Test and Trace Data Collection: What Has Changed?
10 Sep 2020
Last night, the UK government outlined changes to Test and Trace data collection. Coming into effect from the 18th of September, these changes will mean that data collection to enable NHS Test and Trace will become mandatory for certain types of businesses.
A key change was made to the obligations around the collection and storage of data for the NHS Test and Trace scheme. Currently, organisations can rely on consent or legitimate interest for the data they collect for NHS Test and Trace. This allowed data subjects the opportunity to reject the processing of their data for Test and Trace, or to choose not to provide their consent for this type of data processing.
As data collection will become mandatory under the COVID-Secure guidance provided by the UK Government, the appropriate lawful basis for the processing of Test and Trace data will change to ‘legal obligation’. Organisations will now be mandated to collect this data to enable Test and Trace to function. This places a burden on staff and complicates data protection compliance for organisations such as pubs and restaurants.
It is important to consider the data protection principles when implementing a Test and Trace program. Here are some steps your business can take to ensure you stay accountable and transparent when collecting and storing this data:
- Document this processing: Ensure that you update your record of processing activities to reflect this new processing activity.
- Only collect what is required: Only collect the data that you need to ensure compliance with the COVID-Secure guidance from the UK Government. Currently, the name of one member of the party and a contact number are all that is required.
- Only use the data for its intended purpose: Do not use data collected for Test and Trace for any other purpose unless you seek the appropriate permissions.
- Keep the data secure: Ensure your method for collecting and storing Test and Trace data is secure to minimise the risk to your business. Do not use a form where data could be visible to every visitor to your venue. Only access the data if requested to do so by NHS Test and Trace!
- Dispose of the data correctly: Ensure that you are only keeping this data for 21 days, as required by the UK Government. Have a documented process for data destruction, whether that is a log of who shredded your paper copies, or documentation outlining your technical solution and how it ensures data is only retained for 21 days.
- Be prepared to respond to Subject Access Requests: Ensure you know how to handle a SAR and have a process in place to manage such requests.
The Government announcement can be seen here: https://www.gov.uk/government/news/coronavirus-covid-19-what-has-changed-9-september
The DMA will keep you updated with changes to this guidance as the UK Government releases more advice. If you have any questions relating to the government Test and Trace scheme, please feel free to email me at George.Jones@dma.org.uk