Coronavirus track and trace: 7 steps to complying with data protection law

The UK Prime Minister, Boris Johnson, announced on June 23, 2020, that restrictions relating to COVID-19 would be eased as of July 4, allowing certain businesses, including restaurants and pubs, to re-open in the UK. Notably, these businesses will be asked to assist in the government’s efforts to employ contact tracing of infected individuals.

Businesses in the UK will therefore be responsible for the additional collection and potential sharing of customers’ personal data. This is likely to apply not just in the hospitality sector but to retail, leisure, education, manufacturing and, indeed, to most businesses that have face-to-face contact with people. This requirement will challenge small businesses in particular, for whom additional data protection responsibilities must be added to a lengthy list of additional regulations and procedures for operating alongside the COVID-19 virus. 

This additional data collection will need to comply with the requirements of data protection law. The UK’s Information Commissioner’s Office (ICO) has said that it will take a pragmatic approach to enforcement during the pandemic, but it has also stated that it will take firm action against organisations exploiting the health crisis by misusing personal information. So, organisations need to take this seriously.

While the obligation may seem overwhelming for small (and not so small) businesses there are some sensible, practical steps businesses can take.

1 Collect only the minimum amount of information required

For the purpose of contact tracing all that is likely to be required is the customers' name, contact details such as phone number or email address as well as the date and time of their booking. Don't over complicate things by taking more details than you need.

2 Keep customers informed

Tell people why you are collecting their details, and what you will do with the information. This notice does not need to be lengthy, but transparency is important  - and is required by data protection law.

3 Keep the information secure

If you ask people to fill in a form, ensure that their details cannot be viewed (or photographed) by others.

4 Keep the data for as short a period as possible

The COVID-19 incubation period is 14 days. Some additional period should be allowed to enable the contact tracing process to operate, but the overall retention period should be short. The UK Government says that businesses should keep a temporary record of customers and visitors for 21 days, in a way that is manageable for their business, and assist NHS Test and Trace with requests for that data if needed. The important point is not to hold this data for any longer than needed. It will have been collected for a specific purpose - contact tracing - and cannot be used for other purposes, so it should be deleted promptly.

5 Delete data securely

The deletion of data must be undertaken securely. Throwing a paper record into a wastepaper basket is not sufficient, and may amount to a data breach.

6 Limit the use of the data

When collected for the purpose of contact tracing, the data cannot opportunistically be added to a general marketing database. If data are to be collected for marketing purposes, then the collection process must make this clear, and the appropriate consent must be obtained. Personal details for contact tracing should not be used for marketing by default. That would breach data protection laws in the UK, and customers are likely to be unimpressed.

7 Keep the process simple.

Keeping things simple will help make the process as painless as possible. And train staff. If staff are knowledgeable, they are likely to be able to reassure customers, earning their trust and defusing potential challenges.

Bridget Treacy is a GDPR and data privacy expert and partner at law firm Hunton Andrews Kurth. ​​​Visit its wider COVID-19 resource centre.​ ​