Ensure collection of customer details meets data protection requirements

Operators must ensure any contact info taken as part of the Test and Protect system is handled safely, writes lawyer Stephen Connolly

The Scottish Government’s easing of the lockdown restrictions has now come into force for the licensed trade.

As part of the reopening of the hospitality sector, the UK government has indicated that establishments will have to obtain contact details for customers so that they can be contacted as part of Track and Trace efforts in the event of a coronavirus outbreak which can be linked to the premises. The Scottish Government has indicated that a similar approach will be taken in Scotland.

The guidance produced by the government provides that taking contact details will be voluntary, but states that “it is important that both businesses and individuals cooperate, as it will be crucial to national efforts to suppress the virus”. The guidance indicates this measure is part of enabling businesses in the hospitality industry to open safely while reducing the risk of future restrictions.

There are other benefits in opting to take contact information, such as customer perception that the business is taking their safety seriously and that it is safer to attend the premises than another which is not taking these steps.

The guidance suggests that relevant data is kept for staff. This would include what dates and times they were working and, if possible, what tables or areas they were serving in order to better identify where staff might have been placed at risk. In light of this, a measure to consider when reopening is assigning staff to specific areas in order that this data can more readily be kept track of.

For customers, it is suggested that the details taken are:

  • name,
  • contact number,
  • date of visit, and
  • arrival and leaving times where possible.

If the customers attend as a small household group, only one lead member’s details will be required. If they do not have a contact number, they can give a postal or email address instead. Although the details to be taken are not particularly extensive, obtaining such data from customers raises issues around data protection that hospitality businesses would generally not require to deal with. Some points to consider include:

Registration with the Information Commissioner’s Office (ICO)

Organisations which process personal information need to be registered with the ICO. Many hospitality businesses may not be registered, as organisations which process personal data only for staff administration are exempt, although businesses which operate CCTV should already be registered. A business which is not currently registered but intends to use an electronic system to keep contact details of customers for tracing purposes will require to be registered with the ICO.

Privacy notices

Individuals must be provided with information from anyone who is storing or holding their data (a data controller) about how their personal data will be used at the point it is collected. This includes the lawful basis on which their data is being processed, who it might be shared with, how long it will be retained and what rights they have in relation to their information. Businesses will therefore need to consider how this information will be given to customers when taking their contact details. The Scottish Government has produced posters which can be displayed explaining the requirements. It will likely be sufficient to display posters at entrances/prominent places within a venue and have a more detailed policy available online or in hard copy.

Data security

In order to comply with data protection principles, steps will need to be taken to ensure the security of the data and that it is only retained for the appropriate period, after which it must be destroyed. The Scottish Government guidance provides that the data should be retained for 21 days and then destroyed. It cannot be retained for other purposes such as marketing. Ideally the data will be stored electronically and password protected, but if on paper it should be locked away securely and not left unattended.

Sharing data with the NHS

Where a business has taken customer details for the purposes of the Track and Trace system, in the event of an outbreak the NHS may contact it to advise that there has been a case of coronavirus and to request details of those who attended the premises in order to carry out contact tracing. Consideration will have to be given to the security of such data and to compliance with data protection principles in sharing it, making sure this is done in a secure way and that the body the information is being shared with has appropriate security measures in place itself.

The Information Commissioner’s Office has produced a useful checklist which considers five key steps when collecting customer details.

Stephen Connolly is a partner at Glasgow-based legal firm Miller Samuel Hill Brown.