Last Saturday saw a further easing of COVID-19 restrictions with the opening of certain businesses and venues in England including cafes, restaurants and pubs. The government’s guidance to these businesses includes requirements around personal data capture.
The government wants such businesses to assist and support NHS Test & Trace by keeping a temporary record of customers and visitors for 21 days. The guidance suggests that names and contact numbers should be collected. Where there is more than one person in a group, the name and contact number of the ‘lead member’ will suffice. Such data, it is hoped, could help contain clusters and outbreaks.
The guidance confirms that if such data cannot be collected in advance (for example, when a customer pre-books a table), the information should be collected at the point of entry to the premises, or where that is impractical, at the point of service. Such data should be recorded digitally where possible, although a paper record will also suffice.
Leaving aside the moral question of whether customers should be encouraged to hand over their personal data, the practicalities of safely managing such data have to be considered. Where will the data be recorded? How will it be kept secure and who will be able to access it?
Somewhat ironically perhaps, the fact that these businesses are not legally required (yet) to obtain their customers’ details – they are currently simply being encouraged to do so – in some ways increases the risk of them falling foul of data protection regulation.
GDPR sets out six permitted justifications for processing data (one being a legal requirement). If legislation made it mandatory for pubs and restaurants to obtain and record customer data then there would obviously be a legal requirement for doing so. Absent that, the lawful basis for ‘processing’ the data would probably come under the ‘public task’ (performed in the public interest) or ‘legitimate interests’ bases. It will, however, require businesses to record and justify their reasoning, adding another layer of convolution to what is already a stressful time for managers and staff alike.
ICO advice to businesses
The Information Commissioner’s Office (ICO) does provide some guidance for the use of personal information specific to coronavirus recovery. This includes a requirement to only collect and use what is necessary and to only hold it for as long as is needed.
Pubs and the like will therefore need to have a system in place for monitoring the length of time the data is kept and for its safe deletion once it is no longer required. So for NHS Test & Trace purposes, there would be no reason to keep the data beyond a 21-day period.
Potential misuse of data
Care must also be taken to ensure there is no unintended use or, worse, deliberate misuse of customers’ personal data, such as using it for marketing purposes. This is perhaps the biggest regulatory risk to unwary businesses.
Whilst the ICO is at pains to assure businesses that it is adopting a pragmatic and sympathetic approach during the COVID-19 crisis, one would imagine it would be far less understanding if personal data were being retained to actively market to consumers. Indeed, the ICO has made it clear it will come down hard on those who seek to use or obtain personal data unlawfully or inappropriately during COVID-19.
The fact that pubs and restaurants are now able to reopen after months of lockdown is surely a huge boost for the sector and local economies. Spare a thought though for those owners, managers and staff who are now expected to securely collect, store and appropriately manage personal customer data in addition to the other operational issues they face in these most testing of times.