Pubs, restaurants, and other local businesses in England that reopened over the weekend are now requested to collect customers’ and visitors’ contact details in order to assist with the NHS Test and Trace app. UK Government guidance has been published in respect of England.
Beer gardens and outdoor restaurants in Scotland were allowed to reopen yesterday, 6 July 2020, with indoor hospitality due to follow suit from 15 July 2020. The Scottish Government has also issued its own guidance.
What data should businesses collect?
According to guidance from the UK Government, businesses should assist the test and trace effort by keeping a temporary record of customers and visitors, for 21 days, in a way that is “manageable” for business, as well as complying with requests for that data if required.
The UK Government Guidance further notes that the personal data collected should include, where possible for each venue, the name, contact number and dates and times that each member of staff is working, and the name, contact number, date of visit, as well as the arrival and, where possible, departure time of each customer and visitor.
Where there is more than one person in a group, a business may record only the name and contact number of the ‘lead member’ of the group and the number of people in the group. Where a customer will interact with only one member of staff, for example, a hairdresser, the name of the assigned staff member should be recorded with the name of the customer.
In Scotland, businesses serving customers who remain on their premises will be encouraged to gather similar contact details to support NHS Scotland’s Test and Protect service.
Where customers are attending as a small household group, the contact details for one member of the group – a ‘lead member’ – will be sufficient, and where a business offers both sit-in and takeaway services, contact information only needs to be collected for customers who are sitting in.
The Scottish Government has also provided a style Privacy Notice which hospitality businesses can provide to customers and aids in ensuring compliance with the General Data Protection Regulation (GDPR). The notice sets out the types of data that should be collected, as well as the lawful basis on which the data will be processed. This is the ‘legitimate interest’ of assisting Scotland’s Test and Protect strategy.
Information collected will, alongside the date and time of a customer’s arrival or departure, include a customer’s name and contact number and, if they do not have a number, either their postal or e-mail address. Again, along the same vein as the UK Government Guidance, personal data will be retained only for the purpose of contact tracing and should be held by businesses for no more than 21 days.
How should businesses handle this data?
Businesses will be expected to handle all personal data in line with the GDPR and, to assist with this, the ICO has published a set of initial easy-to-follow guidance for businesses as they introduce these new measures.
The ICO offers the following advice:
• Ask for only what's needed
• Be transparent with customers
• Carefully store the data
• Don't use it for other purposes
• Erase it in line with government guidance
The ICO will continue to update its guidance on this and other COVID-19 related data protection issues on its dedicated online hub, as well as its helpline for small businesses.