Pubs, restaurants and other hospitality businesses are being asked by the government to collect customer information to assist with national contact tracing efforts. Matthew Gregson explains the legal considerations.
From 4 July, most of England's restaurants, pubs and bars were released from lockdown. But the long-awaited return wasn't exactly business as usual – in addition to precautionary social distancing and enhanced hygiene standards, the government announced that it expects hospitality venues to temporarily collect and record visitors' personal information as part of the national contact-tracing effort.
The announcement gave hospitality venues 10 days' notice to design and implement GDPR-compliant personal data collection, storage and contact tracing capability – a significant challenge, particularly as governments around the world have struggled to do this lawfully.
Keep it simple
If your business is not accustomed to collecting information about customers, or has not previously assessed compliance with data protection rules like GDPR, compliance can feel like a minefield.
That said, try not to feel overwhelmed. Remember you are only being asked to temporarily collect limited information about your customers, keep the information private and secure, share it with official contact tracers when asked, and delete the information after 21 days. If you keep things simple and follow our top 10 tips (below), you will be able to comply with the contact-tracing guidance and data protection rules.
10 tips for collecting customer data
1 Why? Compliance with government guidance is a critical part of the UK's response to the pandemic and the reopening of the economy. Everyone is encouraged to take part, but it is not mandatory for customers to provide their information.
2 What? You are encouraged to collect names, contact details and time of arrival. You do not need to collect ID, if you don't do that already.
3 Be aware By collecting name and contact information about your customers, you will need to comply with the UK data protection legal requirements.
4 Inform customers Let your customers know why you need their information and what you will do with it. You can do this by displaying a short notice on your premises or on your website, or by simply telling guests on arrival.
5 How? You can choose the solution that works best for you, eg digital or paper records. There is no requirement to develop or sign up to new apps or digital solutions.
6 Treat the information as private The information must be kept secure. If there is an unauthorised use or loss of information, you may need to notify the UK data protection authority (the Information Commissioner's Office) and the customers concerned within a 72-hour window. You should also be aware of scams – you may be targeted by fraudsters pretending to be contact tracers.
7 Should we contact or warn customers? Your obligation is simply to collect the information, share it with the NHS and local authority contact tracers, and then to delete the information after 21 days. Your staff should not be using the information to contact trace or notify people themselves.
8 What can we do with the information? The information should not be used for other purposes. Using the information to market to customers would constitute a breach of data protection rules. The contact tracing guidance does not prevent you using information you already collect, eg booking/registration information, for these purposes, so long as you comply with the necessary consent requirements.
9 Erasure and deletion Information should be erased after 21 days. Shred paper records, delete digital records and empty the recycle bin, and ensure cloud data is deleted.
10 Train your staff Ensure staff are following the guidance and data protection rules. There is room for human error. Make sure staff know contact-tracing information is confidential and that it should only be shared with official contact tracers. The information should not be shared between staff members (beyond what is strictly necessary) or other customers.
Matthew Gregson is a data protection and privacy specialist at law firm Kemp Little