Processing Customer Data for COVID-19 Contact Tracing
14th September 2020
As we move forward in the lifting of COVID-19 restrictions, one of the recommended measures is for certain businesses to take contact details from customers and retain them for one month in the event that someone becomes ill and contact tracing by the health authorities is required.
This guide will help you to maintain records of customers who have visited your business while keeping their personal data safe. It will also help you to navigate your data protection obligations to protect your clients’ and visitors’ privacy rights whilst following government advice designed to help keep us all safe.
- Minimise the amount of data you collect – Only collect the details that you need to provide for contact tracing or compliance purposes, e.g. name, contact number, time and date of attendance. In the case of licensed premises, the sale of meals to patrons must be recorded for compliance purposes. Please note that this process does not require you to ask people to verify their identity, and customers should not be asked to do so.
- Be transparent with your customers about why you are collecting this data – You and your staff members should be able to explain clearly the purpose for collecting personal data. If you use an online booking system, information could be provided at this point to advise customers that their details will be retained for contact tracing.
- Store this information carefully – You do not necessarily need to use technology to store this information, but if you do decide to keep it electronically, ensure that the system you use is secure and delete the information at regular intervals when it is no longer required. Contact tracing details should not be kept in such a way that they are visible to other customers, and you must ensure that this information is kept securely and confidentially.
- Limit this data to the purpose for which it was collected – In particular, do not use this data for direct marketing purposes or to make contact with customers for any reason. Do not disclose this data to any third parties except the public health authorities who will request it for contact tracing purposes if necessary.
- Ensure you delete contact details when you are no longer required to keep them for contact tracing or compliance purposes – The current public health requirement is for a retention period of one month. Schedule deletion and destruction regularly and ensure the data is disposed of safely, shredding any manually held data if you choose to store it in this way. If storing electronically, remember to delete from your recycle bin and delete any cloud-based backup files.