ADVICE & OPINION
COMPLIANCE
CONTACT TRACING AND COVID-19
In association with
There are regulations in place for certain industry sectors to ensure that
they have track and trace controls in place. This specifi cally relates to
venues in hospitality, the tourism and leisure industry, close contact
services and local authority facilities. www.barbour-ehs.com
THESE ORGANISATIONS MUST:
Ask at least one member of every party of
customers or visitors (up to six people) to provide
their name and contact details.
Keep a record of all sta working on their
premises and shi times on a given day and their
contact details.
Keep these records of customers, visitors and
sta for 21 days and provide data to NHS Test and
Trace if requested.
Display an o icial NHS QR code poster from 24
September 2020, so that customers and visitors
can ‘check in’ using this option as an alternative
to providing their contact details.
Adhere to General Data Protection Regulations
(GDPR).
Hospitality venues must also refuse entry to those
who refuse to participate.
Failure to undertake any of these requirements will
result in fixed penalty fines.
CONTACT TRACING APP
The contact tracing app was rolled out from the
24 September 2020. The Government has urged
businesses to display NHS QR Code posters on
entry to their premises, which are able to be scanned
by the app, so that individuals that attend certain
locations can be identified and notified in the
event of an outbreak related to that location.
The app will then be used in conjunction with the
more traditional approach to contact track and tracing
methods, by sta employed to manually carry out
these duties. The contact tracing information remains
on the individual’s phone for 21 days before being
deleted.
LEGAL REQUIREMENTS
The Health Protection (Coronavirus, Collection
of Contact Details etc and Related Requirements)
Regulations 2020 support the new track and trace
requirements for organisations. Under these
Regulations, requirements on organisations include:
Asking at least one member of every party of
customers or visitors (up to six people) to provide
their name and contact details. Where the party
is larger than six, then it must be broken down
into smaller groups and have a designated person
provide their details.
12 NOVEMBER 2020
Details gathered from the individual must be:
name; time of visit to venue; size of group; either
email/phone number/or postal address.
Keeping a record of all sta working on their
premises and shi times on a given day and their
contact details.
Keeping these records of customers, visitors and
sta for 21 days and provide data to NHS Test and
Trace if requested. Following which they must be
securely destroyed as soon as possible a er that
date.
Displaying an o icial NHS QR code poster, so that
customers and visitors can ‘check in’ using this
option as an alternative to providing their contact
details.
Adhering to General Data Protection Regulations
(GDPR).
Failure to comply with requirements to gather
tracking information can result in fixed penalty fines
that range from £500 for the first infringement, up to
£4,000 when multiple infringements are identified.
DATA PROTECTION LEGISLATION (GDPR AND THE
DATA PROTECTION ACT 2018)
As part of developing and establishing these controls,
organisations must consider how any bespoke
controls they develop conform to the requirements of
GDPR and The Data Protection Act2018.
This would include conducting a Data Protection
Impact Assessment (DPIA) to fully understand the
impact of their system upon an individual’s rights and
freedoms.
TEST AND TRACE FOR STAFF
Sta exhibiting symptoms must isolate in line with
Government guidance and seek a test at the earliest
possible time.
For sta that test positive, they will be contacted by
the NHS Test and Trace and asked to provide details
regarding anyone they have had close contact with.
Sta should be kept informed about possible cases
of the virus amongst their colleagues, but individuals
who have or may have the virus should not be
named. In most cases, the duty to protect the health
and safety of your employees by informing them that
they may have been in contact with the virus will
over-ride the confidentiality risk, but each situation
should be considered individually.
KEY POINTS TO BE AWARE OF IN ADHERING TO
DATA PROTECTION LEGISLATION (GDPR AND THE
DATA PROTECTION ACT 2018)
Data limitation – The data gathered must be the
least amount possible to fulfil the purpose for which
it is required.
Data protection notices – Individuals must be given
information that explains what data is being gathered,
why, how it will be used, who it will be shared with,
how long it will be kept for.
Lawful grounds – The lawful ground for gathering
contact tracing information is currently a Legal
Requirement.
Retention periods – The track and trace app
currently stores individuals’ information for 21 days
before deleting it.
Accuracy of information – Under track and trace it
is only necessary to keep an accurate record of the
information provided. There is no requirement to ask
for evidence such as driving licences, etc.
Individuals’ rights – An individual has the right to ask
you to tell them what information you have on them,
and to request that it is corrected if the information is
found to be incorrect.
Sharing of information – Only share contact tracing
information with public authorities and ensure that
you verify the identity of anyone requesting this
information on behalf of a public authority.
Handling of information – Restrict access to tracking
information to a limited number of sta and train
them regarding the need to keep this information
private and secure.
Visit https://barbour-ehs.com to register
/www.barbour-ehs.com
/barbour-ehs.com
