Is your business or event collecting guest information for COVID-19 contact tracing? As the pandemic continues, tracing infected individuals is effective for limiting community spread, but gathering contact tracing information comes with its own challenges. Before you start collecting names, emails or phone numbers, here are 10 points you need to know.
10. The Information You Collect for Contact Tracing Is Only for Contact Tracing.
Privacy laws globally are clear on this one. Personal information collected for a specific purpose can only be used for that purpose. Never add contact tracing details to marketing databases, CRM systems or research lists.
9. Are There Privacy Laws That Apply?
When collecting personal information, are there any privacy laws that apply? An increasing number of countries worldwide have privacy laws. These may stipulate what you can do with personal information, and how it should be treated. For example, a restaurant in Germany must comply with the EU's General Data Protection Regulation. In New Zealand, the Privacy Act of 1988 often applies. In Canada, PIPEDA and some provincial laws lay down privacy requirements for the private sector.
8. Ask for the Minimum Amount of Information Needed.
COVID-19 tracing does not need an individual's birth date, SIN number, credit card or blood type. Getting the name of the individual and how to get in touch if an exposure has occurred is plenty. You may also collect information about where the party is from, or if they’ve travelled recently, but don’t go overboard. Detailed demographics are not needed, and raise questions about the purpose of your personal information (PI) gathering.
7. Verify the Information Is Accurate
Can't read someone's handwriting? Uncertain if you've spelled their name and email address correctly? Take one minute and get the individual to confirm there are no errors in the information they've provided. Nothing like bad data to cause frustration down the road.
6. Never Give Out Contact Information
Don’t assume you’re free to disclose personal information as you please. Individuals are giving their information to you, and only you. If someone asks to see the information, the answer is no, unless:
- They can verify they are the original data subject. In most circumstances, data subjects have a legal right to access their own information.
- They can verify they are a health official intending to use the information as part of COVID tracking, per municipal/provincial/state/national health department efforts. This disclosure is part of the original purpose for collection. To avoid confusion, tell individuals at the time of collection that their information may be subject to such disclosures.
- They have a warrant, subpoena, or court order. Here, get the request in writing, and confirm the legal provision that allows access to the PI. Hold on to your records as evidence of the formal request.
5. Keep Contact Tracing Information in a Secure Location
When storing PI, some level of safeguards must be in place to prevent unauthorized access. Never leave contact tracing information out in the open. If on print media, consider a locked drawer or office, while digital files should be at least password protected. Take reasonable precautions that PI isn't lost, stolen or seen by the wrong persons.
4. Find Out How Long Information Should Be Retained, and Then Get Rid of It.
A common component of privacy laws is that you can only hold PI while it fulfills the original purpose. For tracking potential COVID-19 exposure, that means PI has a short shelf life. Consider shredding or deleting information one month after collection. This will give officials time to find and notify potentially exposed individuals if there's an active case. After a month, the PI no longer has contact tracing value.
3. Be Open, and Prepare to Answer Questions on What You Will Do With the PI
Individuals have a right to know what you intend to do with the information you collect. This is the reasoning behind privacy notices and website privacy policies. One of the easiest ways to be open about privacy practices is to explain them in writing, in a form that an individual can access anytime. If collecting contact details for COVID-19 tracing, the requirement for a written notice will depend on the law. More importantly, have information on your privacy practices readily available upon request. If asking for PI, be ready to explain why you need it, how you intend to use it and how you will protect it.
2. You Are Accountable for the Personal Information Your Organization Collects
Personal information differs from many other data types. Wrongful disclosures and abuse of PI can cause minor inconveniences or substantial harm. The damage depends on the information, individual and specific abuse. Organizations are responsible for PI under their control, and someone must be accountable.
Take charge: establish the rules for what you’re doing, how and why. What about your team: do they understand the limits on use and disclosure, and any care instructions? Does everyone need access to it in the first place? Make sure everyone who will be helping you collect, process and retain the information is on board.
1. Without Trust, the Entire Exercise Is a Moot Point
Contact tracing is a valid way to determine COVID-19 cases and exposures. Getting potentially infected individuals to isolate is critical for public health. But there's a hitch: it doesn't work if individuals don't trust you with their information. If you can't be trusted with PI, contact tracing goes out the window. Why should individuals hand over PI to you if they don't trust you to be responsible in its use? Why go to your event, your business, when they can go elsewhere? What's to stop them from giving out incorrect names or contact details, rendering the PI worthless? Inaccurate information means discomfort, future distrust, and renders the exercise a moot point. If your business or event is going to go to the trouble of collecting contact information, give individuals a reason to trust you. Pay attention to privacy.