‘Don’t create your own records of customer status’ – ICO warns venues on Covid Pass data-protection duties

Written by Sam Trendall on 16 December 2021 in News

Regulator updates guidance after introduction of new measures

Credit: Lufc83/CC BY-SA 3.0

After the introduction of domestic vaccine status checks, businesses have been warned not to keep records of customers’ vaccination or testing information.

As of 6am yesterday, the presentation of an NHS Covid Pass is a condition of entry for nightclubs and some large events, including concerts and sports fixtures.

Following the implementation of the measures across England, the Information Commissioner’s Office has published update guidance to help businesses in scope of the new rules to keep on top of their data-protection responsibilities.

Venues that perform only visual checks on digital or hard-copy documents are advised that this does not constitute the processing of personal data and GDPR is not applicable in this case. 

Those that use a scanning app to automatically validate users’ passes are engaged in personal-data processing, the ICO advised, and must thus ensure compliance with GDPR and all other data-protection statutes. 

Related content

This includes establishing a lawful basis for the processing – in this case the legal obligation to do so is likely to be sufficient. 

Other considerations include being open and transparent about how, why, and what data is collected, and that staff can answer customers’ questions about data collection and processing. Firms are also reminded to ensure that all processes are secure, and that only the official NHS Covid Pass Verifier app is used to scan customer’s passes.

Whether status checks are digital or only visual, businesses are instructed: “Don’t create any of your own lists or records with your customers’ status.”

“Data protection is one of a number of factors to consider when… implementing Covid-status checks,” ICO guidance said. “You should take into account: employment law and your contracts with employees (if you are considering checking employees’ COVID status); health and safety requirements; and equalities and human rights, including privacy rights.

“You should also consider other regulations specific to your sector, as well as current public health advice and the latest government guidance in your part of the UK.”

The NHS Covid Pass is available via the NHS app, where it can also be downloaded as a document that be printed or displayed offline. Citizens can also request a letter to be sent to them which, as with the digital versions, will include a secure QR code.

The passes provide evidence of all doses received of a coronavirus vaccine – including third and booster jabs. The passes are also available for anyone who has recorded a negative test in the previous 48 hours.

The certifications are, however, no longer issued on the basis of natural immunity, where someone has recorded a positive test in the prior 180 days.


About the author

Sam Trendall is editor of PublicTechnology. He can be reached on sam.trendall@dodsgroup.com.


Share this page




Please login to post a comment or register for a free account.

Related Articles

Standards watchdog flags up accountability concerns over ministers’ use of WhatsApp
13 January 2022

Lord Evans tells MPs that personal messaging platforms should only be used by ministers if doing so can be properly regulated

DfT to explore ‘digitisation of the kerbside’
6 January 2022

Department plans discovery exercise to explore potential use of new tools and data sources

DCMS agency recommends industry kitemark for AI systems
5 January 2022

The Centre for Data Ethics and Innovation has called for a competitive market for assurance providers

Year in review: How technology defined 2021’s biggest stories
31 December 2021

Digital and data once again had a starring role in supporting – and, occasionally, hampering – government’s work this year. PublicTechnology looks back at the most significant events.