
Data protection and contact tracing
As pubs, restaurants and other similar hospitality businesses re-opened at the weekend, providing a safe environment for visitors has been a top priority.
Alongside the social distancing, hand sanitiser and perspex screens is a recommendation to capture visitor (and staff) contact details for contact tracing purposes. Contact tracing is performed by the NHS track and trace team in the event of a positive case.
In this article:
- What information should you collect?
- How long do we need to keep this information for?
- Do I need to see ID?
- What about data protection, does GDPR apply?
- Can someone refuse to provide their contact details?
- How can I capture contact details safely?
- Where can I find further information?
- How can Shout Cyber help?
What information should you collect?
Government guidance (summarised here for ease) details the following information, which should be captured if you operate in industries such as hospitality, or where you may spend a long time in close contact with customers:
- staff
  - the names of staff who work at the premises
  - a contact phone number for each member of staff
  - the dates and times that staff are at work
- customers and visitors
  - the name of the customer or visitor. If there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group
  - a contact phone number for each customer or visitor, or for the lead member of a group of people
  - date of visit, arrival time and, where possible, departure time
  - if a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer
How long do we need to keep this information for?
This information needs to be held for 21 days in order to help trace any potential contacts in the event of a positive case.
Do I need to see ID?
You only need to capture the details covered in the list above. You do not need to capture further information or see further ID unless it’s part of another purpose such as age verification.
What about data protection, does GDPR apply?
Yes, contact details you take from visitors and staff are considered personal details, and GDPR applies to protect their privacy. This means you need to protect the information you capture, handle it correctly and make sure individuals can exercise their rights.
When considering how to implement contact tracing, consider the following:
- Make staff and visitors aware that you are operating contact tracing to aid NHS track and trace teams, for example through a notice or as part of a form used to capture contact details.
- You can use the details captured for contact tracing for this purpose only; you cannot use them for marketing or any other purpose.
- You must keep the details captured secure, for example:
  - Keep the details in a locked box or safe after being captured.
  - If you are capturing the details electronically, make sure you use good security practices such as strong passwords, two-factor authentication, encryption etc.
  - Monitor and restrict who has access to contact details.
- Make sure you are allowing visitors and staff to exercise their rights, such as their ability to request a copy of the information you have about them or to have your records updated if they are inaccurate.
- Be aware of what legal reason you are using to capture contact details. The ICO's guidance in this case is that consent is not required unless you are capturing contact details for a place of worship; otherwise, legitimate interest may be used. You should make customers aware of this as part of your notice to customers.
Can someone refuse to provide their contact details?
There is currently no legal requirement to capture contact details. As such, someone can object to their personal information being captured. In that case, whilst they should be given some reassurance that their details will only be used for this purpose and encouraged to help, you should not pass their details on as part of a track and trace investigation.
How can I capture contact details safely?
Depending on your business, there are a number of ways you may capture contact details, for example:
- Paper form or sign-in sheet
- Diary or booking sheet
- Booking system
- Online form or application
Update: We’ve been busy researching the best and safest methods to capture contact details in our latest blog post.
Where can I find further information?
The ICO has published detailed guidance to help businesses with further questions:
https://www.gov.uk/guidance/nhs-test-and-trace-how-it-works
How can Shout Cyber help?
We’re here to help businesses during the pandemic and through the recovery. We can help your business to:
- Develop and deliver a secure and compliant means of capturing contact details for contact tracing.
- Provide staff training in data protection legislation and requirements specifically suited to this situation, for example how to recognise when someone is requesting their data as part of a data subject access request.
- Help you to document and develop your processes around contact details capture such as data protection notices.
- Provide support and advice on how to improve your business's security.
Get in contact with us or book in a FREE COVID catchup to find out more about how we can help.