The Prime Minister’s announcement that parts of the hospitality sector could re-open on 4th July undoubtedly brought a huge sigh of relief to landlords, restauranteurs and hoteliers. Not to mention their customers! But, in working through long lists of guidance about 2 metre distancing (or is it one metre plus?), making plans for the collection of customer data probably didn’t feature.
However, the Prime Minister’s announcement explained that hospitality businesses planning to re-open would be asked “to help NHS Test and Trace respond to any local outbreaks by collecting contact details from customers, as happens in other countries, and we will work with the sector to make this manageable”. The ICO, in recent guidance, reassures us that it doesn’t need to be complicated, saying businesses can just choose the process that best suits them. As with many aspects of COVID-19 related guidance, it looks as if a pragmatic approach will probably be best in following the ‘five simple steps’ suggested by the ICO to help ensure that data protection is not a barrier to recovery (see further below).
Who is covered by this guidance?
There is a higher risk of transmitting COVID-19 in premises where customers and visitors spend a longer time in one place and potentially come into close contact with other people outside of their household. To manage this risk, establishments in the following sectors, whether indoor or outdoor venues or mobile settings, should collect details and maintain records of staff, customers and visitors:
- hospitality, including pubs, bars, restaurants and cafés
- tourism and leisure, including hotels, museums, cinemas, zoos and theme parks
- close contact services, including hairdressers, barbershops and tailors
- facilities provided by local authorities, including town halls and civic centres for events, community centres, libraries and children’s centres
- places of worship, including use for events and other community activities
The guidance applies to any establishment that provides an on-site service and to any events that take place on its premises. It does not apply where services are taken off site immediately – for example, a food or drink outlet which only provides takeaways. If a business offers a mixture of a sit-in and takeaway service, contact information only needs to be collected for customers who are dining in.
The guidance does not apply to drop-off deliveries made by suppliers or contractors.
What information are businesses being asked to collect?
Businesses are being asked to collect information about both staff and customers/visitors to their premises. They are being asked, where possible, to collect the following information:
- the names of staff who work at the premises;
- a contact phone number for each member of staff; and
- the dates and times that staff are at work.
For customers and visitors:
- the name of the customer or visitor. If there is more than one person, then the name of the ‘lead member’ of the group and the number of people;
- a contact phone number for each customer or visitor, or for the lead member of a group of people;
- date of visit, arrival time and, where possible, departure time; and
- if a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer.
The guidance states specifically that no additional data should be collected for supporting NHS Track and Trace.
How should the information be collected?
Many organisations that routinely take bookings already have systems for recording details about their customers and visitors – including restaurants, hotels, and hair salons. Due to the COVID-19 outbreak, more organisations are planning to implement an ‘advanced booking only’ service to manage the numbers of people on the premises. The guidance anticipates that these booking systems will be able to serve as the source of the information that businesses are being asked to collect.
However, there is no requirement to collect information in any particular way: businesses are asked to collect the information in a way that is manageable for their own establishment. If not collected in advance, information should be collected at the point that visitors enter the premises, or at the point of service if impractical to do so at the entrance. It should be recorded digitally if possible, but a paper record is acceptable too.
Recording both arrival and departure times (or estimated departure times) will help reduce the number of customers or staff needing to be contacted by NHS Test and Trace. The guidance notes, however, that recording departure times will not always be practicable.
What if someone does not wish to share their details, or provides incorrect information?
If a customer or visitor informs you that they do not want to provide their details, or do not want their details shared for the purposes of NHS Test and Trace, they can choose to opt out, and if they do so you should not share any information collected and used for booking purposes with NHS Test and Trace.
The guidance asks businesses to encourage customers and visitors to share their details – but there is (currently) no obligation on businesses to require this of customers – or on customers to provide it. The accuracy of any information provided will be the responsibility of the individual who provides it. There is no obligation on businesses to check or verify an individual’s identity for NHS Test and Trace purposes.
How long does the customer information need to be kept?
The guidance suggests that customer information collected to support NHS Track and Trace should be kept for 21 days. This reflects the incubation period for COVID-19 (which can be up to 14 days) and an additional 7 days to allow time for testing and tracing. After 21 days, this information should be securely disposed of or deleted. The usual requirements will apply when deleting or disposing of data – ie you must do so in a way that does not risk unintended access (e.g. shredding paper documents and ensuring permanent deletion of electronic files).
