A guide for businesses in the hospitality sector
One of the government’s key tools in preventing the spread of coronavirus is ‘NHS Test and Trace’. NHS Test and Trace requires pubs, bars, restaurants and cafes to collect the personal data of their customers.
In England, it is a legal requirement for these establishments to participate in the scheme. It is also a legal requirement for the collected data to be handled in accordance with data protection law. This blog will set out some key questions you should ask yourself, and provide answers that will help you remain compliant. While this blog is being published during a second national lockdown, these principles will still be relevant as and when establishments are re-opened.
When you are collecting the data of customers, it is important to explain why you are doing it. It will be obvious to most people, but clarity and honesty are fundamental pillars of data protection law, and if you fail to explain your reasons clearly, you may find yourself in breach. The government has also provided a privacy notice specifically dealing with records held by businesses to support NHS Test and Trace (see the end of this blog for links) and you should display this at your premises.
You do not need to seek your customers’ consent in the way you normally would when collecting information for, say, marketing purposes, because you are required by law to participate in NHS Test and Trace. The customer should nonetheless provide the information voluntarily.
You should only collect the information needed for contact tracing purposes. In England, if the customer has not checked in using the NHS App (so that you are collecting the required information yourself, for example through a digital booking system or with pen and paper), this is limited to:
- their name;
- their phone number;
- the date of their visit and their time of arrival; and
- the name of the member of staff assigned to them (if they will only interact with one member of staff).
If a customer has made use of the NHS App, you are not permitted to ask for their details again for the purposes of NHS Test and Trace.
Personal data should only be kept for as long as it’s needed. The government has stipulated that 21 days is the appropriate length of time for the purposes of NHS Test and Trace. Once that time has elapsed, you should either shred the paper records or permanently delete the digital files.
You are required to record the information provided by the customer in an accurate way. You are not required to verify that information unless you have reason to believe it is wrong or out of date.
In relation to contact tracing, customers have two main rights. The first is the right to access the personal data you hold about them. The second is the right to ask for that data to be corrected if it proves to be inaccurate. The customer does not have an absolute right to ask for the data to be erased.
Where you are collecting the data, you must ensure that the data is physically safe if it is recorded on paper and digitally safe if it is recorded electronically. The responsibility to do this lies with you. In addition, you must have measures in place to ensure that the information is not lost, stolen or destroyed. These measures could include staff policies and staff training, not just locks on doors and firewalls. Please note that the use of a sign-in register where customers’ details are visible to everyone is not recommended. However, you do not have control of or responsibility for data collected via the NHS QR Code (through the NHS App).
Customers are not obliged to use the NHS QR Code or the NHS App. Some people object to it and others do not have a smartphone. You are required to offer those people a secure alternative. For further guidance on the meaning of ‘secure’, please see the guidance on keeping data safe above and the links at the bottom of the page.
Hospitality venues must take reasonable steps to refuse entry to a customer or visitor who does not provide their name and contact details, is not in a group (for which one other member has provided name and contact details), or who has not scanned the NHS QR code. Venues in other settings do not need to refuse entry but should encourage customers and visitors to share their details or scan the NHS QR Code.
You must not use the data for marketing or other business purposes. Your sole right in relation to the data is to share it with a legitimate public health authority – and only when they ask you to do so. When contacted by a representative of the contact tracing scheme, you should take steps to ensure that the request is legitimate.
Do not contact the person yourself. That is the responsibility of contact tracing personnel. Your responsibility is simply to share the details you have collected if requested to do so.
You do not need to ask for contact details for those under the age of 16. If an individual says they are under the age of 16, you should not ask for identification unless you judge this to be false.
The government guidance indicates that any venue which introduces new systems to manage contact details must conduct a Data Protection Assessment.
You are required to display the NHS QR Code at your premises. You can use an alternative QR code system as well, but the government has issued guidance advising businesses to cease using other QR codes and switch solely to the NHS QR system. This is to ensure that customers do not become confused as to which code to use and to encourage the widespread use of the NHS App.
Guidance from the ICO and GOV.UK
Please follow the links below for more detailed guidance on this topic:
Information Commissioner’s Office
- Maintaining records of staff, customers and visitors for contact tracing purposes.
- Individual rights