‘Don’t create your own records of customer status’ – ICO warns venues on Covid Pass data-protection duties
Regulator updates guidance after introduction of new measures
Credit: Lufc83/CC BY-SA 3.0
After the introduction of domestic vaccine status checks, businesses have been warned not to keep records of customers’ vaccination or testing information.
As of 6am yesterday, the presentation of an NHS Covid Pass is a condition of entry for nightclubs and some large events, including concerts and sports fixtures.
Following the implementation of the measures across England, the Information Commissioner’s Office has published update guidance to help businesses in scope of the new rules to keep on top of their data-protection responsibilities.
Venues that perform only visual checks on digital or hard-copy documents are advised that this does not constitute the processing of personal data and GDPR is not applicable in this case.
Those that use a scanning app to automatically validate users’ passes are engaged in personal-data processing, the ICO advised, and must thus ensure compliance with GDPR and all other data-protection statutes.
This includes establishing a lawful basis for the processing – in this case the legal obligation to do so is likely to be sufficient.
Other considerations include being open and transparent about how, why, and what data is collected, and that staff can answer customers’ questions about data collection and processing. Firms are also reminded to ensure that all processes are secure, and that only the official NHS Covid Pass Verifier app is used to scan customer’s passes.
Whether status checks are digital or only visual, businesses are instructed: “Don’t create any of your own lists or records with your customers’ status.”
“Data protection is one of a number of factors to consider when… implementing Covid-status checks,” ICO guidance said. “You should take into account: employment law and your contracts with employees (if you are considering checking employees’ COVID status); health and safety requirements; and equalities and human rights, including privacy rights.
“You should also consider other regulations specific to your sector, as well as current public health advice and the latest government guidance in your part of the UK.”
The NHS Covid Pass is available via the NHS app, where it can also be downloaded as a document that be printed or displayed offline. Citizens can also request a letter to be sent to them which, as with the digital versions, will include a secure QR code.
The passes provide evidence of all doses received of a coronavirus vaccine – including third and booster jabs. The passes are also available for anyone who has recorded a negative test in the previous 48 hours.
The certifications are, however, no longer issued on the basis of natural immunity, where someone has recorded a positive test in the prior 180 days.
Lord Evans tells MPs that personal messaging platforms should only be used by ministers if doing so can be properly regulated
Department plans discovery exercise to explore potential use of new tools and data sources
The Centre for Data Ethics and Innovation has called for a competitive market for assurance providers
Digital and data once again had a starring role in supporting – and, occasionally, hampering – government’s work this year. PublicTechnology looks back at the most significant events.