insideKENT Magazine Issue 101 - September 2020 | Page 126
BUSINESS
Supporting the Test and
Trace programme – what
should businesses do?
by Robert Reynolds, regional managing partner,
Wilkins Kennedy, Ashford Office
AS THE COUNTRY EASES OUT OF SOCIAL AND
ECONOMIC LOCKDOWN MEASURES, AND MORE
BUSINESSES ARE OPENING BACK UP, BUSINESSES
IN CERTAIN SECTORS HAVE BEEN ASKED TO
COLLECT DATA FROM THEIR CUSTOMERS TO
SUPPORT THE TEST AND TRACE PROGRAMME.
This can be seen as a daunting prospect for
small organisations who are not familiar with
the data protection laws.
What is the Test and Trace
programme?
On 28 May, the NHS Test and Trace service
was launched and has become a crucial element
of the Government’s national strategy to reduce
the spread of COVID-19. The service ensures
anyone who develops COVID-19 symptoms
can be tested quickly, and traces close recent
contacts of anyone who tests positive, notifying
them so they can self-isolate.
What have businesses been asked
to do?
To help with the programme’s success, the
Government have set out a new business plan,
requesting businesses to collect contact details
of customers and/or staff in their establishment,
including time of entry and departure (if possible).
Participation is voluntary when collecting this
data, however, it should be encouraged as it can
ultimately help to contain clusters or outbreaks
of COVID-19.
Which sectors do the regulations
apply to?
The sectors that need to comply with these
regulations differ, depending on whether the
business is located in England, Scotland or Wales.
It is particularly relevant to the hospitality,
tourism and leisure sectors.
What data should businesses collect?
Businesses should only collect the minimum data
necessary in order to contact someone. For
example:
• Name.
• Contact telephone number. (If this is not
available, an email address or mailing address).
• If a group arrives, the number of people in
the group. (Only one person’s details need to
be noted).
• Time of entry.
• Time of departure (if possible).
• If a customer will interact with only one
member of staff (e.g. a hairdresser), the name
of the assigned staff member should be recorded
alongside the name of the customer.
What are the data protection
implications?
As this is a new activity, businesses should follow
their usual data protection procedures.
Specifically, they need to:
• Document the legal basis for processing
this data.
• Update their privacy policy.
• Update their information asset register / data
flow documentation.
• Inform their customers and staff.
• Ensure this fits in with their response to the
rights of individuals, e.g. subject access requests
and correcting data.
• Use the data collected ONLY for the stated
purpose. They should not use the data collected
for a different purpose, e.g. marketing.
If businesses have no current data protection
processes in place, this can be a daunting
prospect. They should focus their attention on
the following:
• Understand whether they now need to register
with the ICO. The vast majority of businesses
will already be registered.
• Document the legal basis for processing data.
• Document the data flow of the data – Where
do they get it from? Where is it stored? Who
has access to it? When is it destroyed?
• Create or update their privacy policy.
• Understand how they need to respond to the
rights of individuals, for example a subject
access request.
Sharing data with the NHS
In certain instances, and only when necessary,
the NHS may ask for a copy of the data collected.
This is either because someone has tested positive
for COVID-19 who listed the business’s premises
as a place they visited recently, or because the
premises has been identified as the location of
a potential local COVID-19 outbreak.
Businesses should only share data with the NHS
when asked to do so, sharing only the limited
amount that is requested through a secure method, and they
must ensure they are speaking to a bona fide member of the
Test and Trace team.
Retention / deletion
Businesses should only keep the data they have collected for
the time period requested. After this period, they should
completely delete this data. If it is then still held on back-up
systems, businesses need to document this in their information
asset register or data flow documentation.
Doing our part
We all need to do our part to bring this virus under control,
and contact tracing is a key component of this. Collecting
any personal data does, however, put certain obligations on
a business, not just according to laws such as the GDPR, but
also to foster trust with their customers.
Information in this article was correct at the time of publication.
Due to the fast changing nature of COVID-19 related advice
and guidance please consult our website for regular updates.
If you would like further information or need clarity on the
next best steps for your business, please contact us.
Local offices:
Ashford: 01233 629 255 / Canterbury: 01227 454 861
Maidstone: 01622 690 666 / Orpington: 01689 827 505
Sandwich: 01304 249 997
[email protected]
www.wilkinskennedy.com
wilkinskennedy
126