Canary Wharf, London
0207 537 6480
info@elbp.co.uk

Protecting Contact Tracing Data

Protecting Contact Tracing Data

As it is now compulsory to collect contact tracing data, the onus is on you to ensure that you protect the data while it is in your possession and dispose of it as soon as you can. This will help you avoid any data protection issues that may arise if your IT systems are breached or paper records are lost or stolen.

To support your efforts we have put together a short article on how to collect, store and dispose of contact tracing data.

What data should I collect?

For the contact tracing system to work you need to ensure you are collecting the right data. However, to ensure you and your clients/visitors are protected you should not collect anything more than the following:

  • a name (for groups of 6 or less, only 1 name required)
  • a number (or an email if a number is not available)
  • the date & time of the visit
  • departure time, if possible

Proof of identity is not required unless it is a usual part of your business requirements.

How should I collect contact tracing data?

Contact tracing data should be collected in a clear and transparent manner and in accordance with Data Protection regulations.

It can be collected in paper form or digitally using a mobile or device.

How should I store contact tracing data?
Like all data you process, contact tracing data should be securely stored. Paper records should be locked up in a filing cabinet or safe whilst digital records should be stored behind access protected devices and IT systems (cloud based and/or on desktops).

How long should I keep contact tracing data for?

Contact tracing data should be kept for a maximum of 21 days, which allows for 14 days incubation period and 7 days allowing for testing and tracing.

What should I do with the data once 21 days is up?

The contact tracing data should be disposed of securely.

For example, if you collected the data using paper forms, then the forms should be shredded using a cross- shredder. If, however you used digital devices then the data should be deleted off the devices plus any backups and cloud storage systems that the data is shared or synchronised with. You should regularly check to ensure you are not holding any data that has passed the 21-day retention period.

Can I use contact tracing data for other business purposes?

Unless expressly stated that you will be using the data for other business purposes, such as making bookings, then the answer is no! Contact tracing data should not be used for business analytics, customer profiling or email marketing purposes.   

Can I share contact tracing data?

Contact tracing data should only be shared with the NHS if asked to do so. Other than that, the data should not be shared with other parties.

Complying with the new regulations to help break the chains of transmission of Coronavirus is now compulsory and so is the need to comply with Data Protection regulations when processing contact tracing data – stay safe and compliant!


This article was brought to you by our marketplace member Yejide Adeoye of Logic to Create- visit their marketplace profile to find out more.