Advice: Storing customer details for test and trace? Don’t forget GDPR, says Lawgistics

Time 1 year ago

Keeping on top of GDPR is just as vital as it was before the pandemic – that’s the advice of automotive legal firm Lawgistics.

Speaking on Car Dealer Live yesterday (13 August), legal adviser Nona Bowkis explained the rules around storing details for NHS Test & Trace – a new hurdle that businesses across the country are getting to grips with.

‘We get quite a few GDPR questions’, said Bowkis. ‘Furlough and so on have taken over, but two years ago everything was about GDPR. You can’t forget that, and people can still – and are – complaining.


‘This should be a straightforward thing. The government has said, you need to take their details. And the ICO, who police all things data protection, there is some guidance from them.

While the motivations behind keeping this customer data may be honourable, businesses still need to keep themselves covered from a GDPR point of view, Bowkis told us.

‘You have to have it in your privacy policy and say: “We will be taking, as per government instructions, your details for [Test & Trace]”. You’re only allowed to take the details that you need: name, contact number and the time they arrived.

‘And the guidance at the minute is to keep [these details] for 21 days and then destroy them, so that needs to be written into the policy as well.’

Bowkis also urged caution for those seeing the increased data capture as a business opportunity.

‘You can’t use those details as a sneaky way of doing some marketing! They’re not for marketing purposes, purely for track and trace’, she added.

Test & Trace is just one of the many changes businesses across the UK have needed to make in the wake of Covid-19 – and it’s not the only thing you should be mindful of from a GDPR point of view, reminds Bowkis. Even changes to how you communicate with staff, such as Zoom or Skype, could have implications.

‘If you’re doing anything differently in your business, you need to keep reviewing that GDPR policy. It’s not something you did back in 2018 and can forget about: you need to update it all the time,’ she said.

As far as Test & Trace is concerned however, businesses don’t need to panic – providing that they’ve kept their privacy policy up to date, of course.

‘People will complain to the ICO, because people love complaining,’ joked Bowkis. ‘But GDPR article 6 sets out all the reasons why you can process data. One of them will be legitimate interest, and in this case particularly, it’s in the public interest.

Get more from Car Dealer

  • Premium stories
  • Used car data
  • Magazine early access

‘I would hope that the ICO would say that you’re quite entitled to keep those [details]. But it’s got to be in your privacy policy – if you get investigated, the ICO will know you’re taking it seriously and have tried to do all the right things.’

See what other legal advice Nona Bowkis and Kiril Moskovchuk had for dealers by clicking on the main image to watch the interview in full.

You can see all of our Car Dealer Live interviews by clicking here

Car Dealer Magazine's avatar

Car Dealer has been covering the motor trade since 2008 as both a print and digital publication. In 2020 the title went fully digital and now provides daily motoring updates on this website for the car industry. A digital magazine is published once a month.

More stories...

Server 190