Data Protection and Test and Protect: What about the GDPR?
Date: 11/08/2020 | COVID-19, Data Protection & Information Law, Regulatory Law
On Friday 7 August 2020 the Scottish Government announced that it will be mandatory to collect contact details of customers in a range of hospitality and public settings. Up until Friday the ‘rules’ were contained in Government Guidance which does not have the force of law backed up with criminal penalties. It seems likely that from Friday premises who do not collect contact details under the Test and Protect regime in Scotland will face enforcement action, which is likely to include criminal penalties.
The previous Guidance set out the requirements under data protection legislation and provided a template privacy notice which was very helpful for any organisation to understand what information it should be collecting and why.
The information would only be shared with NHS Scotland when requested by them and that would only be in the event of a cluster of coronavirus outbreaks linked to the premises. This would allow NHS Scotland to contact the individuals who were present at the same time as anyone testing positive to provide them with advice about testing and isolating.
Legal basis for processing data
This also meant that in data protection terms, the legal basis for collecting and sharing the contact information was that it was in the legitimate interests of the business and wider society to process the data in this way: this interest being the need to control the spread of the virus. This legal basis requires balancing the interest against the impact on the individual customer or visitor. The Guidance stated that the impact on the individual was minimal and given the significant interest that everyone has in supressing the virus, it is hard to envisage circumstances where it could be argued that the invasion of privacy when someone is asked to provide contact details to the café they are eating in, could outweigh that important interest.
As the collection of information was not mandatory, customers and visitors could refuse to supply it. It was then up to the business as to whether or not it would allow the customer or visitor to use its services. In practice this could be a difficult decision for businesses who are keen to open up and start recovering from the last few months.
The Likely Impact of Mandatory Collection
It seems likely that the Government will amend the Health Protection (Coronavirus) (Restrictions) (Scotland) Regulations 2020. Once the new provisions are in place, it has been announced that certain premises, particularly in hospitality, will have a legal obligation to collect contact information. This could make things simpler for those businesses. The legal basis for the collecting (and possibly sharing) the personal data will be that it is necessary to comply with a legal obligation. It will therefore be easier for those organisations to refuse to provide their services to customers or visitors who refuse to supply contact data. However it could make things more tricky for those who continue to collect the contact data under the previous Guidance – that remains to be seen.
If the 2020 Regulation are amended the penalties for organisations who fail to comply without a reasonable excuse are contained in this legislation. Organisation are likely to face a fixed penalty of up to £60 and/or face criminal prosecution and a fine of up to £10,000. In addition, business owners and managers could face prosecution on an individual level as well.
Additional Data Protection Issues
The Scottish Government produced a template privacy policy for the previous Test and Protect regime and it is hoped that they will do this again. This is helpful for businesses and all staff to read so that they can provide accurate reassurance to customers and visitors about what will happen with their personal data. So, for example contact details will be kept for 21 days only for the purpose of the Test and Protect regime. Posters were also available to explain this to customers and visitors.
Organisations must ensure that they collect and store the data in a secure way. If it is in written form, ensure that it Is not left lying around. If you are using technical solutions, ensure that any additional processing is made clear. If you are collecting contact data anyway, then you must still explain that the information will be collected for the additional purpose of Test and Protect, shared when necessary with NHS Scotland and not used for the purpose after 21 days – even it is being stored for other reasons.
Conclusion
Trust and personal data is important at all times. During this crisis there have been a number of issues which have lead to a lack of trust between individuals and Government bodies in particular. Test and Protect is important to all of us and organisations need to get it right in order to do their part in keeping everyone safe.
For practical advice on how to get this right, please contact Laura Irvine.
