New data collection obligations for the leisure, food and drink sector
Businesses in the leisure, food and drink sector are being required to keep records of staff, customers and visitors in order to assist NHS Test and Trace in the event of a local outbreak.
This requirement is putting businesses in an already stretched sector at risk of breaching data protection laws if their records are not handled properly.
This article is intended to help those operating in the leisure, food and drink sector understand their obligations and how to avoid falling foul of data protection laws.
The new record keeping requirements apply to businesses in the following sectors which provide on-site services and events:
- hospitality, including pubs, bars, restaurants and cafés (excluding takeaway-only services)
- tourism and leisure, including hotels, museums, cinemas, zoos and theme parks
- close contact services, including hairdressers, barbershops and tailors
- facilities provided by local authorities, including town halls and civic centres for events, community centres, libraries and children’s centres
- places of worship, including use for events and other community activities
There are different record keeping obligations for staff and customers / visitors. For staff, the main requirement is to keep a contact telephone number and a record of the dates and times when staff are at work. For customers, the following information needs to be collected:
- the name and contact telephone number of the customer or visitor. Or, if there is more than one person, the name and contact telephone number of the ‘lead member’ of the group and the number of people in the group
- the date of visit, arrival time and, where possible, departure time
- if a customer will interact with only one member of staff (for example, a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer
Many businesses such as restaurants, hotels, theme parks, zoos and hair salons, will already be collecting the required information via online booking systems.
Where online booking systems are not in operation, or where businesses are also accepting visitors without advance bookings, the government guidance is that the information should be collected at the point that visitors enter the premises, or at the point of service if impractical to do so at the entrance.
The government guidance advises that the information should be recorded digitally if possible but acknowledges that paper records are acceptable too and confirms that businesses should collect the information in a way that is manageable for that business whilst having regard to their obligations to keep the information secure.
Business should take the following steps to ensure that their customer, visitor and employee records are kept secure:
- Make sure staff understand what they should and shouldn’t do with customer records.
- Do not use an open access sign-in book where customer details are visible to everyone.
- Keep any paper records in a safe place with measures such as locked doors / safes to prevent unauthorised access.
- Consider limiting the number of staff who have access to the customer records.
- Do not store customer records in an accessible, unsecured electronic or paper file.
- Follow good cyber security practices including complex passwords and role based access.
The General Data Protection Regulation (GDPR) states that where businesses collect personal data, the data subject (i.e. the customer / visitor / employee) should be made aware what information is being collected, why it is being collected and how it is going to be handled.
As a result of this new information collection requirement, businesses should update their policies and notices to make staff, customers and visitors aware that their contact information may now also be shared with NHS Test and Trace.
The GDPR requires businesses to identify which of the six prescribed lawful bases applies to their collection of any personal data.
In most circumstances ‘legitimate interests’ is likely to be the most applicable lawful basis for private organisations to collect the information required by NHS Test and Trace. This basis recognises that collecting the data is likely to be in the interests of the individual, the organisation, and the public health efforts to tackle COVID-19.
However, where the information is being collected in sensitive settings such as places of worship, group meetings organised by political parties, trade unions, campaign or rights groups, other philosophical/religious groups or health support groups, the organisation will need to obtain the individual’s consent to collect their personal data for NHS Test and Trace purposes.
This is because of the potentially sensitive nature of the data collected in these circumstances.
Where personal data is collected for NHS Test and Trace and would not usually be collected in an organisation’s ordinary course of business, that personal data must only be used to share with NHS Test and Trace and must not be used for other purposes, including marketing, profiling, analysis or other purposes unrelated to contact tracing.
Whilst businesses are required to have in place mechanisms to collect the information outlined above, the provision of information by customers and visitors is voluntary.
This means that customers and visitors have the right to refuse to provide their information for use in relation to NHS Test and Trace.
Where a business needs to collect a visitor’s contact information anyway, for example in order to accept their advance booking and issue tickets, the business should not share that information with NHS Test and Trace if the customer has indicated that their information should not be used for that purpose.
The government guidance states that the records should be kept for 21 days. After 21 days, the information should be securely disposed of or deleted. This should involve shredding paper documents and permanently deleting electronic files.
Where the records are also being kept for other legitimate business purposes they do not need to be disposed of after 21 days but, as with all other personal data, the records should not be kept for longer than is necessary.