Coronavirus Track and Trace

 

Adopted: July 2020

Review Date: Ongoing

 

 

Purpose

As a result of the Coronavirus Pandemic the UK Government implemented a programme of Contact Tracing, whereby people were asked to inform them if they had become sick or showed symptoms of Covid-19, and to detail the people they had contact with, or where they had been.

As part of the Covid secure status that was required for venues to reopen, we are required to hold customer details for the purposes of Contact Tracing for up to 21 days.

This caused us concern in regard to GDPR and DPA legislation.

This Policy combines advice and guidance to ensure that we are acting within the legislation under this new requirement.

 

Accountability Principle

Under current legislation “the accountability principle requires us to take responsibility for what we do with personal data and how we comply with the other principles of GDPR. This includes having appropriate measures and records in place to demonstrate compliance”.

Under the Covid-19 secure contact tracing scheme, the Accountability Principle means that we can collect personal data that people provide voluntarily, so long as it is lawful and fair, and so long as we tell our customers what we are doing with it.

We must make sure that the information is adequate, relevant, and limited to what we need, and it should not be used for any other purposes. This means that people can supply information when booking tickets and we can in turn supply that information to the contact tracing service – but unless they have ticked the marketing box, we cannot contact them for other purposes, other than for permitted reasons.

This is no different to what we have been doing in the past. What is new is that we are required to hand over details to a third party in the form of the UK Government – something that we have never done.

 

Lawful Bases

Under GDPR sharing personal/protected data with the Government is covered by the principle of Lawful Bases.

The Information Commissioner's Office states that there are three applicable Lawful Bases for collection, processing, and sharing of this information under the Data Protection Law.

 

That other organisations and venues are also having to take these steps should, however, mean that people are already aware of steps being taken.

 

Communication

This change will have to be communicated to our customers, those who have already purchased tickets and those who we are hoping will.

We will do this via a combination of our online platforms, social media accounts, and by increasing the page count in our brochure to specifically deal with Coronavirus related information.

Our overall message will be that we are being directed to do this, and if you do not wish your data to be shared with the Government programme, it may be better that you did not attend the venue.

This will be complemented with signage at the venue.

We will ensure that all the information contains the following:

We will also refer them to our Data Protection policy which details their rights.

 

What is the personal data we collect for the contact tracing scheme?

We will only collect the personal information that is needed to help with contact tracing. UK Government is likely to specify the exact information we should collect, and we must not collect any more for this purpose.

The information should be limited to staff, customer, and visitor contact details and the date they attended the venue (and time if we have more than one event on during that day).

At this time, the Government has requested that organisations collect only the lead party member’s name, telephone number, and date (and time) of the event/activity.

We have to trust that the person providing the data is providing true information. We cannot ask for identity verification for this purpose – unless the event is age limited etc.

 

Rights under Data Protection Law

Nothing in this policy or the advice received so far has diminished the rights that people have in regard to their data. These include:

The person who has provided the data can ask for these, and any of their other rights to be exercised verbally or in writing.

Nothing has changed in this respect.

 

Sharing of Data

We will only share this data when it is requested by a legitimate authority.

This means checking that the person requesting the data is genuine, and advice in regard to this is available on the Government website.

We cannot offer to share this information – even if we are aware of a positive test from a visitor. It must be requested.

We cannot contact other visitors if we suspect or are aware of a positive test. We can only provide the information to the contact tracing team.

Vulnerable Staff

We will be asking any staff and volunteers who are considered vulnerable (especially those who were shielding) to provide us with more information on their health. This is so that we can limit the amount of risk we are exposing them to. This information would need to be stored securely and only used for ensuring that they will be able to work in a safe environment.

 

Testing

We do not currently intend to handle testing at the venue, however if testing of staff becomes a requirement or knowledge of a test result needs to be recorded then this becomes a further requirement on data protection.

Health data is considered special category data and as such this data becomes subject to more intensive measures, with explicit consent given for the collection and processing of this data.

We will review this part of the policy if this situation occurs and in accordance with the prevailing guidance and legislation.

 

Hirers

We have to ensure that we capture every attendee's details (or the lead booker's), and this means ensuring that Hirers do the same.

We will include as part of our Special Terms and Conditions of Hire the need to collect this data, but will include the statement that we will not be responsible for the processing or handling of the data, unless they are using our systems.

In this instance we will process the data in accordance with the steps described above.

If the hirer is controlling the processing of data we will play no part, to ensure that risk of misuse is minimised.

 

 

APPENDIX 1

Data Protection Impact Assessment – Contact Tracing

This Data Protection Impact Assessment (DPIA) should set out:

· Submitting controller details

Name of controller: John Caldwell
Subject/title of DPO: Contact Tracing during Covid Secure

· Step 1: Identify the need for a DPIA

This particular issue arises from the requirement that Government will place on venues to provide clear and accurate personal data for the purpose of contact tracing in the case of an outbreak of Coronavirus.

