There are reasons to be cheerful on both sides of the Atlantic this 4th of July. American friends will be enjoying Independence Day celebrations while the UK will be enjoying a bit more of its own independence with the further easing of lockdown restrictions… perhaps most excitingly, the long-awaited reopening of our beloved pubs, bars, cafes and restaurants. Is anyone else fed up with their own cooking and desperate for a cold pint?
The UK Prime Minister’s announcement that parts of the hospitality sector (and parts of other sectors like hotels/accommodation and personal care) can reopen on 4 July will undoubtedly have brought a huge sigh of relief to landlords, restaurateurs and hoteliers. But it has left them with hefty to-do lists before they can safely reopen.
As if they didn’t have enough on their plates already, on top of implementing new safety measures like reconfiguring seating, carrying out regular cleaning, facilitating online ordering, using protective screens, limiting indoor service to table service only and even changing shift patterns to fix staff in teams, the hospitality sector will also have to grapple with GDPR compliance.
Within his announcement, the PM explained that reopening businesses would also be asked “to help NHS Test and Trace respond to any local outbreaks by collecting contact details from customers, as happens in other countries, and we will work with the sector to make this manageable”. While the PM only referred to “customers”, this will of course apply equally to any visitors, e.g. guests of the customer who booked the table, and indeed any other visitors to premises.
In collecting visitor details for Test and Trace purposes, hospitality businesses will, from a data protection perspective, assume the role of “controller” and all the obligations that come with it. Strictly, there isn’t (yet?) a legal requirement for hospitality businesses to collect these details; at the moment it’s just a government request to assist the NHS in contact tracing.
This raises the question of quite how, in practice, hospitality businesses will comply with the General Data Protection Regulation (GDPR) when collecting visitor data for Test and Trace purposes. The UK Information Commissioner’s Office (ICO) has published an initial statement to businesses collecting personal data for contact tracing, as well as more detailed guidance on coronavirus recovery (i.e. re-opening) and guidance for small hospitality businesses. The ICO has told the Guardian newspaper that it is “assessing the potential data protection implications of this proposed scheme and is monitoring developments”, and more detailed guidance is likely to follow.
For some, the ask may not be a significant one. It might be that existing reservations software can be repurposed to safely house customer/visitor registers and add information about the dates and times of their visits. Some may also have existing Privacy Notices setting out how they use customer data for booking and marketing purposes.
But for those smaller businesses that usually manage bookings in a physical calendar, or those that don’t take bookings at all, being asked to collect potentially large volumes of visitor contact details and visit information may present additional headaches.
Clearly, achieving gold star GDPR compliance will not be as high a priority for some as simply reopening to stay afloat. So, as with all things during a global pandemic, a pragmatic approach to compliance will be the way forward.
The government has promised to work with the sector to “make this manageable” and said that “We will work with industry and relevant bodies to design this system in line with data protection legislation, and set out details shortly”, so further guidance seems to be on the horizon. Of particular interest will be whether the guidance addresses what the sector should do in relation to visitors who will not provide any contact details for Test and Trace purposes. For the scheme to be effective, one would assume that the sector will need to refuse entry to such visitors. Private businesses can refuse entry to their premises for any reason, of course, but it’s hard to imagine all of the sector being willing to turn away business after such a lengthy hiatus solely in order to assist NHS Test and Trace.
It remains to be seen whether the government will pass a law forcing the sector to obtain such details before they are allowed to accept visitors.
In the meantime, we’ve set out some simple steps to help the hospitality industry seek to be as GDPR-compliant as possible in the time available, in a list of dos and don’ts. The key points are:
- Only collect what’s necessary
We expect the Government to provide further guidance as to what information is required for Test and Trace purposes, and industry should obviously be guided by that when it’s available. At a minimum, we’d expect this to include names and basic contact information as well as the date and time of each visitor’s visit. For GDPR purposes the bottom line is not to insist that visitors provide any more information than is necessary for Test and Trace purposes.
- Don’t use people’s information for other purposes
If visitors are required to provide their contact details for Test and Trace purposes, their details shouldn’t be used for other purposes. For example, Test and Trace lists shouldn’t be used for marketing unless you’ve explicitly asked the visitor for their permission for this additional use and they’ve consented.
- Keep people’s information safe
Make sure that access to Test and Trace contact details is restricted to as few people as possible and that both electronic and manual records are kept secure. Ensure that you share requested Test and Trace contact details only through official channels (i.e. to official Test and Trace teams). Beware of potential fraudulent attempts from third parties posing as NHS Test and Trace: a request for your visitor register is exactly the kind of thing a fraudster would ask for, so verify any unexpected request using contact details you have obtained independently rather than those supplied in the request itself. Ensure that you are sharing Test and Trace information securely (e.g. as an encrypted attachment to an email). If you do use an encrypted attachment, send the password by a separate channel (such as a phone call) rather than in the same email, otherwise the encryption protects nothing.
- Dispose of information securely
Ensure that Test and Trace contact details are only kept for 21 days in accordance with current Government guidelines, and are securely deleted or shredded after that. If the customer has agreed to their contact details being used for marketing, you could keep those for longer (again not forever; you need to delete them after an appropriate period, making sure any marketing complies with the separate rules on direct marketing). However, you should still be deleting the dates/times of visits after 21 days.
- Tell people why their information is being collected
The GDPR requires controllers to provide individuals with certain information about the ways in which their personal data will be used. This is typically housed in a Privacy Notice provided at the point at which information is collected. Again, further guidance as to best practice for the sector may be provided in due course but, in the meantime, hospitality businesses should at a minimum seek to explain to visitors:
- Who they are
- Why they are collecting contact details and how they will use it
- How and when they will delete information
- Individuals’ rights in relation to the collected information
See the example Privacy Notice for these purposes within the dos and don’ts.
Solutions for how hospitality businesses could present this information to their visitors might include posting visible signs on entry to the premises or adding the information to blackboards or A-frame menus, and drawing attention to this information when visitors arrive as well as when bookings are made online or on the phone. If you’re feeling particularly creative, you might even consider printing it on beermats or placemats.
Update: The UK government has since released guidance on the records businesses must maintain, with a press release. The guidance applies to the following sectors (beyond hospitality):
- hospitality, including pubs, bars, restaurants and cafés
- tourism and leisure, including hotels, museums, cinemas, zoos and theme parks
- close contact services, including hairdressers, barbershops and tailors
- facilities provided by local authorities, including town halls and civic centres for events, community centres, libraries and children’s centres
- places of worship, including use for events and other community activities
It covers any establishment that provides on-site service (e.g. dining in) and any on-premise events, but not where services are taken off site immediately, e.g. food or drink takeaways. It also does not apply to drop-off deliveries by suppliers or contractors, the government has clarified.
The information to be collected extends to staff, not just visitors (so the privacy notice must be given to staff as well), and the government recommends collecting phone numbers (which in our view is more intrusive than email addresses). It does confirm, “If there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group”. It also requests obtaining, “where possible, departure time“, and “if a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer”.
It also confirms that visitors can “opt out” (the government’s phrasing!) although they should be “encouraged” to provide their contact details, and that businesses need not verify visitors’ identities.
If visitors are not legally required to give their contact details, or even genuine contact details, this may of course undermine NHS Test and Trace efforts. But clearly the UK government doesn’t wish to go that far! It remains to be seen how effective these “voluntary” measures on the part of both businesses and their visitors will be.
Note: Detailed ICO guidance was published on 3 July.
This post first appeared on the Fieldfisher website on 30 June 2020 and is reproduced here with their kind permission.