Supporting NHS Test and Trace: practical advice for businesses

In his daily briefing on 23 June, the prime minister asked businesses to help NHS Test and Trace by collecting contact details from customers when they start to reopen after 4 July (we'll save the big picture 'surveillance state' commentary for another time/place). There's no official guidance or agreed-upon technical solution just yet, so what should in-scope businesses actually be doing in the meantime? Here are our seven practical tips to get you started.

1) Don't panic!

  • Privacy groups have been quoted as saying that businesses are being asked to become data controllers "overnight" but that's highly unlikely to be true. Most affected businesses will not be starting from scratch. They have staff, take bookings and market to customers… they're already handling lots of personal data and the legal principles are the same here.

2) Look for easy wins

  • Do you already have electronic booking systems in place or do you already keep handwritten table booking information that you could use as a starting point?
  • Could your HR team help develop the commercial/ops teams' thinking, given that they're used to handling lots of sensitive personal data?

3) Keep it very simple

  • Think about what you can do… this doesn't have to be slick/beautiful/expensive
  • We'd strongly suggest that you keep things simple. In our experience, ease of use is key to good data governance; otherwise people can go horribly wrong (often with good intentions)
  • Beware the solution that's too good to be true. These are your customers and you will be responsible for protecting the data. If a third party offers a solution that seems too good to be true, ask the hard questions: what do they get out of it, where's the data going, who's seeing/using it?

4) Keep almost everything to a minimum

  • Minimise the amount/types of data that you collect, minimise the number of people given access to it, minimise the period for which you retain it…
  • But don't scrimp on transparency – the public will become used to this but you will still need to be open about what you're collecting and why (think notices front of house, updates to online privacy policies etc.)

5) Be accountable

  • If it isn't already, make data and privacy someone's job. Give that person time and access to information. There will almost certainly at some point be specific guidance from relevant authorities in the UK, but in the meantime there is generic but helpful guidance and information available on the ICO's website
  • You will need to be able to demonstrate compliance with data protection law – this is easier when there are clear structures and processes in place. This is especially true in industries that engage a lot of casual or short-term staff

6) Awareness and training

  • Make sure everyone understands what data needs to be collected (and what doesn't) and why, and that it's everyone's responsibility to protect the data from unauthorised access, misuse, loss etc. (and everyone's responsibility to act quickly and appropriately if something does go awry)…
  • Deliver and reinforce messages about the seriousness of the issue: taking or misusing the data could result in personal criminal liability for staff members and serious impacts on the business (e.g. big fines, major reputational harm)

7) Think really hard about information security

  • What CAN you do? No-one expects you to rival security at MI5, but you absolutely must not ignore or take shortcuts on this issue
  • For example, can you put notebooks in locked rooms/cabinets, can you keep access logs, can you password protect electronic documents? Make sure you securely destroy hard copies and permanently delete electronic copies as soon as you can.

The situation will evolve. Businesses' role in NHS Test and Trace (and their approach to the privacy risks that go along with that) will need to be agile yet robust. We must hope that our Government will learn from other countries as well as from some of their own previous mistakes on this issue and that clear and appropriate guidance will be forthcoming soon. That's the cautious optimism that we all now know and love…
