Restarting your business and implementing Government guidance to support NHS Test and Trace

02 July 2020. Published by Jon Bartley, Partner

In its latest guidance on keeping workers and customers safe during COVID-19 in restaurants, pubs, bars and takeaway services (23 June 2020), the Government has recommended that businesses operating in these sectors keep a temporary record of customers and visitors for 21 days. This will assist NHS Test and Trace with requests for that data if needed.

However, there are measures that hospitality businesses will need to take to ensure that they collect, use, and dispose of personal data for these purposes in compliance with GDPR and other data protection legislation. Here are some practical steps to help your business comply with its obligations under data protection legislation when implementing Test and Trace measures.

Information collected

You should only collect the minimum amount of data that you actually need in order to comply with the Government guidance. In practical terms this is likely to mean:

  • customer names
  • contact telephone numbers
  • date of attending your venue (and estimated timings at your venue).

The Government Guidance does not currently recommend asking customers whether or not they have had COVID-19 symptoms or any other health-related questions before attending venues. Such information is considered special category data and additional legal considerations will apply. Additional guidance recently released by the Information Commissioner's Office (ICO) sets out specific circumstances where data that some businesses might collect in their response to the pandemic is considered special category data. Where this is the case, the ICO makes clear that the business may need to consider a different lawful basis for collecting and processing such data. 

Lawful basis

You are required to be able to demonstrate that you have one of the GDPR-specified lawful bases for processing this personal data. The most likely lawful basis in this context is ‘legitimate interests’. However, in order to rely on legitimate interests you should clearly document that you have:

  • identified a legitimate interest: in this case, facilitating contact tracing for COVID-19
  • shown that the processing is necessary to achieve it: this is likely to be met given that the Government has recommended these measures, and
  • balanced these against the individual’s interests, rights and freedoms: this analysis should be carried out in the context of your specific organisation, but again should be fairly easy to demonstrate in the present circumstances.

Customer notification

You will need to notify your customers clearly as to:

  • why you are collecting their data: this should be limited to contact tracing
  • who you will be sharing it with: you will need to tell your customers that you may pass data collected to the NHS Test and Trace service, which is operated by The Department of Health and Social Care. For most hospitality businesses, there are unlikely to be any other organisations that you will need to share this data with. However, if you do need to share it with another third party you will also need to inform your customers that you will be doing so
  • how long you will keep the data: see section on ‘retention time periods’ below.

There is other information that you are required to provide to individuals when you collect their personal data (e.g. the identity of the controller, details of data subject’s rights, right to complain to Information Commissioner). However, depending on the method you’re using to collect the data, it may be easier to include a statement at the end of the short-form notice along the lines of:

 
“For further information about how we process your personal data, please see our Privacy Notice at [insert URL, possibly with QR code for ease of consultation]”

This should all be communicated to your customers at the time of collecting their data for contact tracing purposes (eg when they make a reservation or before they enter your venue). You should also consider updating your general customer privacy policy.

Data security

You should make sure that the information collected is kept secure. Consider implementing measures such as requiring passwords to access the data and encryption (if stored electronically) and limiting access to staff that strictly need to access the data to perform their role. Your systems as a whole should have appropriate security measures, such as up-to-date versions of software, patching and antivirus.

Use of data

This data should only be used to assist with contact tracing and not for any other purpose. Please do not automatically add customers to your marketing lists or combine this data with any other customer databases that you may have. If you want to also collect data for marketing purposes at the same time (eg if this collection step for contact tracing will be incorporated into an online booking process), then this will need to be clear in the collection process and you will need to obtain separate consent to use this data for marketing. In other words, customers should not feel obligated to allow you to collect their data for marketing purposes at the same time that you collect this data to facilitate Test and Trace measures.

Retention time periods

The Government guidance recommends retaining the data for 21 days. You must ensure that any retention periods are no longer than necessary for contact tracing purposes. In practice, given that the Government guidance has specified a 21-day period, retention periods that are much longer than this are highly unlikely to be acceptable. You must also ensure that you tell customers how long you will be retaining the data for. Once the retention period has finished, you should securely delete the data. This means shredding and/or otherwise securely disposing of all hard copy records plus securely deleting any electronic copies.

Staff considerations

The guidance also recommends keeping a temporary record of your staff shift patterns for 21 days and assisting NHS Test and Trace in the context of your staff. The scope of this note does not cover any testing or other measures in relation to staff, but businesses should also be mindful that additional guidance has been published by the ICO setting out other considerations for employers in a COVID-19 world (see other useful resources).

Use of third-party booking systems

You may already have booking or reservations systems in place with third party booking platforms. Some of these service providers already facilitate the safe collection and storage of personal data in order to make bookings for your restaurant. They will no doubt also be keeping an eye on Government recommended measures so consider contacting them to see to what extent they can help you implement some of the other steps outlined in this note.

Other useful resources 

Since first publishing this note the ICO has also released detailed guidance on Contact Tracing and data protection considerations. This guidance is available here.
 
Additional useful resources may also be found at:  

 Keeping workers and customers safe during COVID-19 
 Coronavirus recovery data protection advice for organisations