Considerations for data protection in the age of track and trace

Last updated: 3rd July 2020

The Government has now released further guidance in relation to the personal data that organisations need to collect in order to assist with NHS Track and Trace.

Our initial summary below still stands but important detail has been added.

This includes:-

• The requirements apply to a whole range of sectors that provide “On Site Services”. These include pubs, bars, restaurants, hotels, cinemas, zoos, hairdressers and clothes outfitters. Businesses that don’t provide such an “on site” service (such as takeaways) are excluded.
• Data needs to be collected relating to staff as well as customers and visitors.
• Organisations need to keep records of the times and days their staff worked
• The name and contact phone numbers of all customers and visitors should be collected together with their arrival and departure times and the names of the staff who dealt with them. Where a group of customers is being serviced (for example in the case of a restaurant booking) then the details of one “lead” member of the party alone can be taken.
• The government will help by supplying a Notice for establishments to display.

Our points below continue to apply

• You will need to refer to the data collected for Track and Trace in your online Privacy Notice – so the Notice may need to be updated. You should also consider using the Government’s notice to display or to share with customers at the time of collection;
• The data will need to be collected and stored securely and confidentially – so staff training will be required to make sure this happens;
• The data should be used only for the purpose of complying with Track and Trace unless you have told your customers you will use it for another purpose. You will not be able to use it for marketing purposes, for example, unless you have permission to do so; and
• You will need to have a system in place to destroy the data securely once it is no longer required – likely to be after the 21 day period.

The Government’s latest Guidance on the reopening of restaurants, pubs, bars and takeaways introduces some important requirements relating to the collection of your customers’ personal data.

Under the Guidance you are required to collect “a temporary record” of all your customers and visitors and retain this for 21 days to assist with NHS Track and Trace.

The Guidance isn’t clear on the exact details you need to retain but we expect this would be names and contact details, such as an email or telephone number, for each customer or visitor.

The system is still very much a work in progress and the Government has committed to work with industry and to provide further details shortly. That said,  the contact details you collect will need to be dealt with in accordance with the law relating to data protection so you are almost certainly going to need to take account of the following:-

• You will need to refer to the data collected for Track and Trace in your online Privacy Notice – so the Notice may need to be updated. You should also think about drafting a short text explaining why this data is being collected to display or to share with customers at the time of collection;
• The data will need to be collected and stored securely and confidentially – so staff training will be required to make sure this happens;
• The data should be used only for the purpose of complying with Track and Trace unless you have told your customers you will use it for another purpose. You will not be able to use it for marketing purposes, for example, unless you have permission to do so; and
• You will need to have a system in place to destroy the data securely once it is no longer required – likely to be after the 21 day period.

As with so much relating to Covid, the situation is likely to change as more guidance is released by government and we will update as this occurs.

In the meantime please don’t hesitate to contact Napthens’ Commercial team if you have any questions relating to compliance with these requirements.