Contact tracing and GDPR
The last few months have been difficult, both at home and at work. There have been a lot of mixed messages. Can we go outside? Can we not? Do we have to wear a mask in NI? Do we not? Unfortunately, I don’t have answers for these questions and I am just as confused as you are. However, one thing I can help with is to de-mystify contact tracing and GDPR.
What is GDPR?
GDPR is the General Data Protection Regulation. It governs the use of anyone’s personal data, how it can be collected, stored and used. We have lots of resources on GDPR on our website so if you need a refresher, definitely check them out.
What is Contact Tracing?
Also known as ‘Track and Track’ and ‘NHS Test and Trace’. The UK government states that:
“By maintaining records of staff, customers and visitors, and sharing these with NHS Test and Trace where requested, you can help us to identify people who may have been exposed to the virus. Containing outbreaks early is crucial to reduce the spread of COVID-19, protect the NHS and social care sector, and save lives. This will help to avoid the reintroduction of lockdown measures and support the country to return to, and maintain, a more normal way of life.”
In layman’s terms, it means public and work places will be collecting every visitor’s contact details and date of visit, so they can be contacted if someone else on the same day, be it staff or a fellow audience member is tested positive for Covid-19.
Like everything else surrounding Coronavirus, there is no clear indication that you have to do it by law but the GOV.uk website does state organisations ‘should’ collect details.
There is no real guidance on how you should do this either. We have all already seen some ‘track and trace’ in practice, some being efficient and some that could have been done better. From sophisticated QR codes to writing contact details on the back of a paper napkin (I kid you not), there are all sorts of ways people are coming up with, but if you are going to put the effort in, you might as well do it right.
Tracing and GDPR
So how do these two mix? One is telling you to collect and store as little personal data as possible while the other is actively asking you to collect all the data. However, there is a good reason we are being asked to chip in as it could potentially save a life. GDPR is all about the risk to the individual. I would much rather receive a phone call I wasn’t necessarily expecting from a venue letting me know I have been in contact with someone who was COVID positive, than going on with my life and potentially affect others.
Just like all things GDPR, the data needs to be collected, stored and deleted securely.
Collecting the data
Explain clearly and concisely why you are collecting the data. You just need a name and contact from the individual. You can add in the date, time and people they were in contact with yourself.
If you are a ticketed venue, you can gather this information when your visitor is buying a ticket, online or in person. You probably ask for this information anyway, so you just need to specify the data will be used in case a fellow audience member tested positive for Covid. The box office is a handy way to collect and store this data without any extra work. Just ensure there is a way to know if the person definitely attended that day so you aren’t contacting someone who had booked a ticket but never actually came.
However, if you don’t have a box office system, you can use the trusted pen and paper. This should be managed by a staff member, not just left out for people to fill in and see everyone else details. A staff member should explain why you need the data, collect and store it away securely.
You and your staff should know how long this data will be kept for. I would recommend to delete it every two to three weeks as that is how long you can carry the disease. If it is a piece of paper, it should be shredded. If the information is collected on a digital device, it should be deleted from the system and the trash can.
Remember: The data cannot be used for any other means than track and trace. You cannot use this information for marketing purposes. People should know explicitly why their data is being collected, how it will be used and when it is deleted .
I like GDPR as it is a great way to either make or break audience relationships. Done well, it builds trust and respect. Done badly, it can do the opposite. However, don’t just take my word on it? This is what the ICO (Information Commissioners Office) says on GDPR and Contact Tracing.
If you have a quick question about this topic, drop me an email on firstname.lastname@example.org or if you want to have a longer conversation about it, book a free audience appointment with myself where we can go through it in detail.