As the Scottish Government eases some of the lockdown restrictions, businesses in the hospitality sector have been able to open outdoor areas, such as beer gardens, from the 6th July 2020 and indoor areas from 15th July. As part of the re-opening the government has indicated that establishments should obtain contact details for customers so that they can be contacted as part of Track and Trace efforts in the event of a coronavirus outbreak which can be linked to the premises.
The guidance produced by the Scottish Government provides that taking contact details is voluntary at the moment, but states that ‘it is important that both businesses and individuals cooperate, as it will be crucial to national efforts to suppress the virus.’ The guidance indicates this measure is part of enabling businesses in the hospitality industry to open and remain open safely while reducing the risk of future restrictions. There are other reasons to consider opting to take contact information, such as customer perception that the business is taking their safety seriously and potentially customers taking the view that it is safer to attend the premises than another which is not taking these steps.
The guidance suggests that data is kept for staff in terms of what dates and times they were working and, if possible, what tables or areas they were serving in order to identify where staff might be at risk and have to self-isolate. In light of this, a measure to consider is assigning staff to specific areas in order that this can more readily be kept track of. For customers, it is suggested that the details taken are name, contact number, date of visit and arrival and leaving times where possible. If the customers attend as a small household group, only one’ lead’ member’s details will be required. If they do not have a contact number, they can give a postal or email address instead.
Although the details to be taken are not particularly extensive, obtaining such data from customers raises issues around data protection that hospitality businesses would generally not require to deal with. Some points to consider include:
Registration with ICO
Organisations which process personal information need to be registered with the Information Commissioner (ICO). Many hospitality businesses may not be registered as organisations which process personal data only for staff administration are exempt, although businesses which operate CCTV should be registered. A business which is not currently registered but intends to use an electronic system to keep contact details of customers for tracing purposes will require to be registered with the ICO.
Privacy notices
Individuals must be provided with information about how their personal data will be used at the point it is collected. This includes the lawful basis on which their data is being processed, who it might be shared with, how long it is retained, and what rights they have in relation to their information. Businesses will therefore need to consider how this information will be provided to customers when providing their contact details. The Scottish Government has produced posters which can be displayed explaining the requirements. It will likely be sufficient to display posters and have a more detailed policy available online or in hard copy. Miller Samuel Hill Brown can assist with putting such policies in place.
Data Security and Retention
In order to comply with data protection principles, steps will need to be taken to ensure the security of the data, and that it is only retained for the period required or appropriate, after which it must be destroyed. The Scottish government guidance provides that the data should be retained for 21 days and then destroyed. It cannot be retained for other purposes such as marketing, and care should be taken to avoid situations where data is used for inappropriate purposes, such as incidents of staff using data to contact customers directly. Ideally the data will be stored electronically and password protected, but if on paper it should be locked away securely and not left unattended.
Sharing Data with NHS
If obtaining customer details for the purposes of the Track and Trace system, in the event of an outbreak the NHS may contact a business to advise that there has been a case of coronavirus and requesting details of those who attended the premises in order to carry out contact tracing. Consideration will have to be given to the security of such data and ensuring compliance with data protection principles in sharing it.
The Information Commissioner’s Office has produced a useful checklist which considers five key steps when collecting customer details. This can be found here.
Miller Samuel Hill Brown can provide further advice and guidance on such issues and can provide a set of documents for a fixed cost – contact us today for further details.