Records which are made and kept for other business purposes do not need to be disposed of after 21 days. The requirement to dispose of the data relates to a record that is created solely for the purpose of NHS Test and Trace. Bear in mind, however, the general principle of the GDPR which states that data should not be kept for longer than is necessary.
Is the GDPR relevant to collecting and holding this information?
Yes – any customer or visitor data you collect pursuant to the guidance is personal data (that is to say data that identifies a living individual) and must be handled in accordance with GDPR to protect the privacy of your staff, customers and visitors.
GDPR allows you to request contact information from your staff, customers and visitors and share it with NHS Test and Trace to help minimise the transmission of COVID-19 and support public health and safety. It is not necessary to seek consent from each person, but you should make clear why the information is being collected and what you intend to do with it.
For example, if you already collect this information for ordinary business purposes, you should make staff, customers and visitors aware that their contact information may now also be shared with NHS Test and Trace.
You do not have to inform every customer individually. You might, for example, display a notice at your premises or on your website setting out what the data will be used for and the circumstances in which it might be accessed by NHS Test and Trace. You may need to offer some people additional support in accessing or understanding this information – for example, if they have a visual impairment or cannot read English.
While consent is not required, the guidance recommends that consent is sought in sensitive settings such as places of worship and for any group meetings organised by political parties, trade unions, campaign or rights groups, other philosophical/religious groups or health support groups. This is because of the potentially sensitive nature of the data collected in these circumstances.
Personal data that is collected for NHS Test and Trace, which you would not collect in your usual course of business, must be used only to share with NHS Test and Trace. It must not be used for other purposes, including marketing, profiling, analysis or other purposes unrelated to contact tracing, or you will be in breach of the GDPR. You must not use the data in a way that is misleading or could cause an unjustified negative impact on people e.g. to discriminate against groups of individuals.
As is the case with all personal data collected, appropriate technical and security measures must be in place to protect customer contact information. These measures will vary depending on how you choose to hold this information, including whether it is collected in hard copy or electronically. Make sure that access to Test and Trace contact details are restricted to as few people as possible and that both electronic and manual records are kept secure. Ensure that you share requested Test and Trace contact details through official channels (i.e. to official Test and Trace teams). Beware of potential fraudulent attempts from third parties posing as NHS Test and Trace. Ensure that you are sharing Test and Trace Information securely (e.g. an encrypted attachment to an email).
In addition, individuals must be enabled to exercise their data protection rights, such as the right of erasure or the right to rectification (where applicable).
How, in practice, hospitality businesses will comply with the GDPR when collecting visitor data for test and trace purposes will probably be different for each business. For some, the ask may not be a significant one. It might be that existing reservations software can be used, adapted or repurposed to store customer/visitor registers and add information about the dates and times of their visits. Some businesses may have existing Privacy Notices setting out how they use customer data for booking and marketing purposes. But for those smaller businesses that usually manage bookings in a physical calendar or those that don’t take bookings at all, being asked to communicate privacy information and collect potentially large volumes of visitor contact details and visit information may present additional headaches. However, information can be presented to visitors in many ways – for example adding the information to blackboards or A-frame menus, and drawing attention to this information when visitors arrive as well as when bookings are made online or on the phone.
As always, there is a balance to be achieved. Achieving gold star GDPR compliance will not be as high a priority for some as simply trying to keep their business viable. So, as we said at the beginning of this note, a pragmatic approach to compliance will be the way forward and a ‘one size fits all’ approach is just not possible.
What does the ICO say about this?
The ICO has produced both basic and more detailed guidance for businesses. Its ‘five simple steps’ approach to ensuring that data protection is not a barrier to recovery is as follows:
Ask for only what is needed
Be transparent with customers and visitors – say clearly what are you asking for and why
Carefully store their data
Don’t use data for other purposes
Erase data in line with government guidance
The more detailed guidance expands on these five simple steps. The guidance is available here: https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/coronavirus-recovery-data-protection-advice-for-organisations/collecting-customer-and-visitor-details-for-contact-tracing/
The ICO continues to update its guidance on this and other coronavirus-related data protection issues on its dedicated web hub.
Please contact Caroline Redhead or your usual Burnetts legal adviser.