It is now a requirement for many organisations, including pubs and restaurants, to collect contact details of customers and staff for Covid-19 contact tracing purposes. As a result, those organisations must ensure that they comply with the stringent rules in the General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018 (DPA 2018).
What data should be collected for contact tracing purposes?
Article 5(1)(c) of GDPR states that personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. This is known as the data minimisation principle. Its effect is that you should only collect the data that you need to fulfil your purpose, and no more.
Organisations therefore need to consider exactly what data they need to collect for contact tracing purposes. A good start in this respect is to look at the Government guidance to see what data should be collected.
How long should you keep data collected for contact tracing purposes?
Article 5(1)(e) of GDPR (the storage limitation principle) makes it clear that data should not be kept for longer than is necessary for the purpose for which it was collected. What does this mean in the context of tracing data? Public health authorities have indicated that data should only be retained for 21 days, after which it should be disposed of securely.
Who can the data be shared with?
Any data collected for contact tracing purposes should only be shared with a legitimate public health authority. You cannot use the data for marketing or advertising: to do so would go beyond the purpose for which the data was collected and would therefore be a misuse of the data contrary to GDPR.
If you are contacted by a public health authority asking for the data, you need to satisfy yourself that the person requesting the data is legitimate. A number of individuals have been trying to scam organisations into disclosing personal data by claiming to be from a public health authority. Before disclosing anything, verify the request through the authority's published contact details rather than any number or address supplied by the person making the request.
How can Nelsons help?
Ruby Ashby is an Associate in our expert Dispute Resolution team.
If you are an organisation processing any kind of personal data, there are many rules and regulations you need to follow, and these can be complex and often confusing. If you are unsure about what you should or should not be doing, it is best to seek legal advice as soon as possible to ensure that you remain compliant with GDPR and DPA 2018.
For advice, please call 0800 024 1976 or contact us via our online enquiry form.