Last updated1: 4/7/2020
1 Please note, this document is subject to change following updated Government guidelines. Please refer to the social distancing guidelines of your nation or Local Authority, as these may differ from what is outlined in this document.
The opening up of the economy following the COVID-19 outbreak is being supported by NHS Test and Trace. Organisations have been asked to support this service by keeping a temporary record of visitor details for 21 days, and assist NHS Test and Trace with requests for that data in the event of a local COVID-19 cluster or outbreak. Many organisations already take bookings and have systems in place for recording visitor details. The Department for Digital, Culture, Media and Sport is due to release good practice guidelines to help arts and cultural organisations safely reopen, developed in collaboration with sector stakeholders.
The Audience Agency has set out the following guidance to help organisations comply with the requirements of data protection regulation, particularly those that are collecting and storing personal visitor data for the first time.
This document forms a suggested approach to addressing personal data collection in compliance with data protection regulations. It provides only an overview of the key considerations, and if guidance is being sought for the creation of an organisational personal data management framework, please visit The Audience Agency website to access more detailed resources.
There are 5 key considerations when planning a framework for working towards and maintaining compliance with data protection regulations.
1. Collect only the minimum amount of data required
The data collected should be limited to the purposes for which it is intended. In the case of NHS Track and Trace, all that is required is the name of the customer, date of visit and contact details, such as email or phone.
2. Be transparent
Tell customers why you are collecting their details, what you will do with the information and how you will store and process individuals’ data. If it collected is for multiple purposes, these must all be stated separately so that the customer can choose which options they wish to give consent for.
3. Only keep the data for as long as it's required
The UK government guidance states that businesses collecting contact details NHS Test and Trace should only retain these records for 21 days, in a way that is manageable for their business, and assist NHS Test and Trace with requests for that data if required. If the data has been collected solely for this purpose and no other uses have been agreed to by the customer, it should be deleted and cannot be used for other purposes.
4. Store and delete data securely
Data should be stored and deleted securely. If this information is kept electronically, steps should be taken to restrict and protect access to the data to those people for whom it is necessary to perform the processing - such as measures like security software and firewalls, encryption, the use of secure Virtual Private Networks (VPN) and log-in restricted access. If paper forms are used to collect this data, they should be disposed of correctly.
5. Limit the use of the data and keep the collection process simple
When data is collected for NHS Test and Trace, it cannot be opportunistically used for marketing or research purposes, unless appropriate consent is obtained. The collection process should be made as clear and as simple as possible. For example.
We would like to retain your details so that we can contact you for:
- NHS Test and Trace purposes to assist the NHS with requests for data in the event of a local COVID-19 outbreak y/n
(please note your details will be deleted after 21 days, unless you have agreed to contact for additional purposes )
- Marketing purposes, i.e. to keep you up to date about upcoming events - y/n
- To send you a survey about your experience today - y/n
- etc. other purposes, e.g. fundraising - y/n
Please let us know how you would like to be contacted:
- email - y/n
- SMS - y/n
- phone - y/n
- etc. - y/n