
To help with the implementation and success of the programme, the Government have set out a new business plan, a major extension to the service, requesting businesses to collect data from their staff and customers.
The purpose of collecting this data is to track the individuals entering a business’s establishment, who can, if necessary, be contacted if a COVID-19 case is reported by another customer or member of staff, or if a potential local outbreak is noted at your location.
The Government is asking businesses to collect contact details of people in their establishment, including time of entry and departure (if possible). This could be data for both staff and customers. For groups of customers attending together, they only need to collect one of the individual’s details.
When collecting the data, it is important to note that participation is voluntary – customers do not have to provide their details. However, an organisation should encourage customers and staff to participate. Ultimately, this could help contain clusters or outbreaks of COVID-19.
The sectors that need to comply with these regulations differ, depending on whether the business is located in England, Scotland or Wales. It is particularly relevant to the hospitality, tourism and leisure sectors.
Please refer to the relevant regulations for clarification or contact your local Azets advisor. You can view the relevant sector regulations, dependant on your location, here:
Businesses should only collect the minimum data necessary in order to contact someone. For example:
As this is a new activity, businesses should follow their usual data protection procedures. Specifically, they need to:
If businesses have no current data protection processes in place, this can be a daunting prospect. They should focus their attention on the following:
The Scottish Government have produced an example privacy notice for organisations in tourism / hospitality sectors to use in the context of contact tracing.
In certain instances, and only when necessary, the NHS may ask for a copy of the data collected by a business. This is either because someone has tested positive for COVID-19 who listed the business’s premises as a place they visited recently, or because the premises has been identified as the location of a potential local COVID-19 outbreak.
Businesses should only share data with the NHS when asked to do so and only the limited amount that is requested. They must make sure they are speaking to a bona fide member of the Test and Trace team. When sharing data, make sure this is done through a secure method.
The guidelines for sharing the collected data with the NHS can be found here:
Businesses should only keep the data they have collected for the time period requested – currently this is 21 days. After this period, they should completely delete this data. If it is then still held on back-up systems, businesses need to document this in their information asset register or data flow documentation.
We all need to do our part to bring this virus under control, and contact tracing is a key component of doing this. Collecting any personal data does, however, put certain obligations on a business, not just according to laws such as the GDPR, but also to foster trust with their customers.
Being transparent and keeping details secure will help businesses comply with the Government’s request in a safe and privacy-conscious manner.
If you are unsure or concerned about any of the above and need clarity on the next best step for your business, please get in touch with a member of our Business Technology Consulting team.
Please also refer to our insights page for further information, which is regularly updated with the latest news, insight and details of the economic support and measures as they are announced by our Government.