Contact tracing for licensed premises: what you need to know
On Tuesday 23 June, the Prime Minister announced that the Government intends to ‘unlock’ significant aspects of the lockdown with effect from 4 July 2020.
Among the business allowed to re-open will be restaurants, pubs, social clubs and community centres. Sadly ‘close proximity’ venues including nightclubs – many of which have been at the centre of reinfection spikes around the world – will remain closed for now. Quite how a ‘nightclub’ will, in the expected legislation, be distinguished from pubs and bars remains to be seen.
The announcement also included reference to a requirement that businesses “help NHS Test and Trace respond to any local outbreaks by collecting contact details from customers“. That particular requirement appears to have taken many by surprise – perhaps even the Information Commissioner’s Office. In a statement to The Guardian, the ICO said that they were “assessing the potential data protection implications of this proposed scheme and [are] monitoring developments“.
This ought not to have come as a surprise: similar measures have been adopted as lockdowns have been eased elsewhere in the world, including in New Zealand and Switzerland.
Still, as if licensed premises didn’t have enough on their plate right now, data protection rules must now be added to their burden. And with only days to go before ‘Super Saturday’, the Government has not published any guidance on how licence holders are expected to contribute to the contact tracing process. That said, the ICO has just published guidance for businesses on re-opening.
To make things a little easier, here are the key messages for licence holders:
Only collect the minimum amount of information necessary for contact tracing. The necessary information appears to be limited to a person’s full name, contact phone number or email address and the date and times of their visit. Collecting anything more puts you at risk of breaching data protection law – especially if that includes recording any information about a person’s health condition.
Tell customers what data you are collecting and why. One important requirement of data protection law is to provide a privacy notice which tells people what information about them you are collecting, why you are collecting it and what will happen to it (principally who it will be shared with and how long you will hold onto it for). This can be done by a notice on your website and displayed at the entrance to your premises. A suggested wording could be:
This information is being collected to assist the NHS Test and Trace service for tracing close recent contacts of anyone testing positive for coronavirus. It will be given to NHS Test and Trace on request in the event that it is required for contact tracing purposes. We will not use it for any other purpose, and will destroy it after eight weeks.
It will be kept here at [name of premises]. You have a right to access and correct any information we hold about you. For any questions about this notice please contact [email address/phone number]
Keep that information securely. It is likely that the information will need to be compiled and entered manually, probably onto a spreadsheet, or potentially in a paper record. Make sure that the record, wherever it is maintained, is only accessible by members of staff who need access to it. As a minimum, it should be locked away when not in use and stored on a password-protected (and ideally encrypted) device.
Only use that information for contact tracing. Don’t be tempted to use this information as a ‘customer database’ – this information should be kept entirely separate.
Don’t hang onto the information. You should only hold the information for as long as it is needed – and no longer. At the moment the government has not advised how long such records should be held, but a retention period of around eight weeks ought to be sufficient to enable the information to be used in the event of a local outbreak – after which time it should be securely disposed of.