Contact Tracing: Complying with Data Protection Regulation

As businesses prepare to open up on 4 July, following the easing of lockdown restrictions, they are expected to have robust measures in place to curb the spread of COVID-19, including contact tracing. Collecting personal data as part of contact tracing is expected to create a data privacy minefield for some. So how can businesses navigate this minefield?

What is Contact Tracing?

Contact tracing, supported by the NHS Test and Trace service, is a vital strategy in the fight against COVID-19. It can help curb the spread of COVID-19 by tracing those who are showing symptoms as well as those who may have come into contact with an infected person and are at risk of becoming carriers. Contact tracing requires the collection and sharing of personal data, so it affects most businesses with face-to-face customers or visitors, including the hospitality, leisure and retail sectors.

Some businesses may already have systems and processes in place to collect personal data. For some small businesses, however, it will be an entirely new experience. Both will need to comply with data protection regulations while carrying out contact tracing.

Key Data Protection Requirements

Here is a refresher on the data protection requirements for businesses in the UK.

Data protection regulation in the UK

The UK data protection regime is set out in the DPA 2018, along with the GDPR (which also forms part of UK law). The DPA 2018 sets out the framework for data protection law in the UK. It updated and replaced the Data Protection Act 1998 and came into effect on 25 May 2018. It sits alongside the General Data Protection Regulation (GDPR) and tailors how the GDPR applies in the UK.

The Regulator

The Information Commissioner’s Office (ICO) maintains and enforces data protection regulation across the UK, including the GDPR. Awareness and understanding of data protection requirements are essential for businesses looking to prevent data breaches.

Lawful basis for the processing of personal data

Under the GDPR, the lawful bases for processing personal data are consent, contract, legal obligation, vital interests, public task and legitimate interests. Data collection for contact tracing is expected to be classed as a public task: a specific task in the public interest that is set out in law.

Six Tips on Collecting Data for Contact Tracing

So how can businesses fulfil the requirements for contact tracing while also complying with data protection regulations? Here are six helpful tips on collecting data for contact tracing.

1. Keep the process transparent: Tell your customers why you are collecting data and how the data helps with contact tracing.

2. Only collect the data you need: For contact tracing purposes, customers only need to provide details such as name, phone number and email address.

3. Keep the data secure: Invest in a secure data collection method or system to make sure the data you have collected is stored securely.

4. Be clear on retention policy: Government guidance requires businesses to keep a temporary record of customers and visitors for 21 days only.

5. Use the data only for the purpose collected: Personal data collected as part of contact tracing cannot be used for any other purpose, such as marketing, unless that purpose has been stated explicitly and consent has been given for it.

6. Don’t forget to delete the data: Any personal data must be securely discarded after 21 days.
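The six tips above are mostly engineering requirements on whatever system holds the visitor records: an allow-list of fields (tip 2), a retention clock (tips 4 and 6) and a purpose check on every read (tip 5). The following example, added here and not part of the article or of any VinciWorks or NHS Test and Trace software, shows a minimal visitor log that enforces those three controls. The field names, the timestamps and the sample visitors are constructed for illustration; only the 21-day retention period and the name/phone/email field set come from the article.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Tip 2: the only fields the article says contact tracing needs. Anything
# else a form or import hands us is dropped before it is stored.
ALLOWED_FIELDS = ("name", "phone", "email")
# Tips 4 and 6: government guidance quoted in the article.
RETENTION_DAYS = 21
# Tip 5: the single purpose these records were collected for.
PURPOSE = "contact_tracing"


@dataclass(frozen=True)
class VisitorRecord:
    name: str
    phone: str
    email: str
    collected_at: datetime  # timezone-aware; drives the retention clock
    purpose: str = PURPOSE


def minimise(raw: dict) -> dict:
    """Data minimisation: keep only allow-listed fields, in a fixed order."""
    return {field: raw[field] for field in ALLOWED_FIELDS if field in raw}


class ContactLog:
    """In-memory visitor log with minimisation, retention and purpose limits."""

    def __init__(self) -> None:
        self._records: list[VisitorRecord] = []

    def add(self, raw: dict, now: datetime) -> VisitorRecord:
        data = minimise(raw)
        missing = [f for f in ALLOWED_FIELDS if f not in data]
        if missing:
            raise ValueError(f"incomplete contact record, missing {missing}")
        record = VisitorRecord(**data, collected_at=now)
        self._records.append(record)
        return record

    def purge_expired(self, now: datetime) -> int:
        """Delete records older than RETENTION_DAYS; returns how many were removed."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        before = len(self._records)
        # A record collected exactly 21 days ago is treated as expired.
        self._records = [r for r in self._records if r.collected_at > cutoff]
        return before - len(self._records)

    def export_for(self, purpose: str) -> list[dict]:
        """Purpose limitation: release records only for the purpose they were collected for."""
        if purpose != PURPOSE:
            raise PermissionError(f"records were collected for {PURPOSE!r}, not {purpose!r}")
        return [{"name": r.name, "phone": r.phone, "email": r.email} for r in self._records]

    def __len__(self) -> int:
        return len(self._records)


def demo() -> dict:
    """Walk one constructed scenario through the log and return what happened."""
    t0 = datetime(2020, 7, 4, 12, 0, tzinfo=timezone.utc)  # constructed opening-day timestamp
    log = ContactLog()

    # Constructed sample visitor; the extra date_of_birth field must be dropped.
    first = {"name": "A. Visitor", "phone": "01234 567890",
             "email": "a.visitor@example.com", "date_of_birth": "1980-01-01"}
    log.add(first, t0)
    log.add({"name": "B. Visitor", "phone": "01234 098765",
             "email": "b.visitor@example.com"}, t0 + timedelta(days=10))

    purged_early = log.purge_expired(t0 + timedelta(days=20))  # nothing is 21 days old yet
    purged_late = log.purge_expired(t0 + timedelta(days=22))   # first visitor now expired

    try:
        log.export_for("marketing")
        marketing_blocked = False
    except PermissionError:
        marketing_blocked = True

    return {
        "minimised_keys": tuple(minimise(first).keys()),
        "purged_early": purged_early,
        "purged_late": purged_late,
        "remaining": len(log),
        "marketing_blocked": marketing_blocked,
        "tracing_export": log.export_for(PURPOSE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A real deployment would persist the log and run `purge_expired` from a scheduled job, but the shape is the point: minimisation at write time, a purge that is driven by the collection timestamp rather than by someone remembering to delete, and a purpose parameter on every export so that a marketing use is refused by the code rather than by policy alone.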

Contact tracing or not, compliance with data protection regulation is a vital requirement for most businesses. To mitigate the risk of compliance breaches, always follow best practice around data collection, perform regular audits of policies and processes, and continually review staff readiness.

Helpful resources:

COVID-19 secure guidance for employers, employees and the self-employed

NHS Test and Trace

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.



James

VinciWorks CEO, VinciWorks
