Data processing

Coronavirus and track and trace data – What are your obligations?

This is a live document and was last updated on August 2020

Important information about Coronavirus and data protection.

If you have ventured out to a venue such as a pub or a restaurant since the lockdown eased, you will most likely have been asked for your contact details. Whilst we all want to play our part in beating this pandemic, what exactly does the law say about the processing of personal data in such circumstances? Should you be collecting visitor’s information? If you do, how should you gather it, process it and share it? Here we consider the implication of track and trace data.

Firstly, let me state that regardless of the content of this blog, I have of course been sharing my data. we all agree that anything we can do to prevent further deaths and suffering can only be a good thing. But this blog is about the legal implications that may or may not become an issue in the future.

Let’s start by considering the basis on which we might process the data. The guidance from the government has been less than clear which leaves organisations to interpret it in also sorts of ways. In the interests of this blog (OK, this isn’t really true!), I have visited a few pubs to see just what they say about my data and the purposes for collecting it. As you might imagine, it was a mixed bag from, ‘I’m not sure’ to ‘If you don’t give me your details, you’re not coming in’ I even completed an online form via an app which asked me if I had felt unwell in the past 14 days. I ticked the box confirming I had felt unwell (I hadn’t) to see what action might be taken. Was I about to be ejected by a waiter in full PPE? I wasn’t of course, making the whole process a waste of time and resource. It seems nobody can adequately explain the basis on which track and trace data is being processed.

In order to process data, the GDPR says you must have an Article 6 basis. There are six that range from consent to legitimate interest. Most venues I have visited have insisted on recording my personal data, taking my temperature, or both. As I had no choice, they aren’t using consent. This condition can only be given voluntarily, and I should be fully informed of the intended use, who it might be shared with and whether it might be subject to international transfers. The other conditions include a legal obligation. This wouldn’t work as there is no such obligation to collect the information. Public Interest. requires a law or can only be used by an authority. Vital Interest Doesn’t work unless the individual is at risk. This just leaves us with Legitimate Interest. If this condition is used, then each venue might need to consider the implication of such a decision. The guidance on this suggests you might need to consider, ‘Is there another way to achieve the objective?’ Also, in order to ensure fairness, you might need to conduct a risk assessment or a balancing test to establish that rights and freedoms can be upheld. But most importantly, it is very unlikely that legitimate Interest would permit you to process my data against my will.

So, saying ‘If you don’t give me your details, you’re not coming in’ seems unfounded and unfair. The government guidance is to proceed regardless but to use consent in a setting where special categories of data may be processed such as a person’s religious belief when visiting a church. Furthermore, my temperature may indicate a health condition which is a special category of data too. To process special data is more complex and either required my explicit consent (which cannot be insisted upon) or an exemption to the law which can be found in Schedule 1, Pt 1 of the Data Protection Act 2018. If this was the chosen route, then on top of risk assessments the venue would need additional and appropriate policy documents. Of course, they don’t have these which makes the processing of personal data most likely a breach of the GDPR.

The government has not yet conducted its own risk assessment of the potential issues the Track and Trace App presents to privacy. By launching the app without an assessment, they effectively broke the law anyway. If they ever do complete one and find the risks to be high (which it will be), the app would probably be taken down as the law requires risk to be mitigated.

So, here are a few top tips to help you navigate track and trace if you need to implement it;

  • Ask people for their consent (agreement) to collect their details, if they say no respect their decision;
  • Allow people to refuse to give you their data (Opt-out of the scheme), still allow them access to the premises;
  • Don’t temperature check unless you are a health professional or have one on hand. (An elevated temperature could be something other than Coronavirus and you’re not in a position to offer a diagnosis);
  • The data you keep must only be retained for as long as is necessary. How long is that in your opinion? The government guidance suggests 21 days;
  • It must then be fully deleted, don’t keep a record of any data collected;
  • Consider whom you need to share the data with and why. Are you going to share it with anyone who asks? Make a policy decision in advance;
  • Update your policies to include a section on this type of data processing, your grounds for processing and a data retention timeline. This will help you demonstrate your accountability;
  • Monitor the ICO’s website for updates on this and other matters concerning data protection,
  • Use your common sense. If someone is clearly unwell, not worry about data protection, you have a duty of care which is much more important.

Mark Burnett

GDPR Certified Data Protection Practitioner

Hope and May


Get in touch