How to keep secure contact tracing records

Contact tracing is a key part of the battle to keep COVID-19 under control. Charities need to do their part to help NHS Test and Trace now that some staff have returned to the office by keeping contact tracing records about their staff - as well as service users who come into close contact with those staff.

Some of the information that needs to be collected and stored – name and contact phone number for the staff member or service user, the date and time that they were in the charity premises, and the name of the assigned staff member, if a service user or visitor interacts with only one member of staff – is regarded as personal information, and that means it is subject to the General Data Protection Regulation (GDPR).

As a result, it needs to be stored securely and deleted when it is no longer needed. Your charity will likely need to store the records for twenty-one days - fourteen days reflecting the incubation period of the virus, plus an additional seven to allow for testing and tracing.

Recording contact tracing information and keeping track of how long that information been stored and if they should be deleted (to comply with the GDPR) can be a complex task, and for that reason, it can help to use software to help you.

Dedicated applications designed to help organisations store and manage contact records include:

• Salesforce Contact Tracing for Employees – a Salesforce.com module
• Time to Spare – an online app which is free for charities
• Safe2Go – a commercial contact tracing app which stores data in the cloud

You could also manage the details electronically in a spreadsheet or word processor document, or alternatively you can keep paper records.

However you decide to keep contact tracing records, the Information Commissioner’s Office (ICO) points out that you must:

• ask only for the information that is needed
• be transparent with customers about why you need the information and what you will do with it
• store the data carefully
• ensure that the information is not used for any other purpose such as direct marketing or profiling
• not keep the information longer than the government guidelines specify (usually 21 days)

If you decide to keep contact tracing records on paper, then there are a number of points you should consider to ensure that your records remain secure. These include:

Keep them out of sight

It can be tempting to use a simple sign-in book so that staff and service users can enter their contact details and the date and time when they were there, but doing so means that all the contact details on a page are visible to everyone. To maintain confidentiality, it is better practice for designated contact record staff to write down the information when a staff member of service user arrives at your premises.

Limit access

Only designated contact record staff should be allowed to access the paper records, and these staff numbers should be restricted as far as possible.

Lock them away

Paper records should not be left out in a place where anyone could access them without authority to do so. In practice that means that they should be secured in a safe place such as a lockable cabinet or a safe.

Dispose of records securely

When you no longer need records stored on paper, ensure that the records are destroyed (for example by shredding) rather than just discarded them in a bin.