Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what steps he is taking to ensure venues collecting information for Track and Trace purposes are adhering to the General Data Protection Regulations.

All personal data collected by venues to support NHS Test and Trace must be handled in accordance with the General Data Protection Regulations (GDPR) to protect privacy. Guidance on how to do this and how to dispose of records after 21 days is provided at the following link:

www.gov.uk/guidance/maintaining-records-of-staff-customers-and-visitors-to-support-nhs-test-and-trace

The Information Commissioner’s Office (ICO) has also published detailed guidance on how organisations can ensure they are GDPR compliant:

https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/coronavirus-recovery-data-protection-advice-for-organisations/collecting-customer-and-visitor-details-for-contact-tracing/

The ICO may issue penalties against businesses who are found to be in breach of GDPR.