insideKENT Magazine Issue 101 - September 2020 | Page 126

BUSINESS

Supporting the Test and Trace programme – what should businesses do?

by Robert Reynolds, regional managing partner, Wilkins Kennedy, Ashford Office

AS THE COUNTRY EASES OUT OF SOCIAL AND ECONOMIC LOCKDOWN MEASURES, AND MORE BUSINESSES ARE OPENING BACK UP, BUSINESSES IN CERTAIN SECTORS HAVE BEEN ASKED TO COLLECT DATA FROM THEIR CUSTOMERS TO SUPPORT THE TEST AND TRACE PROGRAMME. This can be seen as a daunting prospect for small organisations who are not familiar with the data protection laws.

What is the Test and Trace programme?

On 28 May, the NHS Test and Trace service was launched and has become a crucial element of the Government’s national strategy to reduce the spread of COVID-19. The service ensures anyone who develops COVID-19 symptoms can be tested quickly, and traces close recent contacts of anyone who tests positive, notifying them so they can self-isolate.

What have businesses been asked to do?

To help with the programme’s success, the Government have set out a new business plan, requesting businesses to collect contact details of customers and/or staff in their establishment, including time of entry and departure (if possible). Participation is voluntary when collecting this data, however, it should be encouraged as it can ultimately help to contain clusters or outbreaks of COVID-19.

Which sectors do the regulations apply to?

The sectors that need to comply with these regulations differ, depending on whether the business is located in England, Scotland or Wales. It is particularly relevant to the hospitality, tourism and leisure sectors.

What data should businesses collect?

Businesses should only collect the minimum data necessary in order to contact someone. For example:
• Name.
• Contact telephone number. (If this is not available, an email address or mailing address).
• If a group arrives, the number of people in the group. (Only one person’s details need to be noted).
• Time of entry.
• Time of departure (if possible).
• If a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer.

What are the data protection implications?

As this is a new activity, businesses should follow their usual data protection procedures. Specifically, they need to:
• Document the legal basis for processing this data.
• Update their privacy policy.
• Update their information asset register / data flow documentation.
• Inform their customers and staff.
• Ensure this fits in with their response to the rights of individuals, e.g. subject access requests and correcting data.
• Use the data collected ONLY for the stated purpose. They should not use the data collected for a different purpose, e.g. marketing.

If businesses have no current data protection processes in place, this can be a daunting prospect. They should focus their attention on the following:
• Understand whether they now need to register with the ICO. The vast majority of businesses will already be registered.
• Document the legal basis for processing data.
• Document the data flow of the data – Where do they get it from? Where is it stored? Who has access to it? When is it destroyed?
• Create or update their privacy policy.
• Understand how they need to respond to the rights of individuals, for example a subject access request.

Sharing data with the NHS

In certain instances, and only when necessary, the NHS may ask for a copy of the data collected. This is either because someone has tested positive for COVID-19 who listed the business’s premises as a place they visited recently, or because the premises has been identified as the location of a potential local COVID-19 outbreak. Businesses should only share data with the NHS when asked to do so, sharing only the limited amount that is requested through a secure method, and they must ensure they are speaking to a bona fide member of the Test and Trace team.
Retention / deletion

Businesses should only keep the data they have collected for the time period requested. After this period, they should completely delete this data. If it is then still held on back-up systems, businesses need to document this in their information asset register or data flow documentation.

Doing our part

We all need to do our part to bring this virus under control, and contact tracing is a key component of this. Collecting any personal data does, however, put certain obligations on a business, not just according to laws such as the GDPR, but also to foster trust with their customers.

Information in this article was correct at the time of publication. Due to the fast changing nature of COVID-19 related advice and guidance please consult our website for regular updates. If you would like further information or need clarity on the next best steps for your business, please contact us.

Local offices:
Ashford: 01233 629 255 / Canterbury: 01227 454 861
Maidstone: 01622 690 666 / Orpington: 01689 827 505
Sandwich: 01304 249 997
[email protected]
www.wilkinskennedy.com
wilkinskennedy