Coronavirus and the GDPR
As part of your response to the coronavirus (COVID-19) pandemic, you may have taken steps to discourage all but essential visitors to your place of work, and to collect data about those visitors you do meet. For the great majority of us, there is no law that says you must. Collecting data like this is voluntary, but if you do collect it, then the next question is: what should you do with it?
The GDPR and Data Protection Act allow you to collect this data, provided you tell the visitors what you are doing and why, and provided that the data you collect is adequate, relevant, and limited to what you need. That means you need to understand why you are collecting the data.
If the reason you are collecting the data is for test and trace purposes, then you will want a name and a telephone number for contact purposes, the date and time of the contact, and the person who was contacted within your organisation. So, think about the reasons you are collecting the data, and do not collect any data that you do not need for that purpose. Possibly, you might want to record which area of a building was visited.
It is important to understand that you are NOT collecting the data so that you may contact your visitor if COVID-19 has been discovered in your place of business. That would involve a data breach by you concerning the health of the person your visitor visited. You are collecting the information so that you can pass it on to the Government’s contact tracing personnel, who have the legal responsibility for tracing the contacts of an individual with a positive test result. More than that, understand that you will not be volunteering this data to the Test and Trace teams. You only share the data if you are asked for it through official channels.
With this under your belt, you are now able to explain why you are collecting the data to your contacts. This could be done verbally, but it may be a better idea to do it with a small note or card. You could set up a footer on your emails to explain your procedures to anyone you write to. Make sure however that the footer is reasonably prominent so that it will be read. Don’t hide it away in terms and conditions that nobody reads.
Any collection of data needs to have a legitimate basis. The justification for collecting names and contact details during the pandemic will be the interest of the individual to know that they have been in contact with an infected person during an “at risk” period, and the promotion of public health.
The issue then to address is how long to keep the data for. The Information Commissioner’s Office guidance is that the data should be kept for no longer than 21 days, based upon the fact that after that length of time the data will be redundant for the purpose for which it has been collected. If the data has been kept in a paper file, then shred the paper document. If the data has been kept digitally, say in an Excel spreadsheet, then irrevocably delete the spreadsheet. It will be as well to document the process that you intend to adopt, and then stick to it.
Bear in mind that if you do collect this data then your visitors will have the right to make a data subject access request – a request that you must respond to within 30 days or face a complaint to the Information Commissioner’s Office. The prospect of such a complaint might be remote – why would anyone in their right mind make a data subject access request of your business just because you noted down, out of concern for their well-being, their name and address so that the official track and trace team could contact them in case of need? The real risk of such a complaint is that you do not carefully dispose of the data at the end of the “at risk” period, so that it falls into the wrong hands, or you otherwise abuse the data, such as by using it for your marketing database.
So, in summary, if you are going to collect contact data, then
- Collect it carefully;
- Keep the minimum data necessary for the purpose you are collecting it;
- Don’t use the data for any other purpose – like updating your marketing database;
- Keep it no longer than you need it for that purpose and make sure that you destroy it as soon as that purpose has passed;
- Don’t share the information with anyone else unless it is to the proper authorities following a lawful request.
Please feel free to use the note we give to our visitors, set out below.
We have asked you to provide us with your name and a contact number in order that we can provide that information to the Department of Health through its Test and Trace service. We shall only provide the data to Test and Trace if we are asked for it. We shall not volunteer the data. By promoting the effectiveness of the scheme our aim is to protect your health and the health of those around you.
We shall not use the information for any other purpose, nor share it with anyone else, and we shall only keep the data concerning your visit for 21 days. At the end of 21 days we shall destroy the record.
For further advice in this area please contact Hamish Cameron Blackie, or your usual contact at GBH Law, who will be pleased to assist.