Why Contact Tracing Could Be a Data Protection Nightmare for Small Business
As businesses begin to reopen after the Covid-19 lockdown, many are facing new requirements to collect personal details from their customers in order to support contact tracing. But without experience in handling personal data they could be exposing themselves to existential risks…
Under section 2.1 of the Government advice for re-opening hospitality businesses in the UK (issued 23rd June 2020) it states that:
“The opening up of the economy following the COVID-19 outbreak is being supported by NHS Test and Trace. You should assist this service by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your business, and assist NHS Test and Trace with requests for that data if needed”
What is personal data?
Under the General Data Protection Regulation (GDPR) which came into effect in EU (including UK — under the Data Protection Act 2018) in May 2018, there are some very specific requirements for what is or is not allowed to be done with personal data, but to understand these we must first be clear on what personal data is.
The first part of the provision is fairly obvious and easy to understand. It states that personal data is any data which relates to living persons who “can be identified or who are identifiable, directly from the information in question”. So that includes name and address, email address, phone numbers, national insurance numbers and so on.
So far, so good — this is obviously personal data any most people would recognize it as such. However, the legislation also contains a second type of data that is classed as personal data and that is
“any information relating to natural persons who can be indirectly identified from that information in combination with other information”
That’s a bit of a mouthful but in short, any information that when combined with any other piece of information allows an individual to be identified is in scope. That means things like ticket numbers, transaction IDs and receipt numbers all fall into scope — you could look these up and combine them with other details such as payment or contact records to identify who made the booking or payment.
So pretty much all the data that a restaurant, pub or café might now be being asked to collect to support contract tracing is personal data, and that means many businesses who have not previously had to worry about managing this suddenly find themselves classified as Data Controllers, and must comply with the legal obligations GDPR brings.
What are the risks?
Key obligations include the requirement to hold only data that is required to fulfil the transaction or their legal obligations and not to collect any “excess” information above and beyond that, the requirement to inform customers of what data is being collected and why and to only use the data for the purposes it was supplied for.
This last one introduces a risk that a business that is not familiar with the legislation may decide to use the personal data they collected to support contact tracing to mail customers with a discount offer. Seems reasonable right? I mean they are previous customers and you have their email or address details… Wrong! This is a clear breach of GDPR because the data was not collected for this purpose and the customer has not consented to you using it this way.
And if you’re thinking you can get around that by getting the customer to consent to you using the data for marketing at the same time they consent to you holding it for contact tracing, then there’s more bad news. GDPR specifically requires that these consents are “unbundled” and must each be given separately by your customer, and furthermore you must assume you do not have marketing consent unless it is given and cannot make consent to marketing a condition to providing your goods or service.
Then there’s the thorny issue of data security. A business collecting personal data has an obligation under GDPR to ensure that the data is properly protected and that in the event of any “data breach” (unauthorized release, loss, modification or sharing of any of the data) this must be reported to the Information Commissioners Office within 72 hours. Such a breach could include a member of your staff using these details to contact a customer for personal reasons, and there have been cases in the UK where this has happened.
At this point you may just be thinking that this is all too much and you’re just going to use good old fashioned pen and paper to record customer details. But there’s more bad news there too… GDPR doesn’t just apply to electronic records, it applies to all records your business keeps. Which means arguably proper, secure retention, management and deletion of paper records is actually more costly and risky than electronic ones.
This is just a summary of some of the issues GDPR brings to a business. Things get more complicated when you consider how you will respond to a Data Subject Access Request. Such a request means that anyone can ask you to provide a complete copy of all personal information you hold on them. You have 30 days to comply but you must provide it, without cost to anyone who requests it from any member of your staff, verbally or in writing. Besides the admin headache of this, consider whether you have notes about customers than you’d be uncomfortable with them reading. I’ve seen businesses who have all sorts of comments about how polite a customer was, how quick they are at paying etc. Besides the potential legal impact, the reputational damage that having to provide these to a customer could bring is enormous, especially in the age of social media.
Failure to comply with GDPR brings potential fines of up to €20 million (that’s about £18 million at the time of writing) or 4% of global turnover, whichever is greater per offence. Whilst it is unlikely that such large fines would be used for a first offence by a small business, that is what the law provides for.
This article is really just a summary of some of the aspects to consider but compliance with GDPR is a cultural and education issue more than a technological one. It is about ensuring that you and your team understand what is required under the legislation and behave in a manner that complies with it so the most important thing you can do is to educate yourself and your staff on the obligations your business has, and the rights that your customers have.
If you are concerned about the impact of GDPR on your business, you can find out more on our website.