The ICO has published updated guidance for organisations which are asked by the government to collect and retain information about customers and visitors for the purposes of COVID-19 contact tracing.
In summary, the ICO has confirmed:
- data protection law doesn't prevent you from collecting personal data in this context if it is provided voluntarily, as long as it is lawful and customers and visitors are informed about what you are doing;
- if you are collecting customer data for a contact tracing scheme (such as the NHS Test and Trace in England), you need to make this clear to individuals;
- it is necessary to check government guidelines to confirm whether your business is encouraged to collect customer contact information for contact tracing purposes;
- the lawful basis for processing can include legitimate interests, public task (if you are a public authority) or consent;
- such personal data should only be retained for as long as it is needed. In England, this generally means 21 days, based on guidance from public health authorities (although it could be retained for longer if necessary for compliance with other sector-specific guidelines).
The ICO has confirmed that most organisations will not need to rely on consent for these purposes. However, in the context of contact tracing, the ICO recommends that consent be used if collecting contact details in a place of worship, or if you provide a service to small groups of people or on a one-to-one basis.
Most private sector organisations and public authorities should not need to rely on consent. Where you do collect consent, you must give people a genuine choice about whether they provide their data. You should not use consent as your lawful basis unless it is truly voluntary to provide personal data.

Consent is recommended when the information you are collecting could reveal something sensitive about the person involved. In law, this is called special category data, and it means you need to treat it particularly carefully. It includes health information, racial or ethnic origin, sex life or sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership.

In the context of contact tracing, we recommend using consent if you are logging details in places of worship, for example. You should also use consent if you provide a service to small groups or on a one-to-one basis, like tailoring or sports massage. That’s because the information you may be asked to share for contact tracing purposes may only apply to one or two people – rather than a roomful – making it more likely that you’d make assumptions about your customer’s health.