Technology As the Covid-19 pandemic reduces in numbers of fatalities, the UK Government launched a new tech initiative to keep the public safe on 28 May 2020 called Track and Trace. It was first rolled out on the Isle of Wight on 5 May 2020. Since then, it has gone nationwide.
What is Track and Trace?
It is a means to identify those who have had close contact with a person that has tested positive for Covid-19 using a tracing service created by the UK Government. The Government has said it will take on 18,000 contract tracers; 3,000 of those will be qualified public health and clinical professionals. To conduct the task of Track and Trace, these NHS Contact Tracers will be contacting and asking people who have been exposed to self-isolate for 14 days.
There are a few issues with this service. The tracing App has been delayed until the wintertime and many staff say it is under-utilised. There has also been public concern about their personal data. People are questioning how it will be used and if it will be safely stored.
However, there is another challenge. It will only work if employers, restaurants, companies and business owners that have visitors obtain and process this information. This means they will need a process for this. Our recommendation would also be for them to have a policy regarding obtaining, storing and sharing this data to maintain clear guidelines.
Previously only health professionals and key workers could obtain a Covid-19 test. Things have now changed and anyone who has the classic symptoms of Covid-19, meaning a cough, high temperature, sore throat and flu-like symptoms can attend a testing centre and have a free Covid-19 test. The Government will obtain a copy of their ID, name and date of birth, which will be recorded at the test centre. By attending the test centres and having the Covid-19 test, people will be giving explicit consent for their data to be used in accordance with the Data Protection Act 2018 and the GDPR.
However, what about those that now attend business premises? If a positive test is reported from that premise, those details can be passed to the Government’s Track and Trace operators. Is consent a lawful requirement? Is this mandatory? What duties will the business have?
Many businesses that routinely take bookings probably already have systems for recording some of this data – including restaurants, hotels, and hair salons. The pandemic means that many are putting in place ‘advanced booking only’ services. It is hoped that these systems can serve as the source of the information that is needed, without placing too much onus or additional cost on the businesses.
Current policy revisions
Businesses will need to consider their current (if they have one) Data Protection policies. The business will need to keep this data secure, delete it as necessary and process it promptly if required to do so. This information should only be used for Track and Trace and isolation. This is for public safety and security so businesses will need to reassure customers that their data will be used ethically and protected by the law.
What is the definition of ‘Personal Data?
Personal data is defined under data protection laws, the Data Protection Act 2018 and the General Data Protection Regulations (GDPR) to be:
- Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
- Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.
- Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
- The GDPR protects personal data regardless of the technology used for processing that data. It is technology-neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper. All personal data is subject to the protection requirements set out in the GDPR.
Recording this Personal Data
This data needs to be held securely, and customers are to be advised why these details are being recorded. Some companies have barcodes to scan your details, and some ask you to complete a form. We have seen many places writing this on a piece of paper where you can see everyone else’s data. We also have to question, since no ID is being checked, whether the quality and reliability of the data will be worthwhile as people are genuinely nervous of sharing their data and question whether it will be adequately protected.
A business needs to carry out a risk assessment about processing this data. It should also have a Data Protection policy and process available for parties to see. We also have to question should all businesses be registered with the Information Commissioner’s Office, even when beforehand this was not necessary. Some businesses have never needed to consider personal data processing, but to enable Track and Trace to function, businesses with visitors will need to consider their position.
If this type of data has always been collected, businesses now just need to make staff, customers and visitors aware that their contact information may now also be shared with NHS Test and Trace.
GDPR came into force on 25 May 2018. We, as individuals, are “data subjects” as the legislation describes us. It means we have a right to control and know more about our personal data, and who is using and processing such data. A data subject/individual has the following rights:
- Request access to your personal data.
- Request correction of your personal data.
- Request erasure of your personal data.
- Object to processing of your personal data.
- Request restriction of processing your personal data.
- Request transfer of your personal data.
- Right to withdraw consent.
The Track and Trace scheme is now underway and started on 28 May 2020 without the launch of the Coronavirus App. So far, it has been said that 20,968 people who tested positive had been referred to the Track and Trace scheme.
As technology lawyers, we often see how legislation is out of date and cannot keep up with the law. We see ethics and morals overridden in the name of technology and the need for data. We also see people’s concern over giving too much away and to a seemingly hackable platform.
We are aware that they government are looking to work with and agreeing to use Apple/ Google alternative technologies.
Consent requirements vary
Unlike GDPR requirements, businesses do not have to inform every customer individually and get evidenced documented consent. The ICO have stated: “Most organisations will not need to rely on consent. But there are some notable exceptions You should not use consent as your lawful basis unless it is truly voluntary to provide personal data”. It is in this matter going to be voluntary to provide such data and it is also going to be within the public and legitimate interest to do so.
The Government has suggested that displaying a notice at the premises or on your website is sufficient. It should set out what the data will be used for and the circumstances in which NHS Track and Trace might access it.
Employers keeping their employees safe
Large companies throughout the world have also created systems for tracking employees. They say that if an employee catches the coronavirus, they have a logged and traceable contact history, which can identify which other workers need to quarantine without closing the entire business. It can also pinpoint where contact took place so that a company can put in place extra measures. It sounds commercially sensible and an excellent use of technology within the risk assessment process.
Employees have however expressed concern over their safety and information that could ultimately be used to dismiss them. For example, it could be used to identify those who repeatedly breach the social distance rule or who are in the wrong place at the wrong time. It could be used as a useful tool to identify training and support rather than something to catch staff out.
The message is that the public and companies alike, including tech companies, need to be aware of the updates and movements in terms of Track and Trace. The Government needs to ensure it will function for the key purpose to keep people safe from Covid-19. It will also need to rely on businesses working with them to collate this data.
We will all have a part to play. If people are travelling to work, employers should encourage employees, workers, and consultants to use the App, when it launches, to protect themselves
We hope that all businesses will be mindful of the App and Track and Trace as we integrate this into the new normal. Every business and employer needs to look at their risk assessment, processes and policies to integrate this technology to protect its staff and customers. Likewise, we as the public need to embrace the technology and cooperate to give it any chance of succeeding. To do this, businesses and individuals need assurances as to the use, safety and importance of their personal data.
Karen Holden is the Managing Director & Founder of A City Law Firm who practise both commercial law and litigation, having been admitted to the roll in 2005. If you require further advice or assistance, please do not hesitate to contact [email protected]
A City Law Firm Limited is a leading entrepreneurial law firm in the city of London, with a dynamic and diverse team of lawyers. It was awarded most innovative law firm, London 2016 and Business Law firm 2017. They specialise in start-up business law, the tech industry, IP and investment.