ICO releases guidance for mandatory collection of track and trace data

Following the UK Government’s tightening of track and trace measures last week, it is now mandatory for various organisations, including public authorities, to collect contact information for those visiting their establishments such as hotels, cafes, community centres or local libraries. These records can be called upon by contact tracing schemes such as the NHS Track and Trace Service to identify and alert individuals who may have been in contact with someone at the venue who has recently tested positive for COVID-19.

At the same time, UK Government guidance reminds organisations that they must adhere to data protection law, namely the General Data Protection Regulation (GDPR). To reflect this shift from voluntary to mandatory collection of data, the ICO has published new guidance on how to protect this customer and visitor information. The guidance promotes a simple 5-step or ‘ABCDE’ approach:

  • A – Ask for only what’s needed

Those organisations subject to the compulsory rules are required to obtain the following information only: name of visitor (or lead visitor and number of group); contact number, email or postal address; date of visit, arrival time and, if possible, departure time; name of assigned staff member, if applicable. ‘Data minimisation’ is one of the principles of the GDPR, meaning that the data collected should be limited to what is necessary.

  • B – Be transparent

Personal data should always be processed transparently with respect to a data subject. Organisations should be open and honest about why they are collecting a visitor’s information and how it might be used (i.e. by the track and trace programmes).

  • C – Carefully store the data

Organisations should have appropriate technical and security measures in place to protect the information collected and its privacy whilst it is held on record.

  • D – Don’t use it for other purposes

Information which is collected for the purpose of contact tracing should not be used by the organisation for any other purpose, for example, direct marketing or data analytics.

The GDPR contains a number of lawful bases on which personal data may be processed, one of which is to comply with a legal obligation. This may be relied upon by those organisations to whom the UK Government has now made the rule on collecting visitor information mandatory. However, an organisation which goes on to process such data for a different purpose would be acting unlawfully, unless it could establish another lawful basis for that activity which had been notified to the data subjects concerned from the outset.

It is important to note that for some sectors, the UK Government’s guidance on collecting visitor information for track and trace is still voluntary and not a legal requirement. These organisations would need to consider which other lawful bases may apply in the circumstances. For example, the ICO suggests that the performance of a public task may be relevant to public authorities that can identify a task, function or power with a clear basis in law (such as a legal responsibility around public health) which requires them to process such data.

  • E – Erase it in line with Government guidance

Records of visitor information which are kept for the purpose of contact tracing should be securely deleted or disposed of after 21 days. This supports the principle of ‘storage limitation’ under the GDPR, meaning that data should not be kept for longer than necessary to achieve the purpose for which it is processed. Government guidance explains that this 21-day period reflects the incubation period for COVID-19 (which can be up to 14 days) plus a further 7-day allowance for testing and tracing.
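The following is an added illustration, not code from the article or from the ICO, of how steps A and E above might be enforced in a venue's record-keeping system. It assumes visitor records are held as Python dictionaries with a timezone-aware `visit_date`; the field names, the `minimise` and `purge` functions and the sample records are all constructed for this example. A real system would also need to delete the data from its actual store (database rows, spreadsheet, paper log), which this in-memory example cannot show.

```python
"""Data minimisation and 21-day retention purge for visitor records.

Added example (not from the article or the ICO guidance). Field names,
function names and the sample records are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

INCUBATION_DAYS = 14          # incubation period cited in the guidance
TRACING_ALLOWANCE_DAYS = 7    # further allowance for testing and tracing
RETENTION_DAYS = INCUBATION_DAYS + TRACING_ALLOWANCE_DAYS  # 21 days

# Step A: only the fields the compulsory rules call for are permitted.
REQUIRED_FIELDS = {"name", "contact", "visit_date", "arrival_time"}
OPTIONAL_FIELDS = {"group_size", "departure_time", "staff_member"}


def minimise(record: Dict) -> Dict:
    """Drop any field outside the permitted set; reject incomplete records.

    Anything extra (e.g. a marketing consent flag) is silently discarded so
    that it never reaches the contact-tracing store in the first place.
    """
    missing = REQUIRED_FIELDS - record.keys()
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    allowed = REQUIRED_FIELDS | OPTIONAL_FIELDS
    return {k: v for k, v in record.items() if k in allowed}


def is_expired(record: Dict, now: datetime) -> bool:
    """True once the record is strictly older than the retention period.

    A record exactly 21 days old is still kept; it is removed on the next
    run after the period has fully elapsed.
    """
    return now - record["visit_date"] > timedelta(days=RETENTION_DAYS)


def purge(records: List[Dict], now: datetime) -> Tuple[List[Dict], int]:
    """Return the records still within retention and how many were removed."""
    kept = [r for r in records if not is_expired(r, now)]
    return kept, len(records) - len(kept)


# Constructed sample data: a fixed "now" so the run is reproducible.
NOW = datetime(2020, 10, 1, 12, 0, tzinfo=timezone.utc)

SAMPLE_RECORD = {
    "name": "A. Visitor",
    "contact": "07700 900000",          # constructed sample number
    "visit_date": NOW - timedelta(days=1),
    "arrival_time": "18:30",
    "marketing_opt_in": True,            # not permitted; must be dropped
}

SAMPLE_RECORDS = [
    minimise(SAMPLE_RECORD),
    {"name": "B. Visitor", "contact": "b@example.invalid",
     "visit_date": NOW - timedelta(days=21), "arrival_time": "12:00"},
    {"name": "C. Visitor", "contact": "c@example.invalid",
     "visit_date": NOW - timedelta(days=22), "arrival_time": "09:15"},
]


def purge_demo() -> Tuple[int, int]:
    """Run the purge over the sample set; returns (kept, removed)."""
    kept, removed = purge(SAMPLE_RECORDS, NOW)
    return len(kept), removed


if __name__ == "__main__":
    print("retention period (days):", RETENTION_DAYS)
    print("minimised record fields:", sorted(minimise(SAMPLE_RECORD)))
    print("kept, removed:", purge_demo())
```

The purge is meant to run on a schedule (daily is enough for a 21-day window); the boundary choice in `is_expired` is documented in the code so that the "after 21 days" reading is explicit rather than accidental.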

The guidance helps to illustrate how organisations now subject to a compulsory requirement to process visitors’ personal data can achieve compliance with data protection laws. Organisations should however ensure that they have suitable measures in place to implement the guidance and achieve the GDPR principles which underpin it, according to their own working practices.

If you have any questions about the data protection issues your organisation is facing in relation to contact tracing or your response to COVID-19, please contact our Technology, Data and Corporate Team.

This article is for general awareness only and does not constitute legal or professional advice. The law may have changed since this page was first published. If you would like further advice and assistance in relation to any of the issues raised in this article, please contact us today by telephone or email enquiries@sharpepritchard.co.uk.
