So, who knows their alphabet? These are the guidelines to store information about Track & Trace set out in a nice and easy A to E format.
- Ask only for what is necessary.
- Be transparent with customers.
- Carefully store the data.
- Don’t use it for other purposes.
- Erase it in line with government guidance.
Any clearer about what you need to do? Well if you don’t have any policies or processes in place relating to GDPR than the answer will probably be no.
So what can go wrong? Well the fine just for not registering with the ICO when you need to is £400. Who wants to pay out money when they don’t need to?
The principle here is simple. As a qualifying business, or organisation, you are required to follow this. Not should – required!
This simple A to E list specifically covers 6 of the 7 principles that GDPR, and hence the Data Protection Act 2018, has within it. Defy these principles at your peril.
Data Minimisation and Track & Trace
You don’t need their life story, just a way to contact the person attending you premises. So why collect anything but the sparest of contact information?
Here’s a hint – Track & Trace works using texts phone calls and emails to contact people for them to take the appropriate action(s).
Purpose Limitation and Track & Trace
Do not add them to a marketing list, do not send them their bar bill by email, etc. when collecting information for Track & Trace. It’s just not relevant.
But, do remind them that their information may be shared with the appropriate authorities.
Lawful, Fair and Transparent and Track & Trace
The reason you are doing this is simple, it’s a requirement. Not doing it breaks the law. It’s not hard.
You still need to tell them why you are doing it and what is going to happen to their data, even how you will erase, or destroy, it.
Integrity & Confidentiality and Track & Trace
Remember, this could be related to someone’s health and in extreme circumstances their survival. Treat it respectfully and store the records for each day separately.
Keep it securely. Don’t just make a list of people and keep it in a notepad that gets left in an accessible drawer day after day.
Storage Limitation and Track & Trace
Your limit is to store this contact data 21 days. No longer, no less.
When you don’t need it anymore, erase it. This means destroy, nuke, or any other superlative you would like to use. Any individual deserves the respect to have their contact information properly destroyed. Not just screwed up and placed in the round filing receptacle on the floor (commonly known as the bin).
Accountability and Track & Trace
Your obligation is to follow the law. Yes, I do really mean obligation. So whether you enforce 2m distance, or 1m+ with appropriate mitigations, you still need to do everything required for Track & Trace.
As it’s your premises, and if you don’t do it right, you should expect to be in trouble.
Accuracy and Track & Trace
The principle left out of the above explanations is Accuracy. For me this is the most difficult one for the owner of a premises to manage.
How do you know whether the information provided is truly accurate? All you can do is make sure that what you have written down is what has been provided by the individual.
Still confused? Also look at https://eyebray.com/frequently-asked-questions-about-the-first-steps-on-your-data-protection-journey/ or https://eyebray.com/gdpr-the-basics/ to get a more in depth feel about more aspects of your data protection requirements.
There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.
If not, we would be pleased to answer your enquiry through enquiries@eyebray.com , or by calling 0743211611.
