Publication - Advice and guidance

Coronavirus (COVID-19) Test and Protect: multi-sector guidance on collection of customer and visitor contact details – July 2020

Guidance to support customer and visitor data gathering for businesses and other establishments to assist contact tracing as part of NHS Scotland's Test and Protect system.

Coronavirus (COVID-19) Test and Protect: multi-sector guidance on collection of customer and visitor contact details – July 2020
3. Lawful Basis for Data Collection

3. Lawful Basis for Data Collection

It will be important to ensure that data is collected and handled in line with data protection laws. To help you make sure you are compliant with data protection regulations, the Scottish Government has published a template Privacy Notice, setting out the terms of how data should be gathered, stored, used and disposed of. The privacy notice is how your business or organisation will demonstrate compliance with Article 13 of the General Data Protection Regulation (GDPR) that sets out what information needs to be provided when data are collected from the data subject (e.g. customers, visitors, staff).

The privacy notice can be viewed online and should also be downloaded and made available in each establishment so that members of the public providing details are informed as to what will happen with their data.

The privacy notice sets out the purpose for which the data is being collected, what data is being collected, the lawful basis for doing so, how long the data will be retained, what rights customers have over this data and how to complain to the establishment and the ICO if there is a concern.

As a controller, each business or organisation will be using the GDPR lawful basis of 'Legitimate Interest'. This is a balanced lawful basis that has minimal impact on the customer or visitor and they have the right to object and to have their data erased. Establishments should respect that choice if it is made. Where an individual is not willing to provide their data, it is a decision for the business or organisation whether to make services available to that individual or to refuse entry or a booking.

The Privacy Notice has been published as a supporting document to this publication.

For more information on GDPR and how to access GDPR training, please visit www.ico.org.uk.


Contact

Email: CPE@gov.scot