For the past few months, organisations across Europe have been asked to store the contact details of customers and staff in an effort to control the spread of COVID-19.
Whether businesses are using QR codes, which upload individuals’ personal data, or manually recording the information on pen and paper, the process presents information security problems.
Many organisations won’t be used to such extensive data processing practices, and if they fail to protect the data adequately, they could suffer a data breach and face a GDPR (General Data Protection Regulation) fine.
It’s an unfortunate position to be put in, given that organisations must collect the information if they wish to remain open, but there are many examples of businesses being required by law to process personal data – so it’s certainly not unprecedented.
You can make sure your contact tracing process is GDPR-compliant by following the five-step guide set out by Ireland’s DPC (Data Protection Commission), which we’ve summarised below.
1. Minimise the amount of data you collect
The best way to prevent data breaches – and mitigate the damage should the information be exposed – is to reduce the amount of information you collect.
This means processing only as much information as you need to fulfil the purpose for the collection – which is to contact individuals if they have been exposed to COVID-19.
As such, you should take people’s names, a phone number and the hours that they were on the premises.
In Ireland, licensed properties are also required to record the sale of meals.
2. Be clear about why you are collecting their personal data
By now, most people will be familiar with the concept of contact tracing and should expect you to collect their data – but don’t take it for granted.
Whenever you ask customers to hand over their contact details, you must explain that it’s part of a COVID-19 contact tracing programme that your organisation is required to complete.
3. Store the information securely
The measures you implement to protect personal data will depend on whether you process it digitally or physically.
Digital records should be subject to appropriate technical controls. For example, it’s a good idea to keep them in a password-protected database, with the password known only to approved personnel.
Physical records should be kept in a locked drawer in a secure part of the premises.
4. Don’t use the information for other purposes
Your customers provided their data for the express reason that they could be contacted if they had been exposed to someone who had tested positive for COVID-19.
You cannot use their information for any other purpose, such as direct marketing, and you cannot sell it to third parties.
The only exception to this is if you are legally required to share the information with public health authorities for contact tracing purposes.
5. Remove customer data when it’s no longer needed
You must ensure that you delete customers’ details when they are no longer needed.
In Ireland, organisations are required to remove information after 21 days, although other countries have their own requirements.
Physical records should be shredded, whereas digital records must be completely cleared from your systems. This includes records stored in your recycle bin or backups, which may be held in the Cloud.
Looking for more GDPR help?
These guidelines are a reminder of the ongoing importance of GDPR compliance. The penalties for violations can be severe, so organisations must ensure that they understand their data protection obligations and implement appropriate measures.
You can find out how the Regulation affects your organisation by taking our Certified GDPR Foundation Training Course.
This one-day course is delivered by an experienced data protection expert, and provides a comprehensive introduction to the GDPR and how you can meet its requirements.