Test and Trace in the hair & beauty industry – how to store clients’ data safely and legally
Surely you already know that as a hair or beauty salon owner, you are required to store your clients’ contact information for national safety purposes. This data is used for the Test and Trace service – an NHS project that aims to ensure that anyone who could have been infected with the coronavirus can be quickly traced, tested and if necessary, notified that they have to self-isolate. It doesn’t seem like a big deal, as you are used to recording customer data on a daily basis – however, this time, you have to make sure you store the right information for a proper amount of time. Moreover, it’s now more important than ever to ensure full data security. Let’s establish everything you need to know and find the safest and most convenient ways of taking and maintaining these important records!
What is the purpose of Test and Trace?
The main purpose of the project is to contain outbreaks as much as possible, which is crucial to reducing the spread of COVID-19. By keeping records of your visitors, you can help the NHS identify people who may have been exposed to the virus. The quicker they do this, the fewer people will be at risk of being exposed – so by properly storing your clients’ data (and your staff’s), you can really be a lifesaver!
What are you asked to do?
The terms are not complicated. When it comes to clients, you are supposed to note:
- Phone numbers
- Times of arrival
- Times of departure (if possible)
- Which team member served them
When it comes to your staff members, you will be asked to provide:
- Phone numbers
- Work schedules (dates and times that staff are at work)
Additionally, you are asked to act as a kind of ambassador – being ready to explain to your employees and customers why you request such information, how it helps public health and why it is so important to cooperate with the NHS on this project.
Update: Businesses will need to display the official NHS QR code posters so that customers can ‘check-in’ at different premises using this option as an alternative to providing their contact details once the app is rolled out nationally. You must register for an official NHS QR code and display the official NHS QR poster from 24 September 2020.
Is partaking in Test and Trace mandatory?
For the time being – it is not legally required. The government asks you to do so for the greater good. However, it was made clear that legislation may be introduced if people refuse to cooperate.
Update: From 18 September, taking part in Test and Trace will be enforced in law. Collecting contact details and maintaining records for NHS Test and Trace is a legal requirement and failure to comply is punishable by a fine. The person responsible for the business is liable.
What if a client does not allow their data to be used for the project?
When collecting information needed for the project, you have to inform the client what it may be used for – and the client has the right to opt out of the Test and Trace project if they choose to. In this case, you gather the data needed for your regular booking purposes and don’t share it with the NHS Test and Trace project.
- Don’t give the NHS data from clients who refused to partake in the project – your intentions may be good, but it is considered a data leak and may get you in trouble.
- The accuracy of the information provided by the client for Test and Trace purposes is not your issue – you are not expected to check its validity.
- You should encourage your customers to take part in the project. The data collected will be used for its sake exclusively – assure clients that the only goal of Test and Trace is to contain the spread of the coronavirus.
Update: Venues other than hospitality do not need to refuse entry to clients who have not allowed their data to be used for this project, but should encourage customers and visitors to share their details or scan the official NHS QR poster in order to support NHS Test and Trace and advise them that this information will only be used where necessary to help stop the spread of COVID-19.
In the rare case that a customer or visitor becomes unruly, you should follow your own security procedures. This may include calling the police if you feel the individual poses a risk to yourself or others.
And what about your staff?
Your employees may also refuse to partake in the Test and Trace project. In this case, you follow the same rules as with customers – try to encourage your staff members by explaining the aim of the project, but if they still don’t want their information to be shared with the NHS, you keep it to yourself and use it only for purposes they agreed upon.
How does it all relate to data protection regulations (GDPR)?
As you probably know, when collecting information, you have to comply with strict data protection regulations (GDPR). These regulations apply to all of the personal data you collect (important to note – on both clients and employees!), electronically or on paper.
When it comes to Test and Trace, GDPR allows you to request contact information from your staff members and clients and share it with NHS Test and Trace. You don’t have to get written consent from each person for that purpose, but you have to make clear why the information is being collected and what you intend to do with it.
You absolutely cannot use the information you have collected for Test and Trace for any other purpose. Using this data for marketing, profiling, analysis or other purposes unrelated to contact tracing will be considered a data breach.
You should also ensure that both your clients and staff members are able to exercise their data protection rights.
How should you maintain the data?
For Test and Trace purposes, you should keep the records for 21 days. Why? The incubation period for COVID-19 can be up to 14 days, and the NHS adds a further 7 days to allow time for testing and tracing. After 21 days, all information gathered for the project should be securely disposed of or deleted.
Naturally, you only delete the information gathered exclusively for the project purposes – you can keep your regular customer records and dispose of them when you normally delete unwanted data.
How can you ensure data security?
Data security is a big topic. You are accountable for keeping your customers’ personal information safe – if you fall victim to a data breach or leak, it’s you who takes legal responsibility. You may be unaware of it, but on a daily basis, you collect not only personal but also sensitive information – for example, notes on customers’ state of health (e.g. allergies). In such circumstances, it is absolutely crucial to ensure you are able to keep it confidential.
In the government guidance regarding Test and Trace, it was stated that hair and beauty salons are already in a good position to participate in the project, as they “already have systems for recording their customers”. It was made clear that although storing paper records is permitted, they are far more problematic (in terms of storage, transmission to the NHS and disposal). Digital systems are a far more convenient, reliable and safe option. To cite the guidance again – “we would prefer you to record and protect information electronically”.
If you are using Versum, you are all set. Our system was designed to ensure the highest possible level of data security. All data entered into the system is stored on rigorously protected servers located in guarded premises. All servers are separated from the public Internet by a firewall which allows only traffic necessary to provide the service. Each user needs to be authenticated with a password. Moreover, we provide a number of configuration features which enable the administrator to determine different access levels for particular employees. If you want to read more about how we ensure your collected data is 101% safe, you can do so here.
Tip: You don’t have Versum yet? Start your two-week free trial and see what a difference it makes to have a reliable digital helper!
When should you transfer the information to the NHS?
Finally, let’s establish what to do with the collected information. The NHS will ask you for it only if:
- Someone who has tested positive for COVID-19 has listed your premises as a place they visited recently.
- Your premises has been identified as the location of a potential local outbreak of COVID-19.
You have to be careful – unfortunately, you may be contacted by scammers who try to obtain data or money by pretending to be the NHS. Contact tracers will contact you ONLY BY:
- Calling you from 0300 013 5000
- Sending you text messages from ‘NHStracing’
- Asking you to sign into the NHS Test and Trace contact-tracing website
An NHS representative WILL NEVER:
- Ask you to pay or make any purchases
- Ask you to download any software
- Ask you to hand over control of your PC, smartphone or tablet to anyone else
- Ask you to access any website that does not belong to the government or NHS
- Ask for your bank account details
- Ask for your social media identities or login details
- Ask for any of your passwords or PINs
- Ask for any information unrelated to that required for tracing
Stay alert and don’t be ashamed to check twice if you have any doubts! Read more about it here.
By taking part in the Test and Trace project, you are actively participating in the fight against the coronavirus – and your help cannot be overestimated. Start using Versum’s customer records and help contain clusters of outbreaks, while maintaining an excellent level of data security. It is a simple step for you but can truly save lives!