The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Note: this information is for organisations which: 

  • collect data for their own purposes;
  • don’t have a legal requirement to collect and disclose personal data to contact tracing. You should check government guidance to see whether you are required to collect this information. Government guidance has been published and varies for England, Northern Ireland, Scotland and Wales; and
  • are concerned about whether they can disclose data to contact tracing schemes.

If your organisation is required to collect this data, please refer to our guidance here.

Case study 1: Collecting data ‘just in case’ for disclosures to a contact tracing scheme

An organisation processes personal data as part of their day-to-day business purposes. They are aware that there is a legal requirement for certain organisations to collect customer, visitor and staff data, but they do not fall within a sector that is legally required to do so. The organisation wants to collect this information ‘just in case’, although this isn’t what they would normally do.

What are the key data protection considerations?

A key data protection principle is data minimisation, so you should only collect personal data that is adequate, relevant and limited to what is necessary. Mandatory collection and disclosure of customer, visitor and staff data to contact tracing schemes only applies to specific organisations, such as those in the hospitality sector and close contact services. For more information, see Government guidance for: England, Scotland, Wales and Northern Ireland.

If the organisation isn’t one of the sectors this applies to, they should not be collecting information ‘just in case’ there is a need to disclose information to a contact tracing scheme.

Case study 2: People objecting to the disclosure of their information to a contact tracing scheme

A local authority processes data about their staff and people they support through their social work department as part of their day-to-day business. A contact tracing team calls and requests the personal data of anyone who has been in contact with Jane, a social worker who has tested positive for COVID-19. The local authority has the records of all the employees and members of the public that Jane has contact with, but is concerned about whether they can disclose this information. They are concerned that people may not have consented and may object to the disclosure.

The local authority checks government guidelines and understands that they are not legally required to maintain these records for contact tracing purposes. However, as they hold this information as part of their usual course of business, they want to know what they need to consider before they share this information.

What are the key data protection considerations?

The right to object

Where there are reasons for sharing data in the public interest, such as public health, data protection law does not stand in the way of data sharing. Organisations can disclose data when requested by contact tracing schemes, unless there is a compelling reason not to.

Where disclosures to a contact tracing scheme are not mandatory, and the local authority chooses to rely on public task or legitimate interests, then the GDPR gives people the right to object to the processing of their personal data. The local authority needs to take into account people’s views if they have strongly objected to their personal data being disclosed. The local authority also needs to consider what information people are told about how their data is handled and whether it’s within their reasonable expectations for the local authority to share their data with a contact tracing scheme.

However, the right to object is not absolute in these circumstances. Where they have received an objection, the local authority could still go ahead and share the data with the contact tracing scheme, if they are satisfied that disclosing for reasons of public health overrides individual interests or any duty of confidentiality.

Even if someone doesn’t exercise their right to object, the onus is on an organisation to assess any requests for disclosure they receive and ensure that disclosure is necessary and proportionate in those circumstances. They should also be mindful of compliance with the other data protection principles, such as data minimisation and accuracy.

It's important for organisations to be able to justify their reasoning and clearly document their decision in case someone challenges their disclosure.

Case study 3: Schools collecting and sharing information for contact tracing purposes

A number of parents contact a high school, stating that they object or do not give their consent to their information or their child’s information being shared with contact tracers.

They have not yet had any cases of COVID-19 or calls from contact tracing, but are trying to prepare just in case. The school does not need to collect extra information as they already have registers, class lists and parent contact details. But they are considering sending out a letter to all parents to ask for their consent to share this information with contact tracing teams.

What are the key data protection considerations?

It is not mandatory for the school to provide the information to a contact tracing scheme, but that doesn’t mean that the school needs parental consent to share any requested information. Data protection legislation enables organisations to share data where it is necessary, justified and proportionate to do so. In the context of the pandemic, sharing data with contact tracing schemes for public health reasons is justified unless there are compelling reasons not to do so.

The GDPR has several lawful bases for sharing data. Consent may not be the most appropriate lawful basis to rely upon for sharing the data in these circumstances. It may be more appropriate for the school to rely on public task or legitimate interests instead, for sharing data with a contact tracing scheme.

For further information about sharing information with a contact tracing scheme and lawful basis please see our guidance on lawful basis.

If the school chooses to rely on public task or legitimate interests, then the GDPR gives people the right to object to the processing of their personal data. The school needs to take into account the parent or guardian’s views and the reasons why they have strongly objected to their personal data or their child’s personal data being disclosed. The school also needs to consider what they have told parents, guardians and children about how they are handling their data, and whether it’s within their reasonable expectations for the school to share their data with a contact tracing scheme. However, the right to object is not absolute in these circumstances.

Where they have received an objection, the school should consider whether the objection or any risks of sharing the data outweigh the public interest in disclosure for public health reasons. The school could still go ahead and share the data with a contact tracing scheme if they can demonstrate disclosure for public health reasons overrides the parent, guardian or child’s interests.

The school should clearly document its justifications and decision-making process in the event of any queries or complaints.

The school should already hold information necessary for contact tracing, if it’s required. Instead of sending letters asking for parental or guardian consent, the school should clearly inform them that they may need to share their details or their children's details with contact tracers (NHS test & trace and others) for contact tracing purposes. The school should also review the information they hold to make sure it is accurate, by asking parents to ensure the contact details they hold are up to date.

Case study 4: Disclosing personal data to a contact tracing scheme where organisations have a duty of confidentiality

A counsellor tests positive for COVID-19 and is approached for the details of the people they have been in close contact with. The counsellor is concerned that, as they owe their patients a duty of confidence, they are not able to disclose this information.

What are the key data protection considerations?

Where there is a duty of confidence, a controller (ie the counsellor) may wish to ask for the consent or explicit consent of their close contacts before they disclose the information. They would need to meet the high threshold of consent, to ensure that it is freely given and fully informed. Our guidance has more detail.

There may be circumstances where it is not appropriate to seek consent, or the controller can’t obtain consent.

In these circumstances, the duty of confidence may be overridden, for instance, where disclosure is genuinely necessary to serve the public interest or where it outweighs an individual’s interests in maintaining confidentiality.

In the case of disclosing personal data to a contact tracing scheme, it’s possible that disclosure serves the public interest, because the controller is sharing information with contact tracers with a view to advising or treating someone who may be infected with COVID-19. But controllers should think about this carefully, taking into account the nature of their relationship with their patient, and whether any disclosure would cause them any damage or distress.

We would encourage controllers to be open and transparent with those they meet in a professional capacity, by making them aware that disclosure of personal data is likely to happen if they are contacted by the contact tracing scheme. This could be achieved by providing written information or clearly explaining it to their patient verbally.