By Conor Hogan, Global Privacy Practice Lead at BSI Consulting Services
Many businesses face challenges as they reopen this week with adaptions made for pandemic guidelines focused on employee and customer wellbeing and safety.
Data collection and management is a key part of the guidelines for contact tracing purposes. Fáilte Ireland recommends that businesses take the name and contact details of one person in each party and securely retain the data for one month. The person who gives their details is also advised to keep a record of who is in their party should details be required for future contact tracing.
Whether a business is large or small, transparency, necessity and proportionality are important considerations for the collection and use of personal data. Data captured for contact tracing or health and safety purposes must also ensure the protection of individuals’ rights.
Recovering from the global pandemic requires significant efforts and will demonstrate the resilience we have as a nation. While the right to privacy is not absolute, it must be balanced with wider benefits to society. Legislation such as the GDPR has special provisions for processing personal data in the context of public health emergencies. The following three tips provide a balanced approach for businesses undertaking contact tracing:
• Be transparent - explain to your customers as clearly as possible what information you are collecting, why you are collecting it and what you will do with it. Many firms already collect personal information for bookings, so do not over-engineer anything and keep things simple.
• Do not over-collect, and only collect the minimum amount of information you need - the information required for contact tracing is minimal, don’t add unnecessary elements. Businesses must not use this information for advertising or marketing activities. If you record the information in your usual booking software or physical books, then it is critical that a robust process is put in place to destroy or delete this information when it is no longer needed.
• Keep the information you collect secure - a dedicated diary is likely sufficient but implement simple and effective controls to secure it, such as restricting access to limited staff members and storing it in a safe place. Investing in a new piece of software (e.g. mobile app) requires careful due-diligence to ensure security and data protection-by-design measures are engineered into the system to protect your customers’ fundamental rights. Be alert to “quick fixes”, or “magic technology solutions”. As the data controller you are responsible for maintaining the confidentiality and integrity of the information collected. “Free” apps or solutions may siphon off and use customers’ data for other purposes.
Strengthening a business’s information resilience by reducing the risk of mishandling of personal data and the likelihood of a personal data breach is crucial as we move forward into the next phase of re-opening. Our “next normal” cannot be built on an abuse of fundamental rights, it must be grounded in the protection of those rights balancing societal benefit and the public health response required.