It’s now a legal requirement for certain businesses to collect customer, visitor and staff contact details for contact tracing purposes, although the position varies between England, Wales, Scotland and Northern Ireland.
Businesses should therefore check the government guidelines for where they operate to determine whether it’s necessary for them to do this. The Information Commissioner’s Office (ICO) has now issued data protection guidance for businesses that are mandated to collect this personal data.
How Can Businesses Ensure They Handle Data Responsibly?
The guidance advises that compliance does not need to be complicated and businesses should follow five simple steps to handle personal data responsibly. They must:
- only ask people for the specific information that has been set out in government guidance
- be clear, open and honest with people about what is being done with their personal data
- keep people’s data secure – businesses should not use open logbooks, and should ensure their customers’ personal data is kept private
- not use the personal data collected for contact tracing for other purposes, such as direct marketing, profiling or data analytics
- securely erase or dispose of the personal data collected after 21 days, in line with government guidance.
The ICO’s guidance also confirms that businesses do not have to ask people for their information if individuals are using a contact tracing app to check into venues. However, they should not make the use of contact tracing apps mandatory, i.e. they should offer people options for providing their details for contact tracing purposes.