4. Secure Collection, Storage and Disposal of Data
Premises covered by this guidance will need to gather minimum contact details for all customers and visitors to support Test and Protect.
Information to Collect
The following information should be collected by the premises, where possible:
Staff and volunteers
- The names of staff and volunteers who work at the premises
- A contact phone number for each member of staff and volunteer
- The dates and times that staff and volunteers are at work
For larger establishments, and where possible, it is also helpful to keep a record of what areas staff or volunteers work in within the premises.
Customers and visitors
- The name of each customer or visitor, or when attending as a small household group, the contact details for one member of that group - a 'lead member' - noting the size of the group
- A contact phone number for each individual, or for the 'lead member' of a small household group
- Date of visit and arrival and, where possible, departure time
If a customer does not have a telephone number, premises may give people the option to provide:
- A postal address
- An email address
How to collect data
Contact data will need to be collected by premises for each customer or visitor, or for the 'lead member' of a small household group, upon their arrival, or for certain events, it may be helpful to share a list of known attendees with a host establishment in advance, e.g. an attendee list for a wedding reception or funeral.
Many establishments that take bookings already have systems for recording contact information - e.g. hairdressers, theatres, restaurants - which can serve as the source of the information above. Where applicable, this could include taking bookings online or over the phone. If a premise uses an existing booking or ticketing system to collect data for the purposes of this guidance, establishments should be mindful that existing privacy notices may require updating.
If not collected in advance, this information should be collected at the point that customers enter the premises. Customers and visitors will need to be informed of the need to provide information upon their arrival. The resources below include a poster that can be put up in an establishment to alert customers to this need, and copies of the Privacy Notice should be displayed to inform people of how their information will be used and protected.
Information should be recorded digitally if possible, but a paper record is acceptable too. Writing contact details in a book or register and destroying these safely when the 21 day retention period is over is acceptable so long as the register is kept out of public sight and stored securely. Similarly, digital records must be securely deleted at the end of the 21 day retention period. Staff need to be identified and appropriately trained for this. To minimise the risk of virus transmission during this process, any written information should be noted by a designated member of staff and not by each individual visitor/customer or group.
The ability to record departure times where possible, as well as arrival time (including staff shift times) is important to reduce the number of customers/visitors/staff needing to be contacted (and potentially asked to self-isolate) by NHS Scotland's Test and Protect service, although it is acknowledged that in certain circumstances this may be more difficult.
If someone does not wish to share their details
When individuals share their contact details for this purpose, it will support NHS Scotland's Test and Protect service to control the spread of the virus and therefore we are asking that people continue to play their part. You should encourage the individual to share their details in order to support NHS Test and Protect and advise them that this will only be used in the event of an outbreak or if a number of new cases are tracked back to the premises. Their information will then be used to inform them if they may have been exposed to a positive case or cases.
If the individual still does not want to share their details but wishes to proceed with a booking and/or use your service, you should make a note not to share this if you still need to collect their details for booking purposes. If you do not need their details for booking purposes, then simply do not collect their details. It is also within the rights of individuals to request to access the data held on them, or to request that it is deleted or corrected. In those circumstances, premises should comply with such requests.
There is no legal requirement that individuals provide their data for NHS Test and Protect purposes, so if you want to continue to offer your services to customers or visitors that do not choose to provide their information, then you can do so. Establishments are also equally entitled to refuse to allow a member of public onto their premises if they do not share their contact details for the benefit of Test and Protect. Employers should make clear to their employees the approach that they wish them to take in these circumstances.
How to store data securely
Once contact details have been gathered either electronically or physically, the business will be the data controller, The data must not be shared with individuals or organisations other than those specified in the privacy notice. All contact data should be stored somewhere secure. Establishments should not use the data to directly contact visitors, customers or staff, even in the event of a known outbreak within premises.
You should hold records for 21 days from the date of each separate visit of a staff member/customer/visitor. This will ensure full cover of the typical incubation period and additional time during which people may be infectious whether after symptom onset or not to allow for testing and contact tracing.
Following this, data will no longer be required to be held by the premises and must be disposed of securely.
If data is shared with NHS Scotland on the basis of individuals being identified as at risk of having been exposed to COVID-19, NHS Scotland may need to retain the data for longer than the 21 day period and will hold the data in line with NHS information governance processes. NHS Scotland may also need to share information with other local and statutory delivery partners as part of responding and containing the virus, such as Local Authority Environmental Health Departments. More information about the NHS Scotland information governance arrangements is available here: https://www.informationgovernance.scot.nhs.uk/covid-19-privacy-statement/
How to dispose of data
After 21 days, data must be disposed of.
If you are using a paper register then pages can be removed daily after the retention period is over and destroyed through secure shredding or other destructive process. Where IT systems are used, establishments will need to ensure that data collected for Test and Protect and other epidemiological purposes are not retained beyond the stated period and do not become part of a wider marketing or other resource.