As we are a venue with a mid to large capacity (374 seats), and one of the larger venues in the Worcestershire area, there will be a need to ensure that data is handled correctly.

 

The data required appears to be (at this time) name, address and a contact telephone number of any person attending the venue, or the lead booker of a group.

 

· Step 2: Describe the processing

Describe the nature of the processing: how will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved?

The intention at this time is to use our online booking system to collect and process the initial gathering of data. We use a company called Ticketsource for this, and their data gathering is compliant with GDPR/DPA.

Once they collect the data, i.e. when a ticket purchase is completed, we can access that information through our side of the portal.

It is available to us on screen and can also be downloaded in Excel or CSV format.

This can then be forwarded on to an appropriate authority.

If we are running events or activities that do not require an online purchase, we will be conducting a paper-based exercise, and the data will be added to an Excel spreadsheet afterwards.

The processing risk comes in the safe transfer of the information to the third party and ensuring that the data is only used for its stated purpose.

Once it is in possession of the third party, we have no control over how they use this, and Government is using contractors for the tracing process.

We need to consider what happens with events organized and managed by third parties (i.e. private hirers): who is responsible, and what is our liability/legal duty?

 

Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?

The nature of the data is personal and identifiable data in that it includes names, addresses, and contact details specifically for a person.

It does not contain special category data, and we will not be asking for this.

The data we collect will be specific to these three categories, and is data that we would normally collect via our sales process, with the addition of an email address, which at this time we are not being asked to provide to the contact tracers.

The information will only be collected once a person, or the lead booker of a group, completes a sale using our online platform.
If we are running events or activities that do not require an online purchase, we will be conducting a paper-based exercise, and the data will be added to an Excel spreadsheet afterwards.

The data needs to be kept for no less than 21 days.
In reality the online data stays on the Ticketsource system as a “registered user” for future purchases and can be accessed at a future point should it be required.

Any paper-based records we need to employ will be kept for 21 days and then shredded. Any electronic or spreadsheet versions of those lists will also be deleted after 21 days.

We need to consider what happens with events organized and managed by third parties (i.e. private hirers): who is responsible, and what is our liability/legal duty?

 

Describe the context of the processing: what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?
 

The providers of the data are generally our customers (audience etc), or visitors to the venue.

As a venue we do not appear to be (at this stage) at any liberty to ignore the requirement to supply this data to Government. The choice for the supplier of data (customer/visitor) will be that if they do not wish to give this information, they simply do not attend the event/activity.

As the tracing scheme is being rolled out to other venues, such as pubs and restaurants prior to our reopening, the requirement to provide data will be established prior to their attendance at our venue.

All persons attending, or the lead booker for a group, will be expected to provide their details. This will include children and vulnerable people – however in this instance it will be their parents or caregiver who will be considered the lead booker.

As described in the Lawful Bases section above, we believe, as we are being instructed by Government to collect this data, that we have grounds to collect and process this data.

The providing of this information to a third party is new for us and our customers, as we have not shared data with a third party in the past.

The processing risk comes in the safe transfer of the information to the third party and ensuring that the data is only used for its stated purpose.

Once it is in possession of the third party, we have no control over how they use this, and Government is using contractors for the tracing process.

Our ticketing provider has the technology to support this data collection and processing – the issues will not be at their end.

 

There has been some resistance to the implementation of this across various sectors, but opposition seems to be diminishing in the face of it becoming another “new abnormal”.

 

Describe the purposes of the processing: what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly?

We want to achieve compliance with Government instructions so that we can reopen the venue.

The only intended effect on individuals is that they can have confidence in attending events and activities at the venue, and that if someone falls ill as a result of attending the venue they can be contacted and given information in regard to what to do next.

 

The benefit to us is that we can reopen.
The benefits to our community and users/visitors are confidence, security, and advice if needed.

· Step 3: Consultation process

Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?

As we are being instructed by Government to collect this data, and this fact is being well advertised at a national level, we feel that we do not need to consult too widely.

 

We will advertise the data collection through our normal channels and displays, and as it's becoming part of regular life we believe that visitors will expect us to do this, and, we hope, have confidence in the fact that we are.

Other than seeking advice from the ICO, and industry/sector bodies we do not intend to seek advice from other sources.

 

· Step 4: Assess necessity and proportionality

Describe compliance and proportionality measures, in particular: what is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?

The Lawful Bases of the collection and processing of this data are illustrated in this document.

The processing of this information will achieve the purpose it is collected for – if it is needed.

We feel that the steps highlighted above are the easiest and simplest means to collect and process the data.

We will only use the information for the intended purpose, and the processing of the information will be kept to the smallest number of people possible.

We will advertise the reasons for collecting the information, and we will include the way that the information will be handled, including links to our website etc.

 

We can only guarantee data processing is complied with at our end. Once the information leaves us (if it does) for legitimate purposes it is beyond our control and we only have the Government's word that it will be used correctly.