How does GDPR and contact tracing affect your business?

Moai Team

Stopping the spread of COVID-19 may rely on gathering personal information, to trace contact with those infected. So how can your business do this and respect data protection regulations, and people’s privacy?

The Information Commissioner’s Office (ICO) has produced a raft of guidelines for businesses required to collect customer data as part of the government’s contact tracing scheme. The key thing to note is that our data protection regulations – chiefly the GDPR (General Data Protection Regulation, in force since May 2018) – do not prevent you from collecting and using data, but do require that the collection is lawful and fair, and that you tell your customers/visitors what you are doing. The ICO notes that:

“the information you collect [must be] adequate, relevant and limited to what you need. It must be accurate and not used for anything else. You should also keep it secure, so you minimise the risk of accidentally losing or destroying it.”

The principles are pretty clear, and relate to what an average consumer would be comfortable with.

You are operating within the guidelines if:

  • ✔ You are only taking the information you need for a clearly stated purpose
  • ✔ You are asking people to opt in and making it clear what they are consenting to
  • ✔ You can reassure customers that you won’t lose their data or share it beyond that purpose

What does that mean for your business, with the rise of COVID-19?

  • You must be clear and honest about the purpose of all data collection

Let customers know that it is only for the purposes of contact tracing – the schemes established by the four UK government administrations. You should also let people know how long you are planning to keep the data and how they can exercise their rights over it, for example by requesting a copy. To be clear: data collected for COVID-19 contact tracing must NOT be reused for anything else, such as adding customer details to your marketing lists. Doing so would breach the GDPR’s purpose limitation principle, and the ICO can issue substantial fines to data controllers who breach their responsibilities. If you want to avoid mixing up data sets and carrying that risk, the Moai app can help.

  • You can ask people for the adequate information

This will vary depending on the contact tracing scheme’s requirements. Some schemes in England require you to record names, contact numbers, the date and time of the visit, and even the staff member who served the customer. Check the local government websites for specific information on what is needed where you are.

  • You should keep it limited

You don’t need your customer’s healthcare history or shoe size; ensure you are collecting only what is needed.

  • It should be accurate

While this is voluntary, and you can only do so much to ensure people don’t give you false information, keeping your process simple and being clear about the purpose (to keep people safe, and only where necessary) should help.

  • You must keep it secure

Keep physical and/or digital records safe and securely stored (a paper sign-in sheet left open on the counter lets every customer read the previous ones), and make sure all staff are trained on the new procedures and their responsibilities under the law.

The ICO recommends that the data is kept for no more than 21 days and then securely deleted or destroyed.

Using customer data

As a business owner, you should only share this data with a legitimate public health authority, and only if it is requested. NHS Test and Trace may get in touch to ask for these records if someone who visited your premises has tested positive for COVID-19. More details can be found on the government website. Be sure you are speaking to legitimate contact tracers before handing anything over: verify the request through the official channels listed on the government website rather than trusting a caller’s own claim, since a request for customer names and phone numbers is exactly what a scammer would ask for. Sharing records with anyone else would breach your data protection obligations.

Secure contact tracing using the Moai app

One way to be certain that customer data is collected securely and usefully is to use the app from Moai. With this approach no personal data needs to be held by your organisation at all. The app encrypts data at every stage, so the user – your customer – need not worry about their personal information being leaked or misused. They simply scan a QR code at your premises and, should it be necessary, they will be contacted automatically if someone else who scanned the same code in the same time period reports a positive COVID-19 test result.