As lockdown restrictions are gradually relaxed and businesses slowly begin to resume their activities, the UK Information Commissioner (ICO) has published guidance for organisations planning to collect personal data of their staff, customers and visitors for the first time, to assist with the UK’s various contact tracing schemes.
The ICO recommends five steps to ensure that such measures do not raise data protection issues:
- Businesses should only ask people for what is needed, in other words, the specific information set out in Government guidance (e.g. names and contact details). Identity verification should not be requested unless this is standard practice for the business.
- Businesses should also be clear, transparent and up-front with people about what their personal information will be used for. This means that businesses should tell individuals why they need their data and what they plan to do with it, including the fact that it may be used for contact tracing. The ICO suggests that this can be achieved in various ways, for example, through notices on websites or in premises, or simply by telling people.
- Any personal information collected must be securely maintained (this applies to both electronically held and paper-based information).
- Any personal information collected for contact tracing purposes should not be used for other purposes, such as marketing.
- Any personal data collected should not be kept for longer than required by the Government guidelines. Electronic documents should be permanently deleted and paper documents shredded once they are no longer needed.
Deputy Chief Executive Paul Arnold issued a statement in respect of the ICO's advice, noting: “For the public health benefits to be realised from these new measures it is important people feel able to share their personal data with confidence. So people can have this trust and confidence in the way their personal data will be kept safe and used properly as they prepare to return to their favourite pubs, restaurants and local businesses, we want to help businesses to get things right first time as they adapt to new ways of working.”
He also noted, however, that while the ICO’s aim is to support organisations to handle people’s personal data responsibly, the ICO will also take action where inappropriate handling of personal information is found.
It will be interesting to see how businesses adapt in practice to the challenges of collecting and using personal information to assist them in re-opening safely to the public.
We appreciate the challenge that many small businesses face in introducing unfamiliar arrangements at speed. Our focus is on supporting and enabling them to handle people's data responsibly from the outset and, while we will act where we find serious, systemic or negligent behaviour, our aim is to help the thousands of businesses that are doing their best to do the right thing.