The Irish Data Protection Commission (DPC) has published guidelines for businesses who must collect contact details from customers, to assist them in navigating their data protection obligations to protect the privacy rights of customers while also following the Government's advice.
Main points
- Minimise the amount of data collected – Businesses should only collect data that they need for contact tracing or compliance purposes, e.g. name, contact number, time and date of attendance. In the case of licensed premises, the sale of meals to customers must be recorded for compliance purposes. However, the DPC points out that this does not require businesses to ask customers to verify their identity.
- Be transparent about why the data is being collected – Businesses and their staff should be able to explain clearly to customers the purpose for collecting the personal data. If an online booking system is used, information could be provided at this point to advise customers that their details will be retained for contact tracing.
- Store the data securely – If the data is stored electronically (although this is not necessary), businesses should ensure that the system is secure. Contact tracing details should not be kept in such a way that they are visible to other customers, and businesses must ensure that the information is kept securely and confidentially.
- Limit the data to the purpose for which it was collected – Businesses cannot use the data for other purposes such as direct marketing. The data should also not be disclosed to any third parties except public health authorities who request it for contact tracing purposes if necessary.
- Delete data when no longer required for contact tracing or compliance purposes – The current public health requirement is that contact details should be retained for one month. Accordingly, businesses should schedule regular deletion and destruction and should ensure that the data is disposed of safely, including shredding any manually held data. Businesses should also remember to delete the data from recycle bins as well as from any cloud-based backup files (where stored electronically).
The obligation to comply with data protection law is not waived during the COVID-19 pandemic. Accordingly, businesses should, without delay, review their contact tracing procedures to ensure that they are data protection compliant.
For more information, please contact Maureen Daly or any member of the Data Protection team.