‘Don’t create your own records of customer status’ – ICO warns venues on Covid Pass data-protection duties

Written by Sam Trendall on 16 December 2021 in News

Regulator updates guidance after introduction of new measures


After the introduction of domestic vaccine status checks, businesses have been warned not to keep records of customers’ vaccination or testing information.

As of 6am yesterday, the presentation of an NHS Covid Pass is a condition of entry for nightclubs and some large events, including concerts and sports fixtures.

Following the implementation of the measures across England, the Information Commissioner’s Office has published updated guidance to help businesses in scope of the new rules to keep on top of their data-protection responsibilities.

Venues that perform only visual checks on digital or hard-copy documents are advised that this does not constitute the processing of personal data and GDPR is not applicable in this case. 

Those that use a scanning app to automatically validate users’ passes are engaged in personal-data processing, the ICO advised, and must thus ensure compliance with GDPR and all other data-protection statutes. 

This includes establishing a lawful basis for the processing – in this case the legal obligation to do so is likely to be sufficient. 

Other considerations include being open and transparent about how, why, and what data is collected, and ensuring that staff can answer customers’ questions about data collection and processing. Firms are also reminded to ensure that all processes are secure, and that only the official NHS Covid Pass Verifier app is used to scan customers’ passes.

Whether status checks are digital or only visual, businesses are instructed: “Don’t create any of your own lists or records with your customers’ status.”

“Data protection is one of a number of factors to consider when… implementing Covid-status checks,” ICO guidance said. “You should take into account: employment law and your contracts with employees (if you are considering checking employees’ COVID status); health and safety requirements; and equalities and human rights, including privacy rights.

“You should also consider other regulations specific to your sector, as well as current public health advice and the latest government guidance in your part of the UK.”

The NHS Covid Pass is available via the NHS app, where it can also be downloaded as a document that can be printed or displayed offline. Citizens can also request a letter to be sent to them which, as with the digital versions, will include a secure QR code.

The passes provide evidence of all doses received of a coronavirus vaccine – including third and booster jabs. The passes are also available for anyone who has recorded a negative test in the previous 48 hours.

The certifications are, however, no longer issued on the basis of natural immunity, where someone has recorded a positive test in the prior 180 days.


About the author

Sam Trendall is editor of PublicTechnology. He can be reached on sam.trendall@dodsgroup.com.

