25th August 2020

Insider’s Guide to COVID-19 Data Protection Compliance

By Matthew Pryke

Lockdown restrictions are gradually relaxing, but it is not business as usual for those opening their doors to customers, visitors and employees for the first time since March. The ‘new normal’ for businesses involves cooperating with new safety measures such as contact tracing. The UK Information Commissioner’s Office (‘ICO’) has made clear that the collection of personal information for these measures must comply with data protection legislation. The ICO has recently published new guidance to help businesses comply with these requirements. Here’s our insider’s guide to the 5 steps every business must take.

1.   Only ask for necessary information

Government guidance outlines the specific information required for contact tracing schemes and businesses should collect only this necessary information. This information is likely to include basic details such as:

  • Name;
  • Contact details; and
  • Time of arrival.

There is no need to ask for identity verification unless this is already standard practice (e.g. age verification for alcohol).

Government guidance is likely to continue to change from time to time and it is, therefore, good practice to ensure you operate in line with the latest guidance.

2.   Be clear and transparent

When collecting personal information, businesses should be clear and transparent about how this information is going to be used. Customers should be told why you need the information and what you will do with it. If you already collect customer data as part of your business practice, such as for bookings, you should also make it clear that this information may be used for contact tracing purposes. Methods to achieve this transparency may include:

  • Displaying notices on the premises;
  • Including an explanation on your website; and
  • Informing customers at the time you collect the information.

Best practice also suggests this information should be included in the organisation’s privacy policy.

3.   Store personal data in a secure way

Businesses have a responsibility to protect the personal data they collect. This applies to both digital and paper-based information. Methods to help ensure information is securely maintained may include:

  • Locking the data away: keep paper lists in locked cabinets, and make sure any digital information is protected by a strong password and accessible only to the staff who need it.
  • Training employees: ensure all employees are briefed on their responsibility to keep customer information safe.
  • Being vigilant: the ICO has reported a rise in scam activities relating to COVID-19 updates. Be wary of any web links or attachments in suspicious emails.

4.   Do not use the personal information for other purposes

The personal data you collect for contact tracing must not be used for any other purpose. Examples of prohibited purposes include:

  • Direct marketing;
  • Profiling; and
  • Data analytics.

If you are unsure whether an activity is prohibited then you should seek legal advice first.

5.   Erase data according to government guidance

Any data collected for the purpose of contact tracing should not be kept for longer than the period stipulated in the government guidance. Physical documents should be shredded, and digital records should be permanently deleted, including any copies held in back-ups and cloud storage.
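Steps 1 and 5 both come down to rules a visitor register can enforce mechanically: reject any field the scheme does not need, and erase records once the retention period has passed. The following is an added illustration, not code from Hamlins, the ICO or the government scheme. The field names, the sample visitors and the 21-day retention figure are assumptions chosen for the example; the actual period must be taken from the current government guidance.

```python
"""Added example (not from the article): a minimal contact-tracing visitor log
that enforces data minimisation on intake and time-based erasure on purge.
Field names, sample data and the retention period below are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed: the only fields the scheme needs. Anything else is refused at intake,
# so staff cannot quietly start collecting extra details "while they are at it".
ALLOWED_FIELDS = {"name", "contact", "arrival"}


@dataclass(frozen=True)
class Visit:
    name: str
    contact: str
    arrival: datetime


class VisitorLog:
    def __init__(self, retention_days: int):
        # Retention is a parameter rather than a constant because the
        # government guidance changes; set it from the latest version.
        self.retention = timedelta(days=retention_days)
        self._visits: list[Visit] = []

    def record(self, submitted: dict) -> Visit:
        """Accept a visitor form, rejecting unnecessary or missing fields."""
        extra = set(submitted) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"unnecessary fields rejected: {sorted(extra)}")
        missing = ALLOWED_FIELDS - set(submitted)
        if missing:
            raise ValueError(f"required fields missing: {sorted(missing)}")
        arrival = submitted["arrival"]
        if arrival.tzinfo is None:
            # A naive timestamp makes the retention cut-off ambiguous.
            raise ValueError("arrival must be timezone-aware")
        visit = Visit(submitted["name"], submitted["contact"], arrival)
        self._visits.append(visit)
        return visit

    def purge(self, now: datetime) -> int:
        """Erase every record older than the retention period; return how many."""
        cutoff = now - self.retention
        before = len(self._visits)
        self._visits = [v for v in self._visits if v.arrival >= cutoff]
        return before - len(self._visits)

    def count(self) -> int:
        return len(self._visits)


def demo() -> tuple[int, int, int, bool]:
    """Run the intake/purge flow on constructed sample data (not real visitors)."""
    log = VisitorLog(retention_days=21)  # assumed period; check current guidance
    t0 = datetime(2020, 8, 1, 12, 0, tzinfo=timezone.utc)
    log.record({"name": "A. Visitor", "contact": "07700 900000", "arrival": t0})
    log.record({"name": "B. Visitor", "contact": "b@example.com",
                "arrival": t0 + timedelta(days=10)})
    try:
        # Date of birth is not needed by the scheme, so intake must refuse it.
        log.record({"name": "C. Visitor", "contact": "c@example.com",
                    "arrival": t0, "date_of_birth": "1990-01-01"})
        rejected = False
    except ValueError:
        rejected = True
    first = log.purge(t0 + timedelta(days=22))   # only the first visit has expired
    second = log.purge(t0 + timedelta(days=40))  # now the second has too
    return first, second, log.count(), rejected


if __name__ == "__main__":
    print(demo())
```

Removing an entry from the live store is the easy part; the purge must also reach exports, spreadsheets, e-mailed copies and back-ups, which is why step 5 above calls for permanent deletion rather than simply tidying the register.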

The ICO has stated that it will take action if it encounters any inappropriate handling of personal information. Hamlins has already helped many of our clients update their policies to ensure compliance in light of the COVID-19 pandemic. For further information on how COVID-19 might affect your business practices and the data you hold, please contact Matthew Pryke.
