Case Study 1: Asking employees if they are experiencing coronavirus symptoms
A manufacturing company is concerned about COVID-19 spreading amongst its staff – the nature of their work means they are unable to work from home.
The company is considering a range of measures to keep its employees safe, including regular cleaning, wearing face coverings, and asking staff to complete a short questionnaire at the start of each week about whether or not they have any symptoms.
What are the key data protection considerations?
If the company introduced a measure that involves processing personal data (such as a questionnaire), it would need to comply with data protection law – the data must be processed lawfully, fairly and transparently. It should also consider the need to complete a Data Protection Impact Assessment before any measures are put in place.
The company needs to be clear, open and honest with staff about how and why it would use their personal data, how long it would be kept for, and who it would be shared with. The staff should also be told how the information would be held securely as well as the rights they have in relation to the data.
The company may be able to use ‘legitimate interests’ as its lawful basis for the processing. Health data is ‘special category data’ under data protection law, so an additional special condition is needed for the processing to be compliant – the company’s health and safety obligations could be the relevant special condition here.
If the company can demonstrate that the processing is a necessary and proportionate way of protecting its staff and their working environment, data protection laws wouldn’t prevent it – but it needs to consider whether the proposed processing activity actually achieves that aim and whether the same result could be achieved through less intrusive means. The ideal processing solution would achieve the desired aim in the least intrusive way possible.
In making this assessment, it should keep up to date with the latest government guidance – in particular around social distancing, wearing face coverings, and the general requirement to self-isolate when experiencing symptoms. The company should think carefully about whether a questionnaire achieves anything different to these measures that would make it a necessary step to protecting its staff.
Case Study 2: Risks involved in staff handling personal information collected for contact tracing purposes
A pub is required to collect customers’ personal details for the purpose of assisting with local contact tracing requirements. Staff at the pub collect basic information such as a name and contact number from people.
A staff member at the pub who has access to these customer logs wishes to speak privately to a particular customer outside of work, and decides to take their information from the logs to do so. As a result, the customer is contacted by the staff member and feels that their personal information has been used inappropriately. The unwanted contact causes them distress.
What are the key data protection considerations?
Organisations that do not handle personal information properly run the risk of breaching data protection law, which could have serious consequences for both the organisation and their staff.
In this scenario, the customer information is collected for the sole purpose of assisting a contact tracing scheme. This information must not be used for any purpose other than disclosing it to contact tracing personnel. This purpose should be made clear to customers.
It is important the pub’s management provide training to their staff so that they understand what they should and shouldn’t do with customer information. Management should also ensure that staff are aware that it is an offence under the Data Protection Act to obtain or disclose customer information without the consent of the organisation.
Although organisations cannot always safeguard against rogue behaviour from a member of staff, there are basic measures that should be in place to help ensure the safety and security of customer and visitor information.
If paper records are used, they should be kept out of public sight and in a safe place, with measures to prevent malicious access (eg locked doors, safes and keeping them out of sight and out of reach of customers during opening hours).
The pub’s management could also consider a digital solution in which access can be controlled by password or other access controls.
Whatever approach is taken, staff need to be properly trained so they understand how to play their part in ensuring that the system works effectively, in compliance with data protection law.
Personal information collected for the specific purposes of contact tracing cannot be used for direct marketing or advertising, profiling a customer base or analysing demographics. This would be considered as a misuse of the information.
Case Study 3: Collecting young people’s personal information for the purpose of contact tracing
A public library wishes to assist a contact tracing scheme by collecting basic information from visitors, probably a name and contact number.
For contact tracing, normally the library would record information from visiting adults, or family groups that may include children, but there are times where a young person or group of young people may visit the premises on their own. The library wants to know what to do when an unaccompanied young person visits the library.
What are the key data protection considerations?
If there is an adult in the group of visitors then it is sensible to record their details rather than a child’s.
We advise that the library checks the relevant government guidance pages to ensure they are following the correct procedures in terms of the age of those whose contact details they should be collecting. The library should not conduct intrusive verification checks to determine a child’s age; for example, asking whether a visitor is over a certain age would be sufficient.
If there are no government guidelines on the age limit for collecting customer contact details, the library will have to make a sensible decision about whether or not they think that the young person can understand why contact information is being collected, and what will happen with their information. In order for the collection and use of this information to be fair, it is very important that the library is transparent when collecting this information.
If staff at the library believe a child is below the age required to provide this information as set out in government guidelines, and do not think that the young person is able to understand why this information is required, they should exercise caution and not collect their contact details. The library should not deny access based on age, if they would usually allow young people to visit unaccompanied by an adult.
Library staff could place posters at entrances and around the premises that can be understood by all ages. In the case of younger visitors, library staff could greet visitors on entry to explain the process.
Organisations should bear in mind the risks involved in processing children’s data, which must be managed carefully.
It is very important that information about young people is kept securely, that it is not visible to other adults visiting the premises, and that access to it by staff is strictly limited.
Further information on processing children’s data is available here.
Case Study 4: Manually collecting customer contact details
Based on Government guidance, a café is now legally required to collect customer contact details for contact tracing purposes. They will be downloading a government QR code poster and encouraging people to scan it when they visit. However, they have a few regular customers who do not have a mobile phone, and they want to make sure they have alternative methods to collect this information. They have thought about having a list and a pen by the door, and directing people to sign in when they enter the café, but are not sure if this is appropriate.
What are the key data protection considerations?
Whilst the café may encourage the use of government app QR codes as their main way to collect visitor and customer contact details, use of the government apps is voluntary. Organisations should also have an alternative method to collect this information. Businesses will need to decide which alternative method is most suitable for their business and their customers.
If the organisation has decided to collect this information manually, they should not do so with an open list which is in public sight. The café must ensure that they have appropriate security measures in place to protect this information. There is a risk that a customer could write down the contact details of another customer, or that an unattended list of individuals, especially one left by a door, could be stolen. The café may want to consider whether they should collect this information digitally, for example through secure, access-controlled software.
If the café does still decide that manually collecting this information is the most suitable alternative for their business, they must think about what measures they can put in place to keep their paper records safe, and ensure that their staff are aware of these. For example, they could consider the following:
- Request contact details when an individual makes a booking over the phone. The café informs the individual why the data is needed and how it will be handled, then records the contact details in a closed book which is locked away and only used by a trained member of staff.
- Consider a ballot box style approach. The café could decide to have blank cards requesting basic contact details, and a secure box in an area where it can be monitored by a member of staff. Individuals, or a member of staff, record the contact information on a card, and then place it into the secured box.
- Allocate a trained member of staff per shift to ask for this information when they greet customers. This member of staff knows that they must keep this information secure and that they must explain why they are asking for the details. They ensure that once they have recorded the contact details, they put the list into a secure place which the public do not have access to.
Further information about the relevant security requirements is available here.