Covid 19 - What you need to know - Data Collection Guidance Published
On Thursday (2nd July) the Government published guidance to industry in relation to the data collection referenced in earlier guidance.
This requirement, which is included in guidance and not specified in regulation, has been the cause of much discussion following publication of the guidance on 23rd June.
The new supplementary guidance, which can be found here, addresses the keys issues of what information is expected to be captured and the impact of the GDPR (General Data Protection Rules) on this task.
The guidance advises the following data should be collected (for both staff and customers):
- the names of staff who work at the premises
- a contact phone number for each member of staff
- the dates and times that staff are at work
Customers and Visitors
- the name of the customer or visitor. If there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group
- a contact phone number for each customer or visitor, or for the lead member of a group of people
- date of visit, arrival time and, where possible, departure time
- if a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer
No additional data should be collected for this purpose. We expect that the clarity in respect of ‘lead members’ will be generally welcomed by Operators.
The advice goes on to say:
“Recording both arrival and departure times (or estimated departure times) will help reduce the number of customers or staff needing to be contacted by NHS Test and Trace. We recognise, however, that recording departure times will not always be practicable.”
What if customers will not co-operate?
It is stressed that the provision of this information is voluntarily and customers cannot be compelled. Businesses are advised:
“If a customer or visitor informs you that they do not want their details shared for the purposes of NHS Test and Trace, they can choose to opt out, and if they do so you should not share their information used for booking purposes with NHS Test and Trace.
The accuracy of the information provided will be the responsibility of the individual who provides it. You do not have to verify an individual’s identity for NHS Test and Trace purposes.”
The GDPR (General Data Protection Rules)
The data that you are asking you to collect is personal data and must be handled in accordance with GDPR to protect the privacy of your staff, customers and visitors.
The guidance advises that the collection of this data is not inconsistent with the GDPR generally, when done properly and where collected data is kept secure.
The guidance repeats your responsibilities in relation to the GDPR. It advises that you do not have to inform every customer individually and suggests the display of a notice at your premises or on your website setting out what the data will be used for and the circumstances in which it might be accessed by NHS Test and Trace will be sufficient (a template notice will follow, promises the guidance). Considerations of those who may be visually impaired or unable to read English must be considered, as always.
The guidance also focuses upon the process which will be adopted if the NHS Track & Trace wish to access this information. It sets out how a business will be contacted and the process which will be followed; in order to avoid unscrupulous parties ‘tricking’ premises into sharing this data with them. This section should be particularly closely reviewed by all Operators ‘data controllers’.