Keeping records of staff, customers and visitors as part of businesses’ ongoing measures will help minimise the risk of, and control the spread of, communicable diseases.
As part of their statutory duties, employers should consider what action they should take if a visitor or staff member displays any symptoms of a communicable disease (such as coronavirus or norovirus) or has tested positive for coronavirus. Keeping records of staff or visitors who have been on site at a particular time or date is a method businesses have previously used in their coronavirus response to inform a person that they may have come into contact with someone who either has developed symptoms of a communicable disease (including coronavirus or norovirus, for example) or has tested positive for coronavirus.
As it is no longer a legal requirement to carry out coronavirus-specific risk assessments, these emergency practices should be reviewed.
There is specific guidance on the ICO website that can help businesses consider the use of personal information now that the legal requirement to collect records specifically for NHS Wales Test, Trace, Protect (TTP) has ceased.
Keeping records of staff or visitors could be considered as part of businesses’ ongoing measures to help minimise the risk of and control the spread of communicable diseases where this is considered to be a reasonable and proportionate measure. Whether or not keeping records is reasonable will depend on a number of factors. There is a higher risk of coronavirus spreading in some settings. This is because people will spend a longer time in some premises than in other surroundings. Other factors could include the risk a person could pose to others, and the type of activity they undertake, especially if they are in direct, close contact with others who are vulnerable.
What information needs to be collected?
Keeping records of staff or visitors could help minimise further spread of a communicable disease, particularly in the event of an outbreak, as sharing records when requested with TTP or Environmental Health Officers would help identify people who may have been exposed to the communicable disease. Those notified by TTP or Environmental Health Officers could then take extra precautions, especially if they are in contact with vulnerable people.
If businesses identify that collecting contact details is a proportionate measure to help minimise the risk of and control the spread of communicable diseases, enough information should be collected to enable TTP or an Environmental Health Officer to contact a person if a positive case or outbreak is identified. Information required would be:
Staff
- the names of staff who work at the premises
- a contact telephone number for each member of staff
- the dates and times that staff are at work
Customers and visitors
- the names of customers or visitors
- a contact telephone number for each customer or visitor
- date of visit and arrival and departure time
At times you may need to collect the data of children under the age of 18, for example, where a 16-year-old person visits the premises. You must consider any associated risk in retaining this information. You can find further information on these risks on the Information Commissioner’s Office (ICO) website.
If you collect personal data, you are a data controller under the UK GDPR for that data and certain legal obligations will apply to you. Further advice and guidance can be found on the ICO website on what you must do to comply with the data protection legislation. Data controllers should undertake a Data Protection Impact Assessment to support themselves in making the decision about whether such logs are appropriate and can be done lawfully. Specific guidance for SMEs and large organisations is available.
Businesses should be transparent that they are collecting information and for what purpose. Any personal data you collect must be securely stored and only used for the purposes stated in your privacy notice; for example, data collected specifically for communicable disease control cannot be used for marketing purposes. Personal data must not be kept for longer than necessary and must be securely disposed of (or deleted). Keeping it for 21 days from the date of each separate instance in which a person has been on the premises would enable contact tracing, should it be required. Use cross-cut shredders or similar methods to dispose of paper documents. Do not dispose of data in public bins, and ensure permanent deletion of electronic files. You can find more detailed information on data protection and manageable steps you can take to comply in the ICO guidance.
If businesses have destroyed their existing data of staff or visitors, stopped collecting it or have decided not to keep records for these purposes, and are asked by TTP or Environmental Health Officers for information, there will be no repercussions for the business and the TTP or Environmental Health Officers will work with the business in relation to alternative methods in the event of an outbreak.