When the UK government announced that the re-opening of pubs, cafes and restaurants in England was to go ahead on Saturday 4 July, a sigh of relief was felt throughout the industry.
However, the easing of lockdown measures for these businesses came with a caveat – businesses are being asked to collect and store the contact details of their customers in order to assist with the NHS Test and Trace system, should it become necessary. These additional responsibilities and requirements could leave businesses falling foul of data protection rules.
The government has requested that businesses keep a temporary record of their customers for 21 days, in a way that is manageable for the business.
Many businesses who take bookings will already have systems in place for recording customer details such as restaurants, hotels and hair salons, however, there will be several establishments who do not collect customer details currently such as some pubs and cafes which will need to change their processes.
Becoming data collectors means that these businesses are subject to data protection rules under the Data Protection Act 2018 and the General Data Protection Regulations (GDPR). Data will need to be stored securely and only kept for reasonable period of time. Businesses will need to think about who can access this information, how they inform customers of their policies and also about how they ensure the information given by customers is legitimate.
It is likely that many businesses will come across customers who will not co-operate with the government’s proposed requirements. It is unclear at this stage the specific obligations that will be imposed upon businesses in relation to the collection of customer data and the transfer of such data to the NHS Test and Trace scheme.
The government is working with industry bodies and the Information Commissioners Office (ICO) to provide detailed guidance on how businesses should design their customer data collection systems to be compliant with data protection legislation and these new requirements. The government has said that it will provide detailed guidance to businesses “shortly”.
With the lack of guidance at this stage and many businesses looking to open in early July, I have set out below a few points to assist businesses with their obligations under the Data Protection legislation.
1. You must make sure that any personal data collected for compliance with Covid-19 requirements is not used for any other purpose such as sending marketing communications about offers or promotions.
2. When collecting personal data from your customers only take what you need such as a name and telephone number/email address.
3. You must provide your customer with a privacy notice setting out why you are collecting the data and what you will be doing with it. This will need to include amongst other things, details about using the information to contact them in the event of a Covid-19 outbreak and passing the information to the NHS (if required) for the purposes of the NHS Test & Trace scheme.
4. You need to have in place clearly documented processes for how your business will collect, store, and dispose of customer personal data. You will also need to make sure that all your employees are aware of and follow the required processes.
We’re all looking forward to life returning to as near to normal as possible and it’s great that the government are taking these restrictive measures to allow for the safe opening of businesses, but without more guidance and businesses being stringent in their data collection procedures, this could turn into a data protection nightmare.
If you would like any further information about your obligations under the Data Protection legislation in connection with the collection of customer personal data or the drafting of appropriate privacy notices, contact Amy Peacey on 0345 209 1329 or email@example.com
Amy Peacey is a senior associate in the commercial team with national law firm Clarke Willmott LLP