At the current time, the guidance from the UK Government is that businesses support the NHS and its Test and Trace process. Businesses are asked to collect and keep a record of visitor contact details for contact tracing. These details can be passed to the NHS if the business becomes aware of a Covid-19 incident. The European Data Protection Board (EDPB) has also issued similar guidance, stating:
“The use of contact tracing applications should be voluntary and should not rely on tracing individual movements but rather on proximity information regarding users.”
Who has been asked to support this scheme?
Businesses that provide ‘on site’ services and facilities that host events have been asked to take part, for example hospitality venues, hairdressers and places of worship. Takeaway-only services are not asked to collect contact details. More details and full examples of the types of business this list includes can be found on the Government’s website.
Data Protection Regulations
Businesses that choose to collect visitor contact details need to ensure that they understand the data protection regulations that apply. In the UK, this includes PECR, the Data Protection Act 2018 and GDPR. Typically, data will be collected and stored in a logical manner, which makes it easy to share data with the NHS for the Test and Trace scheme and to identify data that needs to be deleted. This method is classed as a filing system, so compliance with data protection regulation is needed.
How are businesses collecting and storing people’s contact details?
As a business owner that has been asked to collect visitor contact details, you can decide how you want to collect and store this information. This has, in many cases, added more burden to the array of administrative and protective tasks that business owners have had to complete to open their doors safely.
The MyLife Digital team has recently enjoyed some of the lockdown measures being lifted. They have been allowed out to research the different solutions that have been implemented to cater for contact tracing. The most frequently identified solutions are listed below. Each has its own strengths, weaknesses and risks.
- Paper ‘register’
- Text / WhatsApp message
- Booking system
- Apps to manage the ‘register’
Paper ‘register’
One of the simplest, but arguably the most admin-heavy, methods to implement has been the paper ‘register’ of visitors. This becomes more of an inconvenience as visitor numbers increase. With little effort needed to get up and running, many businesses have opted for an easy-to-use paper and pen approach. Whilst this is accessible to staff and the majority of visitors, it can be the riskiest. We have seen examples where this solution does not adhere to data protection regulations.
Storing data securely:
Often the register is left in plain sight of customers who can see other people’s contact information. This adds to the risk of a data breach and has already been reported in the form of data misuse. Keeping a paper register visible could lead to staff members or customers transferring contact details to their own phone and using them without permission.
Additional administrative work
Creating a paper form is not a big piece of work, but there are other processes that need to be completed to adhere to the guidelines.
- Deleting data after 21 days
  - If there has not been a Covid-19 incident and therefore the information is not needed for NHS Test & Trace, it must be securely destroyed after 21 days. Hopefully, most businesses are already conscious of securely destroying documents and understand the minimum best practice is to shred them.
- Sharing information with the NHS
  - If a business has decided to keep a paper register of visitors, they need to consider how this will be shared with the NHS. This may include inputting details into the NHS Test and Trace contact tracing website, although this can be time-consuming and a duplication of effort.
Text / WhatsApp message
Some businesses have asked their customers to send a text or other type of electronic message to a mobile phone as a means of checking in to the venue. We have seen that the mobile phone receiving the check-in details is often an old phone that has been reincarnated for this specific purpose.
Whilst this has the benefit that customers won’t see other people’s contact details, it has some of the same downsides as a paper register. It also relies on visitors having a mobile phone.
Booking system
Some businesses that had an online booking system in place prior to the pandemic are using this to act as a register of visitors. In this instance, the business is not holding personal data at the venue. Typically, this is available in larger venues and chains. It has benefits to both the business and customer as it is often the technology that was in use before the pandemic. Existing customers will be familiar with the process so it won’t seem strange to them. However, this doesn’t cater for walk-ins so might restrict already reduced visitor numbers.
There are a couple of concerns regarding the export of data for NHS Test and Trace purposes. It is unclear what process is in place for a business to access data when needed. When exporting data, the process needs to ensure that the data can be split by venue and that visitors who have opted not to be added to the contact register are not included in the report.
Contact Tracing Apps
Numerous apps that have been created for the purpose of capturing contact details for NHS Test and Trace have popped up in the last few weeks. They have the benefit of keeping data away from the venue. They were built in line with privacy by design principles and could help the business meet their compliance requirements. Before using such apps, business owners will need to complete some due diligence and identify those apps that have been created by reputable providers.
- A reputable provider will have a history of creating similar products and services
- The app provider is registered with Companies House (in the UK)
- Data protection principles have been accounted for
- The user experience is simple and slick for visitors
- A privacy notice is available to explain how data will be used
- Data must only be used as stated. If data is wanted for other purposes, a separate statement and possibly consent will need to be sought
Is ‘Do Nothing’ an option?
Currently, there is no legal requirement to collect any data for contact tracing from individuals. Businesses are advised to encourage visitors to give their details. If they don’t, there should be no legal repercussions for the business. In addition, an individual should not be forced into leaving their details. However, businesses do have a right to refuse entry should they feel this is necessary for the safety of their establishment and employees, such as beauticians. Where contact data is collected for another purpose, e.g. a booking, the visitor can still choose not to share their data with NHS Test and Trace.
MyLife Digital has been built on the fundamental concept that individuals should be at the heart of how organisations collect, use and share their data. We follow both a data protection and a privacy by design approach to ensure that our solutions are focussed on individuals first. Guestbook by MyLife Digital is our latest solution to help businesses and individuals work together to support the NHS Test and Trace service. We know from working with our customers that they want new and innovative methods of communicating with their own customers. Guestbook gives businesses the opportunity to ask for consent to send offers and promotions as a separate request to check-in for contact tracing. This is an optional request and doesn’t stop customers from simply using the app to check in to the venue.
For more information on how this works see: https://mylifedigital.co.uk/guestbook/