GRA reminds businesses collecting contact tracing information to comply with data laws

The Gibraltar Regulatory Authority has highlighted that establishments collecting personal data for contact tracing must comply with the Gibraltar Government’s regulations and data protection legislation.

The Data Commissioner stressed that personal data must only be used for the purposes of contact tracing, collected and stored securely, and destroyed after 10 days.

In a press statement the GRA said all establishments which are subject to the regulations should “ensure personal data is used in a way that is fair and lawful.”

“This means data must not be processed in a way that is unduly detrimental, unexpected or misleading to the individuals concerned,” the GRA said.

The GRA said establishments should also “ensure transparency at all times,” which includes informing customers who provide their information as to why and how their data is being used.

Avoiding keeping personal data for longer than 10 days as well as ensuring that only personal data specified in the regulations is collected was also highlighted by the Commissioner and establishments must ensure that only the minimum amount of personal data is processed.

“Organisations should only collect personal data which the regulations specify e.g. the name and contact telephone number of all the customers who have booked a table at the restaurant, cafeteria or bar,” the GRA said.

Personal data which qualifies under the regulations includes the name and contact telephone number of all the customers who have booked a table at a restaurant, cafeteria or bar.

The GRA made clear that all data collected must adhere to data protection law.

“Data protection law requires personal data to be collected and used with security measures to prevent personal data from being accidentally or deliberately compromised,” the GRA said.

“This includes protecting data from those persons who do not need access to that data and briefing staff on their responsibilities. It is also important that establishments do not display personal data (e.g. as a paper record) in clear, plain sight of other persons.”