Collection of personal data - privacy notice
For the health and safety of the customers and staff in these premises, we must collect the name and contact details of visitors to these premises to support NHS Scotland’s Test & Protect. This information will be used to enable NHS Scotland to contact you should you have been in the premises around the same time as someone who has tested positive for coronavirus. Contacting people who might have been exposed to the virus is an important step in stopping the spread.
Why do we need to collect this data?
As stated above, the purpose for which we are processing your personal data is to assist with NHS Scotland’s Test and Protect strategy in relation to the coronavirus public health epidemic.
This will involve the gathering and, when required, the sharing of information with NHS Scotland as the responsible body for Test and Protect. Your data will not be used for any other purpose. In order to assist in the containment of the virus, we will only share your data when it is requested directly by NHS Scotland.
This will only be in the unlikely event there is a cluster of coronavirus cases linked to the venue. Information will be transferred securely to NHS National Services Scotland who will use the data to contact trace those who were in the establishment at the same time as the positive case, and will provide guidance and support to those who may be advised to self-isolate. For further information on the NHS Scotland Test and Protect strategy please visit the NHS website.
What data will we collect?
Along with the date and time of your arrival and departure, we will collect the following personal data if applicable:
- your name; and
- contact telephone number.
If you do not have a telephone number, you have the option to provide:
- a postal address; or
- an email address.
Where multi-household groups are present, we will collect contact details from a ‘lead member’ of each household, along with the number in attendance from each household within the group.
What is our lawful basis for collecting and sharing this data?
Under data protection law, GDPR Article 6(1), we have a number of lawful bases that allow us to collect, process and share personal information. In this case, the lawful basis for processing your data is ‘legal obligation’.
In short, we are obliged to process the personal data to comply with the law which requires us to collect your data and share it with public health officers if they request it under The Health Protection (Coronavirus) (Restrictions) (Scotland) Amendment (No. 11) Regulations 2020.
How long will we retain the data?
Your personal data, collected for the purposes stated in this privacy notice, will be held by us for at least 3 weeks (21 days). All personal data will be held and disposed of in a safe and secure manner.
As defined in the data protection law, GDPR Article(s) 12-23, you have the following rights:
- The right to be informed about the collection and use of your personal data. This is outlined above.
- The right to access the information we hold about you. Also known as Subject Access Request (SAR).
- The right to request rectification of any inaccurate personal data we hold about you.
In certain circumstances exemptions to these rights may apply.
Further information is available on the Information Commissioner’s Office website.
Do you have a complaint?
If you consider that your personal data has been misused or mishandled by us, you can raise this with the data controller. In this instance, the data controller is the manager of this venue. If you remain dissatisfied you can make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner’s Office Wycliffe House
0303 123 1113
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
Central Enquiry Unit
Phone: 0300 244 4000
The Scottish Government
St Andrews House