Call us on 03450 21 21 51

How to implement Track and Trace safely without compromising your data security
The SRM Blog

How to implement Track and Trace safely without compromising your data security

Claire Greathead

Written by Claire Greathead

31st July 2020

Share this article

track and trace gdpr

The further easing of lockdown restrictions this month has allowed many face-to-face businesses like hospitality, retail and leisure to re-open under controlled conditions. This means that after the hiatus of the last few months, there has been a rush to implement safety measures. While many of these have been physical changes, introducing a range of steps to ensure social distancing, there is also a key requirement for businesses and organisations to gather and retain customer information for 21 days to help with the NHS’s Test and Trace policy if requested. This is presenting an added layer of complexity – and potential risk – to the ‘new normal’ conditions in which we live.

For many, however, it should not be an undue burden. Most close contact services where appointments are made, like hairdressing and beauty therapy, already hold basic client information. Hotels and restaurants are also familiar with routinely recording and holding customer details. These businesses will need to ensure that details are available so they can support the tracking of individuals if required, but it is likely that they will have already taken steps to comply with data protection legislation and GDPR guidelines. An update of their protocols to include the new system of data collection will, however, need to be carried out.

When it comes to less formal settings like pubs, cafes, community centres or places of worship, the gathering, recording and retaining visitor contact details is not usual practice and, for many in these venues, it is uncharted territory. It is also something that has had to be introduced in a short period of time, giving little opportunity for a thorough security appraisal.

The Government has produced guidelines that provide a degree of flexibility built in, depending on the size and sophistication of the business. In some cases, paper records are deemed acceptable if they are kept hidden and secure for 21 days and then permanently destroyed.

For most businesses, however, electronic record keeping will be the preferred system. Although the records are being specifically kept for contact tracing, with minimum detail and for just 3 weeks, the gathering, securing, encryption, storing and deletion of these files must still adhere to the legal requirements of Data Protection legislation and GDPR.

In response to demand, a number of apps have been developed to record names, basic contact information and the time of entry and exit. Some use QR codes for scanning by either customers or staff; some use venue codes, requiring individuals to enter the information as they enter the premises; and others can obtain the information direct from mobile phones. Encryption and safe deletion after 21 days are built into these apps.

So far, so good.

The greatest underlying risk to data protection lies in the security of the devices collecting details themselves. If these devices on which the apps are installed have little or no authentication attached to them, the potential for data theft is significantly increased. iPads, tablets and phones may be the simplest way to gather customer information but, if these are linked to the wider business system, they may provide a relatively easy point of entry for hackers.

While customers are now fairly comfortable with their personal information being held, as it is routinely with online purchases, they will require reassurance that you are protecting their data from potential criminal activity. It is therefore essential that network system security policies are reviewed and updated to reflect this new data point and build in security measures and training for all those involved.


SRM Track and Trace Tips

Here are our top tips for ensuring that fulfilling your Track and Trace obligation does not affect your adherence to GDPR and data protection legislation.

  1. Be transparent with customers about your responsibilities

It is important that customers or visitors understand why you need to collect their data, how you are going to safeguard it and what you are going to do with it. Let them know that their data will be encrypted and stored securely and that there is a secure system for deletion at the end of the required period.

  1. Collect only the data that is required

Contact tracing requires the recording of a customer’s name, phone number or email address together with the date and time of their booking or attendance. No other details are needed. This is in line with GDPR which advises that only information that is required should be retained.

  1. Don’t forget staff

Track and Trace records are not limited to customers or visitors. They must include all members of staff, volunteers or those visiting in any other capacity. Staff are also essential to the correct management of the data collection process. They are the frontline in providing reassurance for customers and so should be trained appropriately.

  1. Keep contact details hidden and secure

It is essential that all details provided are hidden and stored in a way that others cannot see, record or photograph. Electronic records are preferred because they can be password protected, encrypted and stored securely.

  1. Retain data for no longer than is required

The Government requires that these records are temporary, only kept for 21 days. They should be deleted after that period in a secure and permanent way.

  1. Do not use the data for any other purpose

The information gathered for contact tracing cannot be used for any other purpose. If you want customers to sign up for newsletters or promotional offers, then consent must be specifically obtained for this. If retained and use without consent this would breach UK data protection law.

  1. Delete data securely

Data must be deleted in a secure way, leaving no traces behind. Failure to do this may constitute a breach. Although the Information Commissioners Office (ICO) has indicated that it will be pragmatic when it comes to enforcing the law, they will be within their rights to take action.

  1. Ensure all devices have authentication and security

Password protection may be sufficient but two-factor authentication provides an additional layer of security. This is particularly important where there is open WiFi within the premises. A schedule of testing and updating devices is also advisable and the devices used for contact tracing should be included in the network security policy.

There are many variables, depending on the size and type of business, but it is essential to review your ‘new normal’ practices to ensure that the risk of a data breach is minimised. Professional advice on how to maintain compliance and minimise risks will ensure your system is as secure as possible.

Are you concerned about your data protection policies and procedures? Let our expert team support you to keep your organisation in line with the latest requirements and avoid any potential fines or sanctions caused by mistakes. Contact Us.

Back to top