One measure that has a significant impact on privacy is the one involving contact registration and health checks. These are required in connection with the source and contact tracing efforts of the local Public Health Department (GGD). The Data Protection Authority BES is informing the public on privacy protection under the new measures.
Source and contact tracing is important to prevent the possible spread of the coronavirus. What is source and contact tracing and what does it entail in practice?
Source and contact tracing is an investigation carried out by the local Public Health Department whenever someone tests positive for the coronavirus. The local Public Health Department then contacts all others who were present at the public venue on the same day as the infected person. In this way, the local Public Health Department seeks to minimize the spread of the virus.
The venues where contact registration and health checks are mandatory are determined by law. The requirement applies to public venues, such as: restaurants, including restaurant terraces; all other establishments where food and drink may be purchased and consumed on the spot, such as beach terraces; and other buildings that are open to the public, such as churches, sports halls, spa and wellness centers and casinos. Supermarkets and grocery stores have no contact registration requirement.
Contact registration involves recording patrons and visitors’ personal data which the local Public Health Department may require in order to contact these persons if the need arises. The date and the person’s name and telephone number and/or e-mail address are sufficient for the intended purpose. It is not necessary to record the person’s home address, ID number and birth date. The patron/visitor’s consent is required before recording any personal information. The data subject’s consent means any freely given, specific and informed indication of his or her wishes by which the data subject signifies his or her agreement to personal data relating to him or her being processed.
Owners of restaurants, (beach) terraces and other buildings that are open to the public must ensure that their patrons/visitors’ contact information cannot be accessed by any unauthorized persons, including staff and other patrons/visitors. Owners of such premises must also ensure that the contact information is stored safely, to prevent any loss or unauthorized use. In total, contact information must be retained for 14 days and be destroyed in a careful and safe manner at the end of that 14-day period.
The processing of personal data concerning a person’s health is prohibited in the absence of a legal basis unless such processing is needed by a relevant institution or professional practice. That need must always be proven. Personal data processing means any operation or set of operations carried out on personal data, at least including the collecting, recording, organizing, storing, updating, altering, retrieving, consulting, using, disclosing by transmission, dissemination or any other form of provision, compiling, combining, as well as blocking, erasing, or destroying data.
Recording patrons/visitors’ temperature is considered a form of personal health data processing. Reading the temperature alone is not considered processing and is therefore not in violation of the Wbp BES. Processing includes any operation or set of operations carried out on personal data, at least including the recording and storing of data.
The privacy of patrons and visitors must be guaranteed at all times. Only necessary personal data should be recorded/processed. The breach of a patron/visitor’s privacy should never exceed what is necessary for the intended purpose. Need means that the personal data must be necessary to achieve the intended purpose, without disproportionately intruding on the patron/visitor’s privacy.