There will be some respite from life under lockdown in England on 4 July, when pubs, bars, cafés, takeaway services, and restaurants will be able to re-open, subject to high-level guidance issued by the UK government this past week, which is linked to below.
Under the guidance, operators of the above-mentioned businesses are asked to keep a temporary record of customers’ contact details for 21 days in order to support the NHS’s Test and Trace response (see the extract quoted below).
Contact details such as names, phone numbers, and email addresses constitute personal data under the GDPR and the Data Protection Act 2018. That means these businesses will need to ensure that their collection and retention of these contact details comply with this legislation. The guidance says little as to what exactly is expected of these businesses in terms of compliance. In the extract quoted below, the government states that it will announce further details “shortly”, but adds that it does expect these businesses to collect customer data “to help fight the virus”.
Although there is little time for these businesses to prepare and implement detailed data collection and retention procedures before Saturday, there are some key steps that businesses can take before collecting customers’ contact details. These include:
- Informing customers that their contact details will be collected, and letting them know how those details will be processed and who they might be shared with (e.g. NHS contact tracers). Privacy notices ought to be updated if necessary and made available to view wherever bookings are made, whether online or at the premises.
- Ascertaining the correct lawful basis or bases for the collection of customer data and stating this in the privacy notice. Relying on consent as the lawful basis in this scenario may be problematic, since this can be withdrawn by customers at any time, and it may not satisfy the requirement of having been “freely given” if access to the premises is made conditional upon customers disclosing their contact details.
- Ensuring customers’ contact details are used only for the purposes for which they were collected. That means those details can be used to support the Test and Trace operation, but cannot be used for marketing or other purposes (unless another lawful basis for those other purposes has been established).
- Training staff to keep customers’ contact details confidential. Businesses must have appropriate technical and organisational measures in place to prevent any misuse of, or unlawful access to, this personal data. A paper sign-in sheet left on the counter, where each customer can read the names and phone numbers of everyone who came before them, is an obvious example of what to avoid.
- Putting in place procedures to delete customers’ contact details after the 21-day period is over, unless there is another lawful basis established for the continued processing of that personal data.
The UK’s privacy regulator, the Information Commissioner’s Office (ICO), is unlikely to impose heavy fines on these already-challenged businesses in the leisure and hospitality sector for failure to achieve full compliance in such a short space of time. However, as the pandemic rages on and businesses continue to collect customers’ details, expectations of compliance will mount, not just from the ICO, but from the population at large.
Extract from the government guidance:

> The opening up of the economy following the COVID-19 outbreak is being supported by NHS Test and Trace. You should assist this service by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your business, and assist NHS Test and Trace with requests for that data if needed. This could help contain clusters or outbreaks. Many businesses that take bookings already have systems for recording their customers and visitors – including restaurants, hotels, and hair salons. If you do not already do this, you should do so to help fight the virus. We will work with industry and relevant bodies to design this system in line with data protection legislation, and set out details shortly.