Creepy Callers…

The Pit Falls of the NHS Track and Trace Service

What is Track and Trace and how does it work?


• The contact tracing app is designed to let users know if they have been in close contact with someone who tests positive for COVID-19.

• The purpose of the app is to track down people who have been in contact with an infected person and alert them to self-isolate.
• 
The app keeps track of people you have been in contact with through Bluetooth signals.

• If another person tests positive for the virus you will be notified and told to self-isolate.


Creepy callers…


Despite the positive intent for the service, there are many examples of personal information being used for the wrong reasons.


Bus worker sacked for sending text messages


A worker has been sacked for sending creepy text messages to a woman using the track and trace contact details.


The woman went on a bus tour in Windsor and provided her name and phone number in case she needed to be contacted if there was a coronavirus outbreak. She was then shocked when she received several text messages from the bus driver asking if he could see her again.


The bus driver was subsequently sacked following an investigation. The company are now introducing a new system for track and trace where personal data will be stored more securely.


This is not an isolated incident


A University student from Glasgow went out for a meal and drinks in Edinburgh and gave her number at the restaurant. She later got a text from a man asking if she wanted to meet up. The student confirmed that she had not given her number out apart from the Track and Trace system.


All business owners are supposed to ensure they have a secure method for storing the data before it is passed on to a Test and Trace team then destroyed within 21 days—and failure to comply can result in a fine between £1000 and £4000.


A Department of Health and Social Care spokesperson said “The unauthorised use of customers’ information provided for contact tracing is unacceptable and every business must comply with all data protection legislation.”


What can employers do to protect themselves?


Collect customer and staff information


As well as collecting the information of customers it is vital to collect information from your staff. While you may think this information is easy to maintain, many independent businesses may not be retaining all the information that is needed. With that being said make sure that both sets of information are GDPR compliant.


Collect only relevant information


The information you collect from both customers and staff doesn’t need to be extensive and certainly doesn’t need to be more personal than usual data collection. Keep the information you collect simple, their name, email, contact number and their time of arrival and departure in your business. Collecting other data can be seen as invasive and reflect poorly on your business.


Store your data appropriately


When you collect data from staff or customers make sure all this information has been organised properly. The information is important if needed so ensure it is all correct. Additionally, you must store the data securely, meaning that you should make sure this information cannot be seen by other customers or anyone that is not in charge of keeping these records. The customers are not bound by law to give their information to you, so by giving it to you they are trusting that you can keep it secure. A breach of this information is obviously not GDPR compliant, further demonstrating its importance.


Use your data professionally


Once you collect the information there are a few ways that the use of this data can fail your compliance. If you are a business, such as in the hospitality sector that normally collects personal information—as long as you are GDPR compliant—you are free to continue to store and use that information.


However, if your business does not normally collect personal information and are only collecting for the purpose of Track and Trace, then you cannot use this information in any other way and must dispose of it after the required length of time has been reached. It must not be used for general marketing and other opportunistic ways that fall outside of contact collection. Doing so would be a GDPR violation. Businesses that would want to use the collected information for marketing purposes must make this known at the time the information is collected. Customers are likely to be upset if they find this data being misused and will reflect poorly on your business.

Please speak to a DLP Advisor if you wish to discuss the above in more detail.