Charities need to maintain contact tracing records to help protect their staff and service users. Here’s how to do that in a safe and secure way.
Contact tracing is a key part of the battle to keep COVID-19 under control. Now that some staff have returned to the office, charities need to do their part to help NHS Test and Trace by keeping contact tracing records about their staff, as well as service users who come into close contact with those staff.
Some of the information that needs to be collected and stored – name and contact phone number for the staff member or service user, the date and time that they were in the charity premises, and the name of the assigned staff member, if a service user or visitor interacts with only one member of staff – is regarded as personal information, and that means it is subject to the General Data Protection Regulation (GDPR).
As a result, it needs to be stored securely and deleted when it is no longer needed. Your charity will likely need to store the records for twenty-one days - fourteen days reflecting the incubation period of the virus, plus an additional seven to allow for testing and tracing.
Recording contact tracing information, keeping track of how long that information has been stored, and deciding whether it should be deleted (to comply with the GDPR) can be a complex task. For that reason, it can help to use software.
Dedicated applications designed to help organisations store and manage contact records include:
You could also manage the details electronically in a spreadsheet or word processor document, or alternatively you can keep paper records.
However you decide to keep contact tracing records, the Information Commissioner’s Office (ICO) points out that you must:
If you decide to keep contact tracing records on paper, then there are a number of points you should consider to ensure that your records remain secure. These include:
It can be tempting to use a simple sign-in book so that staff and service users can enter their contact details and the date and time when they were there, but doing so means that all the contact details on a page are visible to everyone. To maintain confidentiality, it is better practice for designated contact record staff to write down the information when a staff member or service user arrives at your premises.
Only designated contact record staff should be allowed to access the paper records, and the number of these staff should be restricted as far as possible.
Paper records should not be left out in a place where anyone could access them without authority to do so. In practice that means that they should be secured in a safe place such as a lockable cabinet or a safe.
When you no longer need records stored on paper, ensure that the records are destroyed (for example by shredding) rather than just discarded in a bin.
If you decide to store your contact records digitally, either on a computer or in the cloud, then security is equally important. To keep digital records secure you should:
As with paper records, you need to ensure the physical security of any devices you use to store contact records by locking them away somewhere secure when they are not in use.
To prevent staff or visitors from accessing records if a device is left unattended for any reason, be sure to protect it with a strong password. If you store contact data in a spreadsheet or other computer program, it is sensible to encrypt the data file as well. In many applications, you can encrypt a file by choosing to protect it with a password.
Strong account passwords are particularly important to protect data stored in the cloud because this data could potentially be accessed from anywhere, without physical access to the computer you use to create the records.
This is actually much harder than it sounds because your data files should be backed up regularly, and therefore more than one copy of your contact records exists. That means that every time you delete records you should replace existing backups with new ones.
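One way to automate the twenty-one-day deletion for records kept in a spreadsheet exported as CSV, shown as an added example that is not part of the original article. The column names, the sample rows and the function name `purge_expired` are assumptions made for illustration:

```python
import csv
import io
from datetime import datetime, timedelta

# 14 days incubation + 7 days for testing and tracing, as described above.
RETENTION = timedelta(days=21)
# Column names are assumptions for this example, based on the fields listed earlier.
FIELDS = ["name", "phone", "visited_at", "staff_member"]

# Constructed sample data (not real people or numbers).
SAMPLE = """name,phone,visited_at,staff_member
A. Visitor,07700 900001,2020-09-01T10:00,J. Staff
B. Visitor,07700 900002,2020-09-20T14:30,J. Staff
C. Visitor,07700 900003,not recorded,K. Staff
"""
SAMPLE_NOW = datetime(2020, 9, 25, 9, 0)


def purge_expired(csv_text, now):
    """Return (kept_csv_text, removed_count, unreadable_rows).

    Rows older than RETENTION are dropped. Rows whose visit time cannot be
    parsed are kept but reported, so a person can review them instead of
    the script silently deleting them or silently retaining them forever.
    """
    kept, unreadable, removed = [], [], 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            visited = datetime.fromisoformat(row["visited_at"])
        except (KeyError, TypeError, ValueError):
            unreadable.append(row)
            kept.append(row)
            continue
        if now - visited > RETENTION:
            removed += 1
        else:
            kept.append(row)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(kept)
    return out.getvalue(), removed, unreadable


if __name__ == "__main__":
    text, removed, unreadable = purge_expired(SAMPLE, SAMPLE_NOW)
    print(text)
    print(f"removed {removed} expired record(s); "
          f"{len(unreadable)} need manual review")
```

After overwriting the live file with the purged version, replace the existing backups too, so the deleted rows do not survive in an older copy.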
Regardless of whether you choose to store contact details electronically or on paper, it is very important that staff understand exactly what they can and cannot do with the data. In particular, make sure that they are aware that disclosing the information without your charity’s consent is a criminal offense under the Data Protection Act.