ICO publishes contact tracing guidance

What data can businesses collect from customers for contact tracing purposes?

The key takeaway
Organisations should collect only the information needed, as set out in the government guidance (eg names and contact details). Organisations should be transparent with customers, and carefully store the data they collect. The personal information collected as part of the contact tracing scheme should not be used for other purposes, and should be kept for no longer than necessary.

The background
The ICO has published initial guidance for businesses collecting customers’ personal data as part of the government’s contact tracing scheme. In line with supporting government guidance, the ICO has also created an online “Data protection and coronavirus information“ hub that seeks to help individuals and organisations with data protection queries during the coronavirus pandemic. 

The guidance
The guidance is laid out in five steps, as follows:

1. Ask for only what’s needed
Only ask for the specific information set out in the government guidance (eg names and contact details). Identity verification should not be requested unless this is standard practice for the business.
2. Be transparent with customers
Be clear, open and honest with people about what you are doing with their personal information. Tell them why you need it and what you’ll do with it. You could display a notice in your premises or on your website, or simply tell people. 
3. Carefully store the data
Any personal information collected must be securely maintained – this applies to both electronically held and paper-based information. 
4. Don’t use it for other purposes
Any personal information collected for contact tracing purposes should not be used for other purpose eg direct marketing, profiling or data analytics. 
5. Erase data in line with government guidance
Any personal data collected should not be kept longer than the government guidelines specify. Paper documents should be shredded, and electronic documents should be permanently deleted.

Why is this important?
Organisations should seek to ensure they follow the basic five steps laid out above to minimise the risk of breaching the GDPR rules. As part of the government’s COVID-19 contact tracing scheme, the ICO has published more detailed guidance than the above to assist those with limited experience of collecting and retaining personal data for business purposes – this includes for example the lawful basis for collecting the data, and the retention periods for the personal data. 

Any practical tips?
The guidance is essential reading for all those involved in contact tracing projects.  Remember also other sources of reference, including the Government’s NHS Test and Trace Guidance which place obligations on designated venues/businesses in certain sectors (eg hospitality) to collect customer, visitor and staff contact details for contact tracing purposes. Note that there is currently no such obligation on companies to trace employees.

If you have a confirmed positive case of COVID-19 in your workplace, then consult the  NHS Workplace Guidance, and if there is more than one case, you should contact your local health protection team (HPT) to report the suspected outbreak. The HPT will undertake a risk assessment, provide public health advice and where necessary, establish a multi-agency incident management team to manage the outbreak

Autumn 2020