Business & Data Protection

Test-and-trace data sharing: a healthy lesson for private-sector businesses on the importance of transparency



The BBC reported this week that the UK Department of Health and Social Care could share contact-tracing information with police in England, given there is a legal requirement to isolate after a positive test. The news of this practice quickly prompted a flurry of concerned commentary from public health officials and privacy campaigners, with the British Medical Association warning that police involvement could be counterproductive, insofar as it could deter individuals from testing for COVID-19.

Though this news concerns the public sector, the public reaction to it serves as a useful reminder of the importance of transparency to private-sector organisations who process personal data. If you collect individuals’ personal data and share that data with third parties, even if only occasionally, the GDPR requires that you give clear information about these data sharing practices to those individuals at the time when you collect their personal data. This should ideally be communicated via your privacy notice, which must state the recipients of the shared personal data.

Provided your lawful basis for processing the shared personal data is not consent, it is possible for only ‘categories of recipients’ to identified rather than named, individual recipients, but if you opt to take this less specific approach, you will need to be able to demonstrate why it is fair to do so and endeavour to be as specific as possible about the type of recipient (such as what industry or sector it belongs to) and its location. If, however, you are relying on consent as your lawful basis, then your privacy notice should specifically identify the recipients of the personal data, especially if they are third-party independent or joint controllers. Otherwise, there is a risk that the GDPR’s requirement for the consent to be specific will not be met.

As this news story illustrates, the more upfront with individuals you are at the outset about the way you handle their personal data, the more confidence they will have in your organisation. It is more difficult to gain back trust once lost than it is to lose it in the first place.




You are contacting

Raj Shah

Senior Associate