Privacy & Information Security Law Blog

The UK Prime Minister, Boris Johnson, announced on June 23, 2020, that restrictions relating to COVID-19 would be eased as of July 4. Although many measures remain in place to prevent the virus’ spread, certain businesses, including restaurants and pubs, will be able to reopen in the UK, with the recommendation that staff-customer contact be minimized.

Notably, the Prime Minister stated that businesses will be asked to assist in the government’s efforts to employ contact tracing of infected individuals. Mr. Johnson stated: “We will ask businesses to help NHS Test and Trace respond to any local outbreaks by collecting contact details from customers, as happens in other countries, and we will work with the sector to make this manageable.” Establishments and companies in the UK will therefore be responsible for the additional collection and potential sharing of customers’ personal data. Going forward, this type of additional data collection is likely to be applied not only in the hospitality sector but also in the education, retail and manufacturing sectors, as they reopen.

Any entity engaging in this kind of data collection will need to comply with the requirements of data protection law. Although the UK Information Commissioner’s Office (“ICO”) has advised that it will be taking a pragmatic approach to enforcement during the pandemic, it also has stated that it will take firm action against organizations exploiting the health crisis by misusing personal information. Organizations assisting with contact tracing efforts or implementing their own should therefore take care to ring-fence the data collected for these purposes and not use it for incompatible purposes, such as direct marketing.

All collection of personal data, including contact tracing-related collection, should be carried out in compliance with the data protection principles set out under the EU General Data Protection Regulation and UK Data Protection Act 2018, including the principle that processing should be lawful, fair and transparent. For example, organizations must ensure that individuals are appropriately informed of how their personal data will be used. A supplementary privacy notice setting out the contact tracing process should be available to employees and consumers, including information regarding, for example, how the data is used, with whom it may be shared and for how long it will be retained.

Collection should also be kept to a minimum, as required by the data minimization principle. In this context, the data collected should be limited to that which is strictly necessary for the purposes of notifying individuals in the event of an infection. Personal data also should not be retained beyond a reasonable period. For these purposes, the appropriate retention period will be the period during which notification of a new infection may be possible. Given the generally accepted 14 day incubation period of the virus, data collected for contact tracing purposes likely can be deleted within weeks. In New Zealand, which has implemented a similar system, this data is required to be deleted within eight weeks. Additionally, the New Zealand Privacy Commissioner has issued practical guidance.

Depending on the nature of data collection, additional measures may be required to keep the data secure. For example, when recording the movements of individuals electronically, appropriate security measures should be put in place to protect the data, particularly if it includes location or tracking data.

Those collecting data should also consider how such collection fits into their overall framework of data protection compliance. For example, data processing inventories may need to be updated, and, where warranted by the collection of health data, the nature or volume of collection or likely use, a data protection impact assessment may be required. The greatest challenge, however, will be for small businesses for whom additional data protection responsibilities must be added to a lengthy list of additional regulations and procedures for operating during the pandemic.

Update: On July 2, 2020, the ICO published new guidance on protecting customer and visitor details when assisting with the government’s test and trace scheme. The ICO’s Deputy Chief Executive, Paul Arnold, stated: “For the public health benefits to be realised from these new measures it is important people feel able to share their personal data with confidence. So people can have this trust and confidence in the way their personal data will be kept safe and used properly as they prepare to return to their favourite pubs, restaurants and local businesses, we want to help businesses to get things right first time as they adapt to new ways of working.”

View the ICO’s guidance on assisting the government with contact tracing.