The UK’s privacy watchdog has released new advice for venue owners and large event organizers on ensuring COVID-19 checks comply with data protection and digital privacy laws.
This week, the government avoided a humiliating defeat in the Commons after nearly 100 of its party’s own MPs voted against introducing new COVID passes for certain high-risk venues like nightclubs and large outdoor events with thousands of people.
However, the new rules passed, which means COVID-19 status checks must be carried out on entry at relevant locations.
The Information Commissioner’s Office (ICO) warned that event organizers and venue owners must be “clear, open and honest” about what they’re doing by sharing their privacy notices online and in venues.
It added that they should check whether local rules mandate full digital scans of COVID passes or simply a visual check. Staff should answer any questions on this and treat any information gathered confidentially. Venues should not make their own lists featuring the COVID status of customers.
The ICO has a handy web page on the privacy implications of COVID pass checks. The GDPR only kicks in if organizers physically scan pass QR codes – deemed “processing” under the strict European data protection law.
Health information like this is classed as “special category data” under the law, a classification mirrored in the UK Data Protection Act 2018. That means it requires more protection since it’s deemed more sensitive.
To ensure they follow the critical GDPR principle of data minimization, venue owners and event organizers in the UK must also ensure any use of the data they collect is “fair, relevant and necessary for a specific purpose,” the ICO warned.
That means anything that isn’t needed should be deleted periodically to ensure it does not become a target for threat actors.
Privacy advocates have in the past raised severe concerns about the Scottish government’s Check-In Scotland app and the NHS Track and Trace app.