NHS Test and Trace: due diligence for your data

Here at Varese, we’ve avoided weighing in on the ongoing coronavirus discussion. We simply haven’t had anything to say that hasn’t already been said regarding working from home or the plight of small business in the pandemic-stricken economy. But now the government is collecting data, and data security is our strong suit, so here we go.

Testing times

As the race is on to mitigate the disastrous effects of a second wave, the government is putting its Test and Trace app at the forefront of the fight against COVID-19. The app promises to provide venue check-in, real-time reporting and contact tracing. The nationwide launch of this app got off to a rather rocky start, with spotty data collection and case reports not getting through to the people in charge of processing them. Fortunately the system seems to be up and running now, with pubs, restaurants and other venues legally obliged to collect customer data via the app; if you’ve been out and about recently, you may have been asked to download the NHS COVID-19 app and scan a venue’s QR code to check in.

To protect and serve

With customer data collection, naturally, comes customer data protection. Government guidelines require that any Test and Trace data which venues collect is not only kept secure (customers are giving out sensitive information after all), but also disposed of after 21 days. This 21-day restriction isn’t some arbitrary rule imposed by the government. The European GDPR, as well as the UK’s own Data Protection Act, mandates that data should only be held for as long as necessary. Disposing of data is exactly what it sounds like – these venues must make sure that customer information is thoroughly destroyed and can’t be recovered by any means. They may have collected information digitally through the Test and Trace app, or they may simply have taken down customer details with pen and paper. Either way, the law requires this data to be eliminated.

Happy trails

The means by which this data is destroyed will naturally vary from business to business, but will generally involve either physical shredding of paper documents, or secure erasure of data on hard drives. We usually advocate for hard drive destruction via degaussing, but this would be total overkill for most businesses. The truth of the matter is, the method doesn’t particularly matter. As long as that sensitive customer information is unrecoverable, the choice of destruction process is but a means to an end. The important part is creating an audit trail. Just as the proof of the pudding is in the eating, the proof of data erasure is in the evidence; businesses should be able to provide a “trail of breadcrumbs” which shows the journey that customer data takes through the venue’s systems, from being input to being erased.

Under the terms of the GDPR, citizens have a right to know what data is held on them by any particular business. Given that personal information about every one of us is being collected at the moment, keeping track of that data is more important than ever. Sadly, there’s not a great deal we ourselves can do; it’s up to businesses of all sizes to practise good data security habits. In these challenging times, there have been more pressing matters on our minds – but data fraud never stops, and we must be ever vigilant.