• Date

    14 Oct 2020
  • Category

    Technology Consultancy

Track and Trace – how to support it safely

If you are gathering other people’s personal data, you need to protect them and your business from data breach.

As we all know, Track and Trace has not been without controversy, from early arguments over the technology to significant issues raised about the effectiveness of the system, such as only 72% of coronavirus sufferers' contacts being reached. During the summer a key issue surrounding the system was data privacy. It emerged in July that the NHS Track and Trace app had been operating since May without a Data Protection Impact Assessment (DPIA) having been performed, meaning the government had not abided by the GDPR rules in place to protect people’s personal data.

In recent months many small businesses have been required to gather customers’ data to support track and trace. If complying with the rules is hard for the government, then it must be difficult for many of the operators suddenly asked to gather this information. Solicitors specialising in data breach claims have not been slow to catch on to this, and a simple search will find numerous firms offering support in obtaining compensation for those who feel their data rights have been breached by track and trace. So, if you are a business required to gather personal data from customers in order to operate, what should you do to ensure you protect both your customers and your business?

  • Collect the minimum amount of personal data necessary – Data minimisation should be central to any contact tracing system; reducing the amount of data held reduces the potential for data to be misused, lost or shared without permission.
  • Only store data for the minimum amount of time possible – Only store the data for as long as it is required: decide how long this period will be, then stick to it rigidly. Reducing the length of time data is stored for reduces the risk to that data. Ensure that disposal processes are in place for both physical and digital data – this is key.
  • Ensure data is processed securely through privacy by design – If processing data digitally, implement cryptographic and security controls to secure the data both at rest and in transit. For physically held data, ensure there are clear processes in place for the storage and transmission of that data.
  • Conduct a Data Protection Impact Assessment – A Data Protection Impact Assessment will identify where the key risks in your system lie and where they can be mitigated. For any risks that cannot be mitigated, the ICO can be consulted for assistance.
  • Resist any desire to use the data for marketing – Data must only be used for the purpose for which it was gathered.
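The first three points above (minimise, retain for a fixed period, restrict how the data is used) can be enforced mechanically rather than left to good intentions. The following Python sketch of a visitor register is an added illustration, not code from Azets or from any track and trace system: it accepts only the fields needed for tracing and silently drops anything else (email addresses, marketing consent, dates of birth), records when each entry was taken, purges entries past a retention period, and exposes a single read path that answers a time-window tracing request rather than a general customer list. The 21-day `RETENTION_PERIOD`, the `REQUIRED_FIELDS` list and the sample visitors are constructed assumptions; set the retention period to whatever your DPIA and the applicable guidance require.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumed retention period for this example; take the real figure from your
# DPIA and the current guidance, then enforce it with purge_expired() on a schedule.
RETENTION_PERIOD = timedelta(days=21)

# Data minimisation: the only fields the register is permitted to hold.
# Anything else submitted on the form is discarded before storage.
REQUIRED_FIELDS = ("name", "phone", "visited_at")


@dataclass(frozen=True)
class VisitorRecord:
    """Exactly the fields needed to contact a visitor about a given visit."""
    name: str
    phone: str
    visited_at: datetime


def minimise(raw: Dict[str, object]) -> VisitorRecord:
    """Keep only REQUIRED_FIELDS; reject submissions that cannot support tracing at all."""
    missing = [f for f in REQUIRED_FIELDS if f not in raw]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    visited_at = raw["visited_at"]
    if not isinstance(visited_at, datetime) or visited_at.tzinfo is None:
        raise ValueError("visited_at must be a timezone-aware datetime")
    # Extra keys such as "email" or "dob" are never copied into the record.
    return VisitorRecord(name=str(raw["name"]), phone=str(raw["phone"]), visited_at=visited_at)


class VisitorRegister:
    """In-memory register with a fixed retention period and a single, purpose-bound read path."""

    def __init__(self, retention: timedelta = RETENTION_PERIOD) -> None:
        self._records: List[VisitorRecord] = []
        self._retention = retention

    def add(self, raw: Dict[str, object]) -> VisitorRecord:
        record = minimise(raw)
        self._records.append(record)
        return record

    def purge_expired(self, now: datetime) -> int:
        """Delete every record older than the retention period; return how many were removed."""
        cutoff = now - self._retention
        before = len(self._records)
        self._records = [r for r in self._records if r.visited_at >= cutoff]
        return before - len(self._records)

    def lookup_for_tracing(self, start: datetime, end: datetime) -> List[VisitorRecord]:
        """The only read path: visitors present in a window, for a legitimate tracing request.
        There is deliberately no 'export all customers' method to repurpose for marketing."""
        return [r for r in self._records if start <= r.visited_at <= end]

    def __len__(self) -> int:
        return len(self._records)


def demo() -> Tuple[int, int, List[str], bool]:
    """Run the register over constructed sample visitors and report what happened."""
    now = datetime(2020, 10, 14, 12, 0, tzinfo=timezone.utc)  # constructed 'current time'
    register = VisitorRegister()
    # Constructed sample submissions; two carry extra fields the form should not keep.
    samples = [
        {"name": "A. Visitor", "phone": "07700 900001",
         "visited_at": now - timedelta(days=30), "email": "a@example.org"},
        {"name": "B. Visitor", "phone": "07700 900002",
         "visited_at": now - timedelta(days=5)},
        {"name": "C. Visitor", "phone": "07700 900003",
         "visited_at": now - timedelta(hours=2), "dob": "1980-01-01"},
    ]
    first = register.add(samples[0])
    extras_dropped = not hasattr(first, "email")
    for sample in samples[1:]:
        register.add(sample)
    removed = register.purge_expired(now)                      # the 30-day-old visit goes
    window = register.lookup_for_tracing(now - timedelta(days=7), now)
    return removed, len(register), [r.name for r in window], extras_dropped


if __name__ == "__main__":
    print(demo())  # (1, 2, ['B. Visitor', 'C. Visitor'], True)
```

A real deployment would back the register with storage that is encrypted at rest, run `purge_expired` from a scheduled job rather than by hand, and log each call to `lookup_for_tracing` so that access to the data can be audited against the purpose it was collected for.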

For further information on how to comply with GDPR when gathering personal data from customers in order to operate, please contact a member of our Business Technology Consulting team or your usual Azets contact.

About the author

Fraser Nicol

Partner and UK Business Technology Consulting Leader, Glasgow City