Collecting contact information for contact tracing – COVID 19
The Information Commissioner (ICO) has issued guidance on what organisations and businesses need to do if asked to collect contact information for the purposes of the contact tracing scheme.
The requirement is that those in the following sectors (whether they operate indoor or outdoor venues) should collect contact details from staff, customers and visitors:
- hospitality, including pubs, bars, restaurants and cafés
- tourism and leisure, including hotels, museums, cinemas, zoos and theme parks
- close contact services, including hairdressers, barbershops and tailors
- facilities provided by local authorities, including town halls and civic centres for events, community centres, libraries and children’s centres
- places of worship, including use for events and other community activities
Collection of personal data is subject to the Data Protection Act 2018.
What are the key points?
Communicate with the data subjects: When collecting data you must be clear open and honest about why the data is being collected, who you will share it with and how long you will keep it. When letting people know you must take into account who you need to communicate the message to so for example when communicating with children and young people make sure that the language used is appropriate to that age group.
What is the lawful basis for collecting the data? You may be aware that in general there needs to be a lawful basis for collecting personal data. In most cases you will be able to rely on the legitimate interest basis as it is in the interests of the individual, the organisation and public health in order to tackle Covid 19 to collect data. For close contact services and places of worship however the ICO states that the consent of the individuals should be obtained. This is because the information you may be asked to share is likely to only relate to a small number of people rather than a crowd.
What data should you collect? You should only collect data that is needed. This includes contact details and the date and time of arrival and (where possible) departure. In England this is only required for one person in a group but the guidance may be different in other nations in the United Kingdom. You should accurately record the information that you are given but there is no need to verify it by checking ID unless you would do this anyway such as when serving alcohol for example.
How should you keep that data? Anyone collecting or processing personal data is required to keep that data safe and secure. This means that you do need to make sure that your staff are aware of what you can and cannot do with the data and who you can share it with; the data should be kept secure – ie not in an accessible and open location; and the data should not be collected in an open access book such as a visitors book where anyone can see the data recorded.
How long should you keep the data for? In general you must not keep data for longer than is necessary for the purpose you collected it. In the case of contact tracing the ICO states that you should keep the data for 21 days and then you should dispose of it securely.
Who can you share the data with? Only with a legitimate Public Health Authority – there are very limited exceptions to this for example the Police as part of a criminal investigation. Be cautious about fraudsters and scammers.
Contact tracers will:
- call you from 0300 013 5000
- send you text messages from ‘NHStracing’
- ask you to sign into the NHS Test and Trace contact-tracing website
Contact tracers will never:
- ask you to dial a premium rate number to speak to them (for example, those starting 09 or 087)
- ask you to make any form of payment or purchase a product or any kind
- ask for any details about your bank account
- ask for your social media identities or login details, or those of your contacts
- ask you for any passwords or PINs, or ask you to set up any passwords or PINs over the phone
- disclose any of your personal or medical information to your contacts
- ask about protected characteristics that are irrelevant to the needs of test and trace
- provide medical advice on the treatment of any potential coronavirus symptoms
- ask you to download any software to your PC or ask you to hand over control of your PC, smartphone or tablet to anyone else
- ask you to access any website that does not belong to the government or NHS
Can you use the data collected for any other purpose? No.
If you have any questions about your responsibility to collect contact details in connection with the Contact Tracing app or about data protection issues generally…talk to Tollers on 01604 258558 and ask to speak to the commercial contracts team.