How to... meet contact tracing requirements

Displaying an NHS Test and Trace QR code is now mandatory for these businesses as it will help the government with take-up of its NHS contact tracing app.

Businesses will be charged fees ranging from £40 to £2,900 by the ICO. Most will have never had to register before, so the cost is not something for which they will be prepared.

All of these businesses are now open to scrutiny around how they handle customer data and to the threat of prosecution by the ICO, which has many powers, including fines and even criminal action for non-compliance.

How to meet your contact tracing responsibilities

1 Use appropriate ways to capture and store check-in data

Think about how the check-in will work at your premises and what will be practical for your customers, remembering that not all customers will have smartphones. An advance booking system might be desirable to control numbers and maintain distancing.

Businesses must now register for and display an NHS Test and Trace QR code for their premises. This allows customers the option to check in by scanning the code, but not all customers will be able to use this.

Having customers complete a form themselves, whether online or on a check-in card, can help to ensure that the information is accurately captured. Asking staff to write down details or enter them into a system is more prone to error.

It seems easy for a small business to collect customer check-ins on a sign-in sheet, but that doesn't protect the data from misuse and exposes the contact details collected to other customers.

Simple check-in cards may be practical in some settings. They are a good way for customers without a smartphone to provide their details.

2 Set up staff protocols and train staff

Businesses have to make sure customer data is kept secure so it can't be accessed and abused. It also can't be used for other purposes, such as marketing.

This involves what privacy professionals call technical and policy controls. Technical controls include limiting access to the systems so that only appropriate staff have access to customer information.

Policies should be published explaining how staff can prevent the abuse of the data. Make sure to arrange staff training so everyone understands what they need to do.

3 Let customers know what you are doing with their data

Make sure you display a privacy notice, making it clear exactly what you are doing with customer data.

When you reuse advance booking data to speed things up, you have to let customers know you are doing this.

When you're asking for their data, customers must be told why their data is being collected, how it will be protected and for how long it will be kept.

It should also be made clear that it will be shared with the NHS Test and Trace system when required.

4 Only collect the data you need, nothing more

Only the required information should be collected and stored for Test and Trace. This includes arrival time and, where appropriate, departure time. Knowing these times helps to reduce the number of people who have to be contacted if it's necessary to trace people later.

5 Don't forget to delete the data

Data held for Test and Trace must be deleted after 21 days, so businesses need to put a process in place to remove older data regularly. They might consider whether to record that this exercise has taken place on a simple log so that someone else can monitor the process without access to the data.

Andrew Sharp is practice lead at data privacy firm Securys

Photo: Shutterstock