A whole heap of businesses have just been upgraded – in data terms – from collecting and holding only limited amounts of data, probably about staff and suppliers, to holding information about members of the public.
With this upgrade comes a levelling-up of risk and additional scrutiny. If small businesses such as hairdressers and pubs hadn’t thought of themselves as Data Controllers before, they very much need to now.
How have data-handling obligations changed due to Test and Trace?
The Government has asked that businesses like barbers, hairdressers, pubs and other venues keep data about customers to help with its Test and Trace efforts.
This means that these businesses are now Data Controllers and need to be registered with the Information Commissioner’s Office - ICO (if they weren’t already). Any business collecting data will also need to have a privacy policy and to explain to customers how and why it is collecting data, and what it will do with it.
The Government requires only a lead name, contact phone number and the time of arrival to be collected. No other information should be collected for the purposes of assisting the Test and Trace system. The information needs holding for 21 days, after which it’s pretty certain that the risk of needing it is over and it needs appropriately destroying.
How can businesses use the Test and Trace data?
If you’re only collecting the data for the purposes of tracing anyone potentially exposed to the virus you cannot use it for any other purpose. You can’t subscribe people to your marketing emails or use their contact details for any other reason. The ICO could fine your business if it is used for any other purpose.
How you intend to use the data should be explained when it is collected.
How should Test and Trace information be collected?
As with all data it’s important that it is collected and stored securely.
Booking systems are an acceptable way of holding data, so if you already collect people’s information to make appointments then you could use this to report if you needed to.
Using an online system is likely to be the quickest and most secure way to collect data if you don’t already have a booking system. An app or system created by a company holding a Cyber Essentials Certification – is most likely to be dependable and able to keep your customers’ data safe.
Record Customer is an app built by our sister company, Askew Brook, specifically for collecting only the necessary data quickly and easily, and keeping it safe until it’s needed, then destroying it if it isn’t. Try it free for seven days, then pay just £40+VAT/month to keep your customers’ data safe and secure. This is a 20% discount for 3 months using the coupon code SERVERTASTIC.
You could use pen and paper, but you’d need robust systems to ensure the data was always stored securely, accessible by only people who need to see it, and that it was properly destroyed after 21 days.
Creating all of these data-secure systems is something many small businesses will never have had to deal with before
When might you need to hand over the data?
If someone who has been to your business tests positive for Covid-19 you might get a request from the Government’s Test and Trace team to release the data to them. They will only ask for data for customers who could have come into contact with the person who has tested positive, so you won’t need to release all of the data you hold.
The system has already been used. In the first week after reopening at least three pubs had already closed after customers or people closely related to staff members reported testing positive for coronavirus.
