The Information Commissioner’s Office (ICO) in the United Kingdom has published guidance for businesses that are putting in place contact-tracing measures in respect of their customers and visitors, as part of the efforts to respond to the COVID-19 pandemic. The purpose of the guidance is to protect the personal information that businesses are collecting.
The guidance sets out five key steps:
- Ask only for what’s needed: People should only be asked for the specific information that is required, such as their name, contact details and time of arrival.
- Be transparent with customers: Businesses should be clear, open and honest with customers about why the personal information is being collected and what it will be used for.
- Carefully store the data: Businesses should look after the personal information that is being collected. This means keeping it secure on a device if it is being collected digitally, or locked away if paper records are being used
- Don’t use it for other purposes: Businesses should not use the personal information collected for contact-tracing for any other purposes, such as direct marketing, profiling or data analytics.
- Erasure: Businesses should not keep personal information for longer than required by law. Businesses need to dispose of the data securely to reduce the risk of someone else accessing it.
The ICO guidance is accessible here.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].