ICO publishes guidance for businesses collecting personal data for contact tracing

The guidance provides advice for organisations and small businesses that are required by the Government to collect and retain customer and visitor information, for a limited time period, for the purposes of a COVID-19 contact tracing scheme. It is designed for those who have limited experience of collecting and retaining personal data for business purposes.

On publication of the new guidance, Deputy Chief Executive Paul Arnold said that in order for the contact tracing scheme to work “it is important people feel able to share their personal data with confidence”. So that people can have trust and confidence in the way their personal data will be kept and used, Mr Arnold said that the ICO wants to “help businesses to get things right first time as they adapt to new ways of working”.

The guidance covers the following:

  • Are we allowed under data protection law to collect personal data from our customers as part of a contact tracing scheme?
  • What do we need to tell people when we collect their data for the contact tracing scheme?
  • How do I make sure my collection and sharing of data is lawful?
  • Should I use consent as my lawful basis?
  • How much personal data should we collect for a contact tracing scheme?
  • How long can we keep personal data collected in accordance with government guidance?
  • How do we make sure that the personal data we collect is accurate?
  • What data protection rights do people have in relation to the data we collect about them for a contact tracing scheme?
  • What do we need to do about security?
  • Whom can we share the customer data we collect with?
  • Can we use the personal data we have collected for a contact tracing scheme for marketing or other business purposes?
