As we've previously reported on, pubs, restaurants, hairdressers and other hospitality businesses, are from the 4 July able to re-open their doors. However, it is not business as usual, in addition to the expected precautionary measures such as social distancing and enhanced hygiene standards, the UK government gave businesses 10 days' notice that they are also requested to collect and record visitors' personal information as part of the national contact tracing effort.  

To help businesses struggling with these requirements, and to prevent data protection from being a barrier to their recovery, the UK data protection authority, the ICO, has introduced an ABC guide focusing on how to implement new GDPR compliant contact tracing measures.

Key themes are:

  1.  Choose the solution which works best for you, there is no need to develop, or sign up to new apps or digital solutions;
  2. Only access the contact tracing information you need (e.g. name, contact details, time of arrival). There's no need to ask for ID if you don't already do it;
  3. Inform customers of why you need their information and what you will do with it. You can do this by displaying a notice, including it on your website or just telling people;
  4. Keep the information secure;
  5. Only use the information for contact tracing purposes - the information should not be used for marketing purposes;
  6. Erase the information after 21 days (shred paper records, delete digital records and empty the recycle bin, ensure cloud data is deleted) in line with Government guidance. For example in England, guidance from public health authorities state the information should only be kept for 21 days.

The ICO has also published more detailed contact tracing guidance here, and it is continually adding new content to its Covid-19 Q&A hub.

Kemp Little's privacy and cybersecurity experts have produced two separate guides to help support you with your data protection and cybersecurity issues.