The Government’s response to COVID-19 has seen numerous pieces of emergency legislation come into force.
One of the most recent pieces of legislation, which aims to enable the national contact tracing effort, is The Health Protection (Coronavirus, Collection of Contact Details etc and Related Requirements) Regulations 2020 (the Regulations), which came into force on 18 September 2020. Quite a mouthful…but food for thought!
The Regulations require certain persons to collect information from individuals who enter their premises. If you fall within the definition of a ‘relevant person’ who is required to collect this information under the Regulations, you must also make sure that you continue to comply with the applicable data protection legislation in respect of your collection and use of this information.
Who do the Regulations apply to?
The Regulations apply to any relevant person (which includes any individual person or company, partnership, charity, corporation, unincorporated association, sole trader or other organisation having a legal personality) who operates or occupies ‘relevant premises’. These are defined as:
“a set of premises, whether indoors or outdoors, that are operated or occupied wholly or partly for the purpose of providing a service or activity listed in the Schedule directly to an individual who wishes to access that service or participate in that activity.”
The services and activities are listed within the Schedule to the Regulations and they include services and activities such as sports clubs, museums, restaurants, cafes and public houses. You will need to check the list of services and activities to establish whether your premises are caught under the Regulations.
Importantly, the Regulations also apply if you hire or use relevant premises on a temporary basis, for the duration that the relevant premises are hired or used.
What information do we need to collect under the Regulations?
One of the obligations the Regulations impose on relevant persons is the obligation to collect certain information from individuals and those in a group seeking to enter relevant premises. There are exceptions to this obligation which include:
- where the purpose of the individual’s visit is exempt from the requirement – exempt purposes include visits by the police, emergency responders and visits for delivery purposes
- where the individual is under 16 years of age; or
- where the individual is unable to provide the information because of a physical or mental disability.
Where the obligation does apply, however, the information which must be collected includes:
- the name of the individual
- a telephone number on which the individual may be contacted
- an e-mail address if the individual is unable to provide a telephone number
- a postal address if the individual is unable to provide an email address
- the date and time that the individual entered the relevant premises; and
- where the individual is a member of a group seeking permission to enter relevant premises together, the number of people in that group.
If an individual scans a relevant QR code when seeking to enter the relevant premises, then the above information need not be collected. Where that individual is part of a group, however, the above information should still be collected from the remaining members of the group who have not scanned the QR code.
In addition, the Regulations require relevant persons to disclose the above information as directed by the Secretary of State and/or the Public Health Officer.
What are the data protection issues and how do we address them?
The information listed above will be the personal data of the individual to whom it relates. This means that, if you are required to collect this information in compliance with the Regulations, you must also make sure you comply with all applicable data protection legislation. The data protection legislation which will apply to your collection and use of this personal data will include the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 (GDPR).
You will therefore need to ensure that your collection and processing of the personal data is compliant with the principles under the GDPR and, in addition, you may also need to take some or all of the following steps in respect of your data protection compliance:
- updating your Customer Privacy Policy to include:
  - the additional categories of personal data (listed above) which you are required to collect about individuals under the Regulations
  - the additional purposes for which you will be collecting individuals’ personal data e.g. for the purposes of adhering to your obligations in respect of contact tracing
  - any additional lawful bases which you are relying on for processing individuals’ personal data for the purposes of contact tracing e.g. it is necessary for you to process the individual’s personal data to comply with your legal obligations under the Regulations
  - confirmation that you may be required to share individuals’ personal data as directed by the Secretary of State and/or Public Health Officer
- updating your Record of Processing Activities to confirm that you will be collecting, processing and sharing individuals’ personal data for the purposes of your compliance with your legal obligations under the Regulations in respect of contact tracing; and
- updating your Records Retention Policy to confirm that all personal data collected and processed in compliance with the Regulations will be deleted 21 days following its collection.
It is also worth noting that the information you collect under the Regulations should only be used for the purposes of complying with the Regulations. If you want to collect and use an individual’s personal data for any other purpose (such as marketing) you should keep this data collection entirely separate from the information you collect under the Regulations. This will avoid causing confusion to the individual whilst allowing you to remain transparent about why you are collecting the individual’s personal data and the lawful basis on which you are relying for such processing of their data.
If you would like to discuss any aspect of your data protection compliance, please contact a member of our Data Protection Team.
This article is from the winter 2020 issue of Food for Thought, our newsletter for those working within the food and drink industries. For further information please contact a member of Birketts’ Food Team. To download the latest issue, please visit the newsletter section of our website.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at December 2020.