There are regulations in place for certain industry sectors to ensure that they have track and trace controls in place. This specifically relates to venues in hospitality, the tourism and leisure industry, close contact services and local authority facilities. These venues must:
- Ask at least one member of every party of customers or visitors (up to six people) to provide their name and contact details.
- Keep a record of all staff working on their premises and shift times on a given day and their contact details.
- Keep these records of customers, visitors and staff for 21 days and provide data to NHS Test and Trace if requested.
- Display an official NHS QR code poster from 24 September 2020, so that customers and visitors can ‘check in’ using this option as an alternative to providing their contact details.
- Adhere to the General Data Protection Regulation (GDPR).
- Hospitality venues must also refuse entry to those who refuse to participate.
Failure to undertake any of these requirements will result in fixed penalty fines.
CONTACT TRACING APP
The contact tracing app was rolled out from 24 September 2020. The Government has urged businesses to display NHS QR code posters at the entrance to their premises. The app can scan these posters, so that individuals who attend certain locations can be identified and notified in the event of an outbreak related to that location.
The app will be used in conjunction with the more traditional approach to contact tracing, which is carried out manually by staff employed for that purpose. The contact tracing information remains on the individual’s phone for 21 days before being deleted.
LEGAL REQUIREMENTS
The Health Protection (Coronavirus, Collection of Contact Details etc and Related Requirements) Regulations 2020 support the new track and trace requirements for organisations. Under these Regulations, requirements on organisations include:
- Asking at least one member of every party of customers or visitors (up to six people) to provide their name and contact details. Where the party is larger than six, it must be broken down into smaller groups, each with a designated person who provides their details.
- Details gathered from the individual must be: name; time of visit to venue; size of group; and an email address, phone number or postal address.
- Keeping a record of all staff working on their premises and shift times on a given day and their contact details.
- Keeping these records of customers, visitors and staff for 21 days and providing data to NHS Test and Trace if requested. The records must be securely destroyed as soon as possible after that period.
- Displaying an official NHS QR code poster, so that customers and visitors can ‘check in’ using this option as an alternative to providing their contact details.
- Adhering to the General Data Protection Regulation (GDPR).
Failure to comply with requirements to gather tracking information can result in fixed penalty fines that range from £500 for the first infringement, up to £4,000 when multiple infringements are identified.
DATA PROTECTION LEGISLATION (GDPR AND THE DATA PROTECTION ACT 2018)
As part of developing and establishing these controls, organisations must consider how any bespoke controls they develop conform to the requirements of GDPR and the Data Protection Act 2018.
This would include conducting a Data Protection Impact Assessment (DPIA) to fully understand the impact of their system upon an individual’s rights and freedoms.
TEST AND TRACE FOR STAFF
Staff exhibiting symptoms must isolate in line with Government guidance and seek a test at the earliest possible time.
Staff who test positive will be contacted by NHS Test and Trace and asked to provide details of anyone they have had close contact with.
Staff should be kept informed about possible cases of the virus amongst their colleagues, but individuals who have or may have the virus should not be named. In most cases, the duty to protect the health and safety of your employees by informing them that they may have been in contact with the virus will override the confidentiality risk, but each situation should be considered individually.
KEY POINTS TO BE AWARE OF IN ADHERING TO DATA PROTECTION LEGISLATION (GDPR AND THE DATA PROTECTION ACT 2018)
Data limitation – The data gathered must be the least amount possible to fulfil the purpose for which it is required.
Data protection notices – Individuals must be given information that explains what data is being gathered, why, how it will be used, who it will be shared with, and how long it will be kept for.
Lawful grounds – The lawful ground for gathering contact tracing information is currently a Legal Requirement.
Retention periods – The track and trace app currently stores individuals’ information for 21 days before deleting it.
Accuracy of information – Under track and trace it is only necessary to keep an accurate record of the information provided. There is no requirement to ask for evidence such as driving licences, etc.
Individuals’ rights – An individual has the right to ask you to tell them what information you have on them, and to request that it is corrected if the information is found to be incorrect.
Sharing of information – Only share contact tracing information with public authorities and ensure that you verify the identity of anyone requesting this information on behalf of a public authority.
Handling of information – Restrict access to tracking information to a limited number of staff and train them regarding the need to keep this information private and secure.