Track and Trace - the Fairy Tale Ending?

16th July 2020 Media Law

As a lover of the theatre, I was disappointed to hear that pantomime season may not commence as planned this year due to the current COVID-19 situation.

One pantomime that springs to mind is Cinderella. We’re all aware of the storyline. To recap: Cinderella is invited to Prince Charming’s ball but her wicked stepmother and ugly sisters prevent her from going to the ball. Luckily Cinderella’s fairy godmother comes to her rescue and she does indeed go to the ball. Just before midnight, Cinderella, fearing her carriage will turn back into a pumpkin, departs and leaves only a glass slipper. Prince Charming tracks down Cinderella and they all live happily ever after.

In the data rich version of the story, Prince Charming would have presumably taken a note of potential owners of the shoe or they may even have connected on social media. When Cinderella left at midnight, palace security could have looked at the CCTV to confirm her identity and maybe even taken down the registration number of the carriage in question.

The reason for retelling this classic tale is that over the weekend a modern day prince charming reportedly tracked down a young lady and contacted her using social media. The young lady tweeted that she got a free drink from the person behind the bar and that he’s now messaged her on Facebook.

The message sent by the member of bar staff confirmed that he did not obtain her details using track and trace (and there is no suggestion that this is not correct). He explained that he saw her on the dating platform Tinder (even though she hadn’t used Tinder for two years). He also suggested that she had come up as a suggested friend on Facebook.

The lady who tweeted this is clearly a very private person and has been critical of the newspapers for running the story.

The use of track and trace data can obviously only be used for specified purposes.  What if it was, purely hypothetically, to be used for other purposes?

As a starting point it may be helpful to explain what track and trace is exactly. Following the COVID-19 pandemic, the Government has asked certain organisations to maintain records of staff and customers. I know this first hand because when I took my son to have his hair cut at the weekend I was asked for my name and mobile number.

The Government has clearly explained the purpose of track and trace on its website:

“By maintaining records of staff, customers and visitors, and sharing these with NHS Test and Trace where requested, you can help us to identify people who may have been exposed to the virus.”

Organisations have been asked to collect the following customer data:

  • the name of the customer or visitor. If there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group; 
  • a contact phone number for each customer or visitor, or for the lead member of a group of people;
  • date of visit, arrival time and, where possible, departure time; and
  • if a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer.

Therefore customers visiting a pub shouldn’t be surprised if they are asked to share their name, phone number and details of times of visit. Providing the information is entirely voluntary and it is possible to opt out.

Customers should only be asked to provide necessary data. I have outlined the current Government guidelines above. In other words, organisations shouldn’t collect a lot of additional but not needed data. Limit collection to the data that is required.

The GDPR says that data should only be used for the purpose that it is collected for, so if an organisation such as a pub has collected personal data to pass on to authorities to prevent the spread of COVID-19 it should only be used for that purpose. The data should not be used by staff to contact customers for other purposes and if data has been used to contact customers then such conduct may amount to a data breach – and have implications for the bar and the staff member concerned.

Organisations should carefully consider how best to protect the personal data they collect for track and trace. They should ensure that they have appropriate organisational and technical measures in place to protect the data, such as password protection or perhaps a login system to limit staff access. Organisations should educate their staff regarding data protection. This will hopefully ensure that the outcomes are more fairy tale than Grimm Tales!​​​​​​

We're Social

Dominic Walker is a Solicitor located in Manchesterin our Media Law department

View other posts by Dominic Walker

Let us contact you


COVID-19 Update - Our website and phone lines are operating as normal and our teams are on hand to deal with all enquiries. Meetings can be conducted via telephone and video conferencing.

View our Privacy Policy

Areas of Interest