We provide the complete commercial debt recovery service; from outsourced early arrears collections through to expert litigation, all handled in-house by a multi-award-winning law firm.

 

Visit our debt recovery website

If you decide to collect customer and visitor information as part of the Government’s COVID-19 contact tracing scheme (Scheme), you must do so in a manner that is compliant with the Data Protection Act 2018 (DPA). This is because the information you collect is likely to be deemed personal data that is protected under the DPA.

You should initially check government guidelines for information on whether your business is encouraged to collect contact information as part of the Scheme. You can do this HERE:

If you are intending to take part in the Scheme, you should consider (and where appropriate, action) the following:

  1. What is your lawful basis for collecting the information? If the government is asking you to collect customer data, then it is likely that your lawful basis under the DPA, will either be legitimate interests (if you are a private organisation) or a public task (if you are a public body). You should steer away from relying on consent unless you are collecting sensitive personal information (such as health information) or it is completely voluntary for a customer to provide their personal data. The Information Commissioner (ICO) recommends that you should rely on consent if you provide a service to small groups or on a one-to-one basis (e.g. massages). This is because the information you may be asked to share may only apply to one or two people, making it more likely that you would make assumptions about your customer’s health.
  2. You must be clear, open and honest with people that you are collecting their data for a contact tracing scheme (such as the NHS Test and Trace), who you will share it with and how long you will keep it.
  3. The government has specified the exact information you should collect for contact tracing. You should familiarise yourself with the government’s requirements and not collect any additional information for the purpose of contact tracing.
  4. You must only keep the information for as long as it is needed. In England, the current period for retaining information collected for contact tracing is 21 days. Once this period has passed, you must securely dispose of the information (e.g. by shredding paper documents or permanently deleting digital records).
  5. For the purposes of contact tracing, you only need to accurately record the information that the customer/visitor provides to you. It is not necessary to conduct identity checks to validate that information (unless this is something your business would ordinarily do, for example, age verification at licenced premises).
  6. All customers/visitors have certain rights under the DPA in relation to their personal data. This includes, but is not limited to, the right of access to their data and the right to ask for any inaccurate data to be corrected. You must ensure that you have measures in place to recognise, and where appropriate, action, any such requests.
  7. Information must only be shared when it is requested by a legitimate public health authority. If you are asked to provide information to a contacting tracing scheme, you must ensure that the caller is genuine and only share the information securely.

The above is a non-exhaustive list of points to consider when collecting information for contact tracing.

Please note, the information included in this update is correct at the date of publishing.

Should you require any advice on complying with the DPA when collecting personal information and/or updating your data protection policies or notices, please call us on 01332 226 130 or complete the form below.

Scroll to next section

Scroll back to the top

Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

For more information on how these cookies work, please refer to our Cookies Policy.

Strictly necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our website. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous.

Force24 cookies & tracking

This website utilises Force24’s marketing automation platform. Force24 cookies are first-party cookies and are enabled at the point of cookie acceptance on this website. The cookies are named below:

F24_autoID
F24_personID

They allow us to understand our audience engagement thus allowing better optimisation of marketing activity.