‘Don’t create your own records of customer status’ – ICO warns venues on Covid Pass data-protection duties

Written by Sam Trendall on 16 December 2021 in News

Regulator updates guidance after introduction of new measures

Credit: Lufc83/CC BY-SA 3.0

After the introduction of domestic vaccine status checks, businesses have been warned not to keep records of customers’ vaccination or testing information.

As of 6am yesterday, the presentation of an NHS Covid Pass is a condition of entry for nightclubs and some large events, including concerts and sports fixtures.

Following the implementation of the measures across England, the Information Commissioner’s Office has published update guidance to help businesses in scope of the new rules to keep on top of their data-protection responsibilities.

Venues that perform only visual checks on digital or hard-copy documents are advised that this does not constitute the processing of personal data and GDPR is not applicable in this case. 

Those that use a scanning app to automatically validate users’ passes are engaged in personal-data processing, the ICO advised, and must thus ensure compliance with GDPR and all other data-protection statutes. 

Related content

This includes establishing a lawful basis for the processing – in this case the legal obligation to do so is likely to be sufficient. 

Other considerations include being open and transparent about how, why, and what data is collected, and that staff can answer customers’ questions about data collection and processing. Firms are also reminded to ensure that all processes are secure, and that only the official NHS Covid Pass Verifier app is used to scan customer’s passes.

Whether status checks are digital or only visual, businesses are instructed: “Don’t create any of your own lists or records with your customers’ status.”

“Data protection is one of a number of factors to consider when… implementing Covid-status checks,” ICO guidance said. “You should take into account: employment law and your contracts with employees (if you are considering checking employees’ COVID status); health and safety requirements; and equalities and human rights, including privacy rights.

“You should also consider other regulations specific to your sector, as well as current public health advice and the latest government guidance in your part of the UK.”

The NHS Covid Pass is available via the NHS app, where it can also be downloaded as a document that be printed or displayed offline. Citizens can also request a letter to be sent to them which, as with the digital versions, will include a secure QR code.

The passes provide evidence of all doses received of a coronavirus vaccine – including third and booster jabs. The passes are also available for anyone who has recorded a negative test in the previous 48 hours.

The certifications are, however, no longer issued on the basis of natural immunity, where someone has recorded a positive test in the prior 180 days.


About the author

Sam Trendall is editor of PublicTechnology. He can be reached on sam.trendall@dodsgroup.com.


Share this page




Please login to post a comment or register for a free account.

Related Articles

HMRC kick-starts project to create £180m digital one-stop-shop for UK traders
17 May 2022

Digital supplier sought to support work over the coming year

Supplier blacklists and non-compliance investigators: Government’s new procurement regime
13 May 2022

Bill introduced during Queen’s Speech proposes a range of reforms

Supercharged: Inside the ONS plan to become a data-science 'powerhouse'
12 May 2022

Five years after being established, the Data Science Campus of the ONS wants to do more to help address government's biggest policy issues – while still retaining its innovative edge. ...

MPs offer Elon Musk opportunity to ‘address critiques in public’
11 May 2022

Billionaire invited to appear before parliamentary committee