As we prepare for further measures to ease the current restrictions in place to curb the spread of the coronavirus, the government has confirmed that these restrictions are being eased with the support of the NHS' contact tracing system.
In guidance published yesterday, the government confirmed that establishments in certain sectors should collect details and maintain records of staff, customers and visitors in order to assist NHS Test and Trace in the event a customer or member of staff tests positive for coronavirus. A copy of the guidance can be viewed at - https://www.gov.uk/guidance/maintaining-records-of-staff-customers-and-visitors-to-support-nhs-test-and-trace?utm_source=e159c002-348d-40e9-892a-656cc5916a0f&utm_medium=email&utm_campaign=govuk-notifications&utm_content=immediate
Who does the guidance apply to?
The government guidance confirms that the following establishments should collect details and maintain records of staff, customers and visitors:
- Hospitality establishments including pubs, bars, restaurants and cafés;
- Tourism and leisure establishments including hotels, museums, cinemas, zoos and theme parks;
- Close contact services including hairdressers, barbershops and tailors;
- Facilities provided by local authorities, including town halls and civic centres for events, community centres, libraries and children's centres; and
- Places of worship, including use for events and other community activities.
What information should be collected?
The government guidance confirms that the following information should be collected by the establishment where possible:
- Staff:
  - the names of staff who work at the premises
  - a contact phone number for each member of staff
  - the dates and times that staff are at work
- Customers and visitors:
  - the name of the customer or visitor. If there is more than one person, then you can record the name of the 'lead member' of the group and the number of people in the group;
  - a contact phone number for each customer or visitor, or for the lead member of a group of people;
  - date of visit, arrival time and, where possible, departure time; and
  - if a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer.
Do we have to comply with the GDPR?
The information that is collected is personal data for the purposes of the General Data Protection Regulation (GDPR) and therefore is subject to the obligations set out in the GDPR and the Data Protection Act 2018. In response to this latest guidance, the Information Commissioner's Office (ICO) has published further guidance to assist establishments in understanding their obligations under the GDPR in relation to this information. This includes:
- Only ask individuals for the information set out in the guidance - In order to demonstrate compliance with the 'purpose limitation' and 'data minimisation' data protection principles set out in the GDPR, you should only ask visitors and staff for the specific information that has been set out in the government guidance.
- Be transparent about your collection and use of the information - You should be upfront, transparent and honest with individuals about why you are collecting the information and what it will be used for. This can be done by displaying a privacy notice in your premises, including it on your website or even by verbally informing individuals upon arrival. If you already collect visitor data for bookings, you should update your existing privacy notice to reflect the fact that their information may also be used for contact tracing purposes.
- Keep the information safe and secure - In order to comply with the 'security and integrity' data protection principle, you must ensure that the information you collect is kept safe and secure. This means keeping information secure on an electronic device if you're collecting the records digitally or, for paper records, keeping the information locked away.
- Do not use the information for any other purpose - In order to comply with the 'purpose limitation' data protection principle, you must only use the information you collect for the purposes of assisting NHS Test and Trace. For example, you must not use the details collected for marketing purposes (e.g. by adding them to your mailing list) unless you have requested consent from the individuals to do this.
- Do not keep the information for longer than necessary - In order to comply with the 'data retention' data protection principle, you must only keep the information collected for the period of time specified in the government guidance. The guidance confirms that in order to support NHS Test and Trace, you should hold records for 21 days. After 21 days, this information should be securely disposed of or deleted. When deleting or disposing of data, you must do so in a way that does not risk unintended access (e.g. shredding paper documents and ensuring permanent deletion of electronic files).
What information can be shared with NHS Test and Trace?
The government guidance confirms that NHS Test and Trace will ask for the records you have collected only where it is necessary, either because someone who has tested positive for coronavirus has listed your premises as a place they visited recently, or because your premises have been identified as the location of a potential local outbreak of coronavirus. The guidance goes on to say that you should share the requested information as soon as possible to help identify people who may have been in contact with the virus and help minimise the onward spread of coronavirus.
Additionally, guidance from the ICO confirms that data protection will not prevent organisations from sharing information with health authorities during the coronavirus pandemic. As employers and occupiers of premises, you have duties to ensure the health and safety of all your employees and visitors. There are many routes available to share such information, using some of the conditions and exemptions in the Data Protection Act 2018.
A copy of the guidance from the ICO is available to view here - https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/contact-tracing-protecting-customer-and-visitor-details/
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347.
Alternatively send any question through to Forbes Solicitors via our online Contact Form.