Hospitality industry – Data protection considerations for re-opening and implementing Government guidance
3rd July 2020
In its latest guidance on keeping workers and customers safe during COVID-19 in restaurants, pubs, bars and takeaway services (23 June 2020), the Government has recommended that businesses operating in these sectors keep a temporary record of customers and visitors for 21 days. This will assist NHS Test and Trace with requests for that data if needed.
However, there are measures that hospitality businesses will need to take to ensure that they collect, use, and dispose of personal data for these purposes in compliance with GDPR and other data protection legislation. Here are some practical steps to help your business comply with its obligations under data protection legislation when implementing Test and Trace measures.
You should only collect the minimum amount of data that you actually need in order to comply with the Government guidance. In practical terms this is likely to mean:
- Customer names
- Contact email addresses and/or telephone numbers
- Date of attending your venue (and estimated timings at your venue)
The Government Guidance does not currently recommend asking customers whether or not they have had COVID-19 symptoms or any other health-related questions before attending venues. If you do decide to do this, you must be aware that such information is considered special category data and additional legal considerations will apply. If you feel that it is important for your business to record this information, we suggest seeking specialist legal advice before proceeding.
You are required to be able to demonstrate that you have one of the GDPR-specified lawful bases for processing this personal data. The most likely lawful basis in this context is ‘legitimate interests’. However, in order to rely on legitimate interests you should clearly document that you have:
- Identified a legitimate interest: In this case, facilitating contact tracing for COVID-19.
- Shown that the processing is necessary to achieve it: This is likely to be met given that the Government has recommended these measures; and
- Balanced these against the individual’s interests, rights and freedoms: This analysis should be carried out in the context of your specific organisation, but again should be fairly easy to demonstrate.
You will need to notify your customers clearly as to:
- Why you are collecting their data: This should be limited to contact tracing.
- Who you will be sharing it with: You will need to tell your customers that you may pass data collected to the NHS Test and Trace service, which is operated by The Department of Health and Social Care. For most hospitality businesses, there is unlikely to be any other organisations that you will need to share this data with. However, if you do need to share it with another third party you will also need to inform your customers that you will be doing so.
- How long you will keep the data: See section on ‘retention time periods’ below.
There is other information that you are required to provide to individuals when you collect their personal data (e.g. the identity of the controller, details of data subject’s rights, right to complain to Information Commissioner). However, depending on the method you’re using to collect the data, it may be easier to include a statement at the end of the short-form notice along the lines of: “For further information about how we process your personal data, please see our Privacy Notice at [insert URL, possibly with QR code for ease of consultation]”.
Security of data
You should make sure that the information collected is kept secure. Consider implementing measures such as requiring passwords to access the data, encryption (if stored electronically) and limiting access to staff who strictly need the data to perform their role. Your systems as a whole should have appropriate security measures, such as up-to-date versions of software, patching and antivirus.
Use of data
This data should only be used to assist with contact tracing and not for any other purpose. Please do not automatically add customers to your marketing lists or combine this data with any other customer databases that you may have.
If you want to also collect data for marketing purposes at the same time (e.g. if this collection step for contact tracing will be incorporated into an online booking process), then this will need to be clear in the collection process and you will need to obtain separate consent to use this data for marketing. In other words, customers should not feel obligated to allow you to collect their data for marketing purposes at the same time that you collect this data to facilitate Test and Trace measures.
Retention time periods
The Government guidance recommends retaining the data for 21 days. You must ensure that any periods are no longer than necessary for contact tracing purposes. In practice, given that the Government guidance has specified a 21-day period, retention periods that are much longer than this are unlikely to be acceptable. You must also ensure that you tell customers how long you will be retaining the data for.
Once the retention period has finished, you should securely delete the data. This means shredding and/or otherwise securely disposing of all hard copy records plus securely deleting any electronic copies.
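The data minimisation and 21-day retention points above, as an added Python illustration that is not part of RPC's note: it stores only the three fields listed earlier, refuses any extra field such as a symptom question, and drops records once 21 days have passed since the visit. The field names, the ISO date format and the sample visitors are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

RETENTION_DAYS = 21  # period recommended by the Government guidance
# The only fields the guidance calls for. Any other field (e.g. a symptom
# question, which would be special category data) is refused, not stored.
ALLOWED_FIELDS = {"name", "contact", "visit_date"}

def parse_date(iso: str) -> date:
    return date.fromisoformat(iso)  # dates travel as ISO strings, e.g. '2020-07-01'

@dataclass(frozen=True)
class VisitorRecord:
    name: str
    contact: str      # email address or telephone number
    visit_date: date  # date of attending the venue

def make_record(form: Dict[str, str]) -> VisitorRecord:
    """Turn a submitted form into a record, rejecting unneeded or missing fields."""
    extra = set(form) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"not needed for contact tracing: {sorted(extra)}")
    missing = ALLOWED_FIELDS - set(form)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return VisitorRecord(form["name"].strip(), form["contact"].strip(),
                         parse_date(form["visit_date"]))

def is_expired(record: VisitorRecord, today: date) -> bool:
    """Held for RETENTION_DAYS days after the visit; from day 21 it is deleted."""
    return (today - record.visit_date).days >= RETENTION_DAYS

def purge_expired(records: List[VisitorRecord], today: date) -> Tuple[List[VisitorRecord], int]:
    """Return the records still within retention and the number dropped.
    Meant to run daily; the caller replaces its store with the kept list so
    expired entries are actually removed rather than hidden."""
    kept = [r for r in records if not is_expired(r, today)]
    return kept, len(records) - len(kept)

# Constructed sample log with fictitious visitors.
SAMPLE_LOG = [
    make_record({"name": "A. Visitor", "contact": "a.visitor@example.com",
                 "visit_date": "2020-07-01"}),
    make_record({"name": "B. Visitor", "contact": "07700 900123",
                 "visit_date": "2020-07-10"}),
]

if __name__ == "__main__":
    kept, dropped = purge_expired(SAMPLE_LOG, parse_date("2020-07-22"))
    print(f"kept {len(kept)} record(s), deleted {dropped}")
```

For paper records the same 21-day rule applies, but the purge is a shredding step rather than a script.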
The guidance also recommends keeping a temporary record of your staff shift patterns for 21 days and assisting NHS Test and Trace in the context of your staff.
The scope of this note does not cover any testing or other measures in relation to staff, but businesses should also be mindful that additional guidance has been published by the ICO setting out other considerations for employers in a COVID-19 world (see other useful resources).
Use of third-party booking systems
You may already have booking or reservations systems in place with third party booking platforms. Some of these service providers already facilitate the safe collection and storage of personal data in order to make bookings for your restaurant. They will no doubt also be keeping an eye on Government recommended measures so consider contacting them to see to what extent they can help you implement some of the other steps outlined in this note.
Other useful resources
This summary is intended to provide general information only, and should not be used as a substitute for legal advice.
Authored by our breach response provider RPC:
- Victoria Noto (Associate)
- Ridvan Canbilen (Associate)
- Richard Breavington (Partner)