Processing Customer Data for COVID-19 Contact Tracing

Date published on: 01/10/2020

The Data Protection Commission have issued a guide for Organisations who process customer data for COVID-19 Contact Tracing. 

This guide will assist Organisations to maintain records of customers who have visited their business while keeping their personal data safe and protecting clients’ and visitors’ privacy rights.

Employers are advised to:

  1. Minimise the amount of data they collect – Only collect the details that are needed to provide for contact tracing or compliance purposes, e.g. name, contact number, time and date of attendance. As this process does not require Employers to ask people to verify their identity, customers should not be asked to do so.

  2. Be transparent with their customers about the reason for collecting this data – Organisations should be able to explain clearly the purpose for collecting personal data. If an online system is used, information could be provided at this point to advise customers that their details will be retained for contact tracing.

  3. Store this information carefully – It is not necessary to use technology to store this information, but if Employers decide to keep it electronically, they must ensure that the system they use is secure and delete the information at regular intervals when it is no longer required. Contact tracing details should not be kept in such a way that they are visible to other customers, and it is important that this information is kept securely and confidentially.

  4. Limit this data to the purpose for which it was collected – This data should not be used for direct marketing purposes or to make contact with customers for any reason. The data should not be disclosed to any third parties except the public health authorities who will request it for contact tracing purposes if necessary.

  5. Delete contact details when it is no longer required to keep them for contact tracing or compliance purposes – The current public health requirement is for a retention period of one month. Employers are advised to schedule deletion and destruction regularly and ensure the data is disposed of safely, shredding any manually held data. If the data is stored electronically, it should also be deleted from the recycle bin and any cloud-based backup files.