ICO initial guidance for collecting personal data for contact tracing purposes


Further to the webinar I ran on the 29th June, the ICO have now published a statement and some pointers on appropriate data protection compliance in light of the government’s Coronavirus guidance requiring bars, pubs, cafes, restaurants, etc. (which are able to open from 4th July) to record customer and visitor contact data in case it is required for NHS Test & Trace contact tracing purposes.

The ICO statement points to the need to protect personal data, indicates that further government guidance will be forthcoming, and shows that the ICO wish to take a pragmatic approach to enforcement, supporting rather than fining (unless there is a serious breach):

“For the public health benefits to be realised from these new measures it is important people feel able to share their personal data with confidence. So people can have this trust and confidence in the way their personal data will be kept safe and used properly as they prepare to return to their favourite pubs, restaurants and local businesses, we want to help businesses to get things right first time as they adapt to new ways of working.

“We’ve published ICO advice – clear, simple steps that businesses can take as they introduce customer and visitor records. And we’ll be supporting government guidance with a series of Q and As on our coronavirus online hub that will give more detail. We also have a team of experts offering advice and support through our small business helpline.

“We appreciate the challenge that many small businesses face in introducing unfamiliar arrangements at speed. Our focus is on supporting and enabling them to handle people’s data responsibly from the outset and, while we will act where we find serious, systemic or negligent behaviour, our aim is to help the thousands of businesses that are doing their best to do the right thing.

“We’ll continue to update our guidance on this and other coronavirus-related data protection issues on our dedicated web hub.”

In its initial “Contact tracing – protecting customer and visitor details” guidance, the ICO set out the 5 key steps to compliance (all of which were covered in my webinar on the 29th June):

  1. Only ask for data that is needed
  2. Be open and transparent about what you’re collecting the data for
  3. Carefully store the data
  4. Don’t use it for other purposes (unless it’s lawful (consent) for you to do so)
  5. Erase the data in line with government guidelines (currently 21 days)
