Data protection for Test and Trace and Coronavirus (COVID-19) mitigation

The NHS Test and Trace contact tracing service in England, and its equivalents elsewhere in the UK, are no longer part of the Government’s Coronavirus (COVID-19) prevention strategies. The winding up of these schemes has implications for data protection compliance.

Organisations throughout the UK are no longer being asked to collect staff, customer, and visitor contact details, or to ask people to scan NHS QR codes or sign into venues. Additionally, organisations have largely been asked to delete any data that they recorded to share with contact tracing services.

For more information on current Coronavirus (COVID-19) guidance throughout the UK, read the Scottish Government’s website, the Welsh Government’s website, and the UK Government’s guidance for England.

Personal data collected for contact tracing purposes should only be kept for as long as it’s needed. Specific guidance on how long data should be kept is provided by relevant public health authorities (ie for England, Wales or Scotland). However, it has generally been recommended that the data is retained for 21 days before being disposed of or deleted securely. This means that, generally, organisations that are still storing test and trace data should delete it. Care needs to be taken that any such deletion or disposal does not risk unintended access. Organisations should, for example, shred paper documents and ensure permanent deletion of electronic files.

It is still possible to collect data relating to people’s Coronavirus (COVID-19) status whilst remaining compliant with the UK’s data protection rules under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018, if doing so is genuinely necessary for a specific purpose (eg maintaining staff and client safety). To safely collect this data, organisations should be careful to do the following: 

1. Consider whether it’s still necessary to collect this data

Coronavirus (COVID-19) data collection and data protection practices were formed in the context of a fast-developing emergency situation. The Information Commissioner’s Office (ICO) recommends that, to assess whether collecting Coronavirus (COVID-19) data is still necessary, organisations should consider: 

• how does continuing to collect extra Coronavirus (COVID-19)-related personal data help to keep your workplace or venue safe?

• do you still need the information you’ve already collected?

• could you achieve your aims (eg a safe workplace) without collecting this personal data?

If you decide that, based on these considerations, collecting personal data isn’t necessary, your organisation’s collection and processing may no longer be compliant with data protection principles. 

2. Dispose of any information that your organisation no longer requires 

You should assess all of the additional personal data that your organisation has collected and stored during the pandemic (eg data collected during Test and Trace programmes or about staff members’ vaccination statuses) and consider whether it’s still necessary for you to store this data. If it’s no longer required, dispose of it securely. 

3. Ensure any data collection and processing is compliant with the existing advice

If you decide it’s still necessary for your organisation to collect personal information, you should make sure that you adhere to the data protection principles and advice contained in the remainder of this guide. 

For more information on ongoing data protection compliance, read the ICO’s guidance.

Personal data is information that relates to individuals who can be personally identified from that data. It includes (amongst other things) names, addresses (including email addresses), and telephone numbers.

There is a further 'special category' of 'sensitive personal data', which, amongst other things, includes information about physical and mental health conditions and genetics. Sensitive personal data requires extra protection. Information about people’s Coronavirus (COVID-19) status and vaccination status falls into this category. For more information about personal data and sensitive personal data, read Data protection.

Data processing is any use of personal data for reasons other than personal reasons. It includes obtaining, recording, and storing personal data. For more information, read Processing personal data.

Organisations should only collect personal data which it’s necessary for them to maintain records of for the purposes of preventing the spread of Coronavirus (COVID-19), to maintain staff, client, and visitor safety. This data may include names, contact details, and vaccination statuses.

Organisations may also keep a record of all staff working on their premises on any given day, the times of their shifts, and their contact details.

If your organisation is collecting customer data for Coronavirus (COVID-19) mitigation purposes, you need to make this clear and inform individuals about the information being collected. 

Organisations should be open, honest, and clear about the data they collect and who they will be sharing that data with. This can be done by displaying signs - such as privacy notices - on premises or online. 

Organisations should not collect personal data in a way that is misleading, detrimental, or outside of what a person would reasonably expect. For example, you should make clear to customers that you are collecting their personal data to ensure you’re aware of risks to clients’ health associated with Coronavirus (COVID-19).

You must not use information that you collect for Coronavirus (COVID-19) mitigation purposes for advertising or marketing.

The applicable lawful basis that your organisation can rely on to justify its collection of customer, visitor, and staff personal data will depend on the type of organisation it is and whether the Government requires it to collect this information. Under data protection law, there are certain lawful grounds that can justify collecting personal data, which include:

• legal obligation - it is lawful to collect personal data to comply with the law. This ground will no longer apply to data protection for Coronavirus (COVID-19) mitigation purposes, as it did earlier in the pandemic

• legitimate interests - collecting personal data may be in the interests of the individual, the organisation, and public health, if doing so will help to tackle Coronavirus (COVID-19). This ground may still apply to some organisations

• public task - it is lawful to process personal data where it is necessary for allowing  you to perform a task in the public interest (eg to tackle Coronavirus (COVID-19)), where the task has a clear basis in the law. This ground may still apply to some organisations

• consent - in reality, most organisations that are still processing Coronavirus (COVID-19)-related data should be obtaining consent from the people whose data they’re collecting before they collect the data. For more information, read ‘Do I need to collect consent for Coronavirus (COVID-19)-related data collection?’ below

For more information, read Processing personal data and the ICO’s guidance on lawful bases for processing.

Consent is a lawful basis for the processing of personal data. Relying on consent is possible if the people whose personal data is being processed are given a genuine reason why they are being asked to provide their data before their consent is obtained. In other words, the provision of personal data should be truly voluntary. 

Organisations should collect consent when:

• the information being collected is sensitive personal data or could reveal something sensitive about the person involved (eg their Coronavirus (COVID-19) status or vaccination status)

• there is no legal requirement for the organisation to collect personal data

• the organisation will not deny access to its services if an individual does not want to provide their details

Special rules apply around collecting consent. For more information on this, read Consent for GDPR.

Organisations should generally only share customers’ data if it is requested by a legitimate public health authority. If you are contacted by a public health authority, you should take steps to ensure that the caller is genuine. If you are unsure if the telephone number is genuine, check with your local council. Once you are satisfied that the caller is legitimate, you should make sure that you share this information securely. 

Note that you must not share information that you have collected for contact tracing for advertising or marketing purposes.

Where customers’ or visitors’ personal data is collected for Coronavirus (COVID-19) mitigation purposes, organisations need to ensure that they have procedures in place that cover the secure and safe handling of the data. Staff members need to be aware of what they should and shouldn’t do with the data, and organisations must ensure that these guidelines are followed. For example, customer logs should only be available to those who need them, and staff should be trained to keep such lists and logbooks out of public sight. Consider creating a Data protection and data security policy to achieve this.

Failure to handle personal data properly places the organisation and staff at risk of breaching data protection laws, which may lead to severe consequences for both.

For more information, read Data protection.