Further to the webinar I ran on the 29th June, the ICO have now published a statement and some pointers on appropriate data protection compliance in light of the government’s Coronavirus guidance requiring bars, pubs, cafes, restaurants, etc. (which are able to open from 4th July) to record customer and visitor contact data in case it is required for NHS Test & Trace contact tracing purposes.
The ICO statement points to the need to protect personal data, indicates that further government guidance will be forthcoming, and signals that the ICO wish to take a pragmatic approach to enforcement, supporting rather than fining (unless there is a serious breach):
“For the public health benefits to be realised from these new measures it is important people feel able to share their personal data with confidence. So people can have this trust and confidence in the way their personal data will be kept safe and used properly as they prepare to return to their favourite pubs, restaurants and local businesses, we want to help businesses to get things right first time as they adapt to new ways of working.
“We’ve published ICO advice – clear, simple steps that businesses can take as they introduce customer and visitor records. And we’ll be supporting government guidance with a series of Q and As on our coronavirus online hub that will give more detail. We also have a team of experts offering advice and support through our small business helpline.
“We appreciate the challenge that many small businesses face in introducing unfamiliar arrangements at speed. Our focus is on supporting and enabling them to handle people’s data responsibly from the outset and, while we will act where we find serious, systemic or negligent behaviour, our aim is to help the thousands of businesses that are doing their best to do the right thing.
“We’ll continue to update our guidance on this and other coronavirus-related data protection issues on our dedicated web hub.”
In its initial “Contact tracing – protecting customer and visitor details” guidance, the ICO set out the 5 key steps to compliance (all of which were covered in my webinar on the 29th June):
- Only ask for data that is needed
- Be open and transparent about what you’re collecting the data for
- Carefully store the data
- Don’t use it for other purposes (unless it’s lawful (consent) for you to do so)
- Erase the data in line with government guidelines (currently 21 days)