COVID-19 contact tracing: ICO confirms collecting customer data is as easy as ABC(DE)
The ICO has issued guidance for organisations who need to collect customer and visitor information to support COVID-19 contact tracing.
The guidance sets out 5 steps businesses should take:
- Ask for only what’s needed - only ask for specific information set out in government guidance. You should only verify someone's identity if this is standard for your business, for example, ID checks for age verification in pubs.
- Be transparent with customers - clear, open and honest communication with people about what you are doing with their personal information is key. Individuals should know what data they need to provide and why. This can be done through a notice, website information and/or telling people in person. If you already collect personal data for bookings, you must explain that the data may also be used for contact tracing.
- Carefully store the data. Organisations should do this anyway, so utilise any data storage methods you already use.
- Don’t use the data for other purposes. The ICO gives examples of direct marketing, profiling or data analytics.
- Erase the data in line with the government guidance. This applies to both paper and electronic records.
Comment
The guidance is welcome as various industries, for example hospitality, pubs and restaurants, began reopening on 4 July. The guidance reflects good and simple principles for data processing.
As the guidance notes, any new processing to aid contact tracing does not need to be complicated. The method used should be what best suits the business. You must protect any data collected in the same way as other types of data. Clear and open communication will help reduce the risks of complaints, data breaches and/or adverse publicity.