Advice: Storing customer details for test and trace? Don’t forget GDPR, says Lawgistics

Keeping on top of GDPR regulations is just as vital as it was before the pandemic – that’s the advice of automotive legal firm Lawgistics.

Speaking on Car Dealer Live yesterday (13 August), legal advisor Nona Bowkis explained the regulations around storing details for NHS Test & Trace – a new hurdle that businesses across the country are getting to grips with.

‘We get quite a few GDPR questions’, said Bowkis. ‘Furlough and so on have taken over, but two years ago everything was about GDPR. You can’t forget that, and people can still – and are – complaining.

‘This should be a straightforward thing. The government has said, you need to take their details. And the ICO, who police all things data protection, there is some guidance from them.’

While the motivations behind keeping this customer data may be honourable, businesses still need to keep themselves covered from a GDPR point of view, Bowkis told us.

‘You have to have it in your privacy policy and say: “We will be taking, as per government instructions, your details for [Test & Trace]”. You’re only allowed to take the details that you need: name, contact number and the time they arrived.

‘And the guidance at the minute is to keep [these details] for 21 days and then destroy them, so that needs to be written into the policy as well.’

Bowkis also urged caution for those seeing the increased data capture as a business opportunity.

‘You can’t use those details as a sneaky way of doing some marketing! They’re not for marketing purposes, purely for track and trace’, she added.

Test & Trace is just one of the many changes businesses across the UK have needed to make in the wake of Covid-19 – and it’s not the only thing you should be mindful of from a GDPR point of view, Bowkis reminds us. Even changes to how you communicate with staff, such as using Zoom or Skype, could have implications.

‘If you’re doing anything differently in your business, you need to keep reviewing that GDPR policy. It’s not something you did back in 2018 and can forget about: you need to update it all the time,’ she said.

As far as Test & Trace is concerned, however, businesses don’t need to panic – provided that they’ve kept their privacy policy up to date, of course.

‘People will complain to the ICO, because people love complaining,’ jokes Bowkis. ‘But, GDPR article 6 sets out all the reasons why you can process data. One of them will be legitimate interest, and in this case particularly, it’s in the public interest.

‘I would hope that the ICO would say that you’re quite entitled to keep those [details]. But, it’s got to be in your privacy policy – if you get investigated, the ICO will know you’re taking it seriously and have tried to do all the right things.’
