This is for the purpose of assisting NHS Test and Trace with data if it is needed for contact tracing and the investigation of local outbreaks.
Government guidance provides that: "The opening up of public places following the COVID-19 outbreak is being supported by the NHS Test and Trace service. … you should assist this service by keeping an accurate temporary record of visitors for 21 days".
If you are providing public-facing services, this guidance applies to you. If you are collecting personal data you must comply with data protection laws, even if you are a not-for-profit or community group.
Data protection law permits you to collect personal data for legitimate purposes (in this case the legitimate purpose is supporting NHS Test and Trace), provided you do so in accordance with the data protection principles. This means:
- only collect what you need (name, contact details and date and time of their visit)
- only use it for the purpose it is collected (i.e. for NHS Test and Trace; do not add these details to your mailing lists unless they have consented to this separately)
- do not share it with anyone other than NHS Test and Trace
- don't keep the data longer than required (21 days)
- make sure you have appropriate security in place to keep the data safe and confidential (don't use a publicly visible sign-in sheet), make it accessible only on a need-to-know basis to employees/volunteers who are under a duty of confidentiality, and have processes in place to destroy it securely or permanently delete it after 21 days
- most importantly, be transparent - tell people what you are doing, why, and what their rights are by providing them with a privacy notice
If you would like to discuss data protection compliance for your organisation, contact Penny Bygrave in our Information Law team on 07909 681 572, or complete the form below.