As part of the re-opening strategy, the government asked businesses to support the NHS Test and Trace effort. VWV’s specialist data protection solicitor, Sarah Thorley, answers your critical questions on how the GDPR affects your outdoor hospitality business during this coronavirus pandemic.
Which businesses does the NHS Test and Trace apply to?
All businesses in the hospitality sector, including pubs, bars, restaurants, cafés, hotels, campsites, wedding venues, museums, zoos and theme parks have been asked to assist with Test and Trace. The government has confirmed that it applies to any establishment that provides an on-site service and to any events that take place on its premises.
It does not apply where services are taken off-site immediately (for example, a food or drink outlet which only provides takeaways, or someone collecting a pre-reserved item). If a business offers a mixture of a sit-in and takeaway service, contact information only needs to be collected for customers who are staying in.
This guidance does not apply to drop-off deliveries made by suppliers or contractors.
Businesses should note that it remains illegal to have a gathering of more than 30 people, as released by the government on 23 June.
What information do we need to take?
For staff:
- the names of staff who work at the premises (including any casual staff)
- a contact phone number for each member of staff
- the dates and times that staff are at work
For customers and visitors:
- the name of the customer or visitor. If there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group
- a contact phone number for each customer or visitor, or for the lead member of a group of people
- date and duration of visit, arrival time, and where possible, departure time
- if a customer will interact with only one member of staff (e.g. only one member of waiting staff), the name of the assigned staff member should be recorded alongside the name of the customer
Government guidance on isolation for those returning from abroad changes regularly. While there is no requirement to check whether people attending your venue have returned from abroad, it might be prudent to ask customers when they book whether they have recently returned from any countries on the relevant lists, and to ask them to check with members of their party before arriving.
How should we collect the information?
The guidance explains that the way you collect information should be manageable for your business. It should be collected at the beginning of the person’s or group’s visit. The government would ideally like it to be collected in a digital format; however, this is not mandatory. If you already take booking details, there is no need to duplicate your system.
What if we think people are being dishonest and providing a false name?
The government guidance has said that hospitality businesses do not have to verify a customer’s identity against the information they provide. That said, it is up to you and your staff to decide whether a person providing false information might pose a risk to your staff and other customers, and whether you would like to offer your services to them.
You need to make a risk assessment as to whether you think it might have an impact on your business if there was a discovery of an infected person at your venue.
The government guidance says that receiving a request for information from NHS Test and Trace does not mean that you must close your establishment. You will, however, have to undertake a further risk assessment, and colleagues may need to isolate or take tests. This might have practical implications for running your venue, and it could also have some negative impact on your reputation.
How do we comply with the GDPR rules?
The Information Commissioner’s Office (ICO) has provided a five-point checklist to assist organisations, which reiterates the GDPR principles:
- only ask for what is needed
- be transparent about why you are collecting data and what you will use it for
- store the data carefully
- do not use it for anything that you did not initially collect it for
- erase or destroy it securely after the required period.
Your visitors are entitled to be given a privacy notice explaining how you will use and protect their information, and their rights. You may wish to have a dedicated privacy notice for this processing, or you will need to update your existing privacy notice to cover it. If you need assistance with your privacy notice, please contact VWV’s Information Law team.
If someone doesn’t want to provide their information, what can we do?
The government has not made it mandatory for customers to provide their data to a business in order to use its service. Customers and visitors can opt out. If a customer does opt out of providing information, then you should not share any information collected about them with Test and Trace.
How long should we keep it?
Test and Trace information should be securely deleted or destroyed after 21 days.
Can we use the information we collected for marketing purposes?
In brief, no. Test and Trace information should not be used for other purposes unless that has been clearly explained to the customer in advance (and for e-marketing in line with the Privacy and Electronic Communications Regulations (PECR)). The rules on digital marketing can be quite complicated so if you are not sure, check with a specialist Data Protection legal adviser.
How will I know if a request from NHS Test and Trace team for our data is genuine?
The government has said that there will never be a charge or purchase linked to providing the information and it will not require you to call a premium rate number, link through social media or download any software to a computer. If anyone asks you or a member of staff to do these things in connection with Test and Trace, it is probably a scam. You should report any suspected dealings to Action Fraud. The genuine Test and Trace number is: 0300 0135 000.
We suggest a staff briefing to ensure all staff are clear on your organisation’s protocol for sharing data, so that only a suitably senior member of staff provides the information to Test and Trace. This avoids mishaps and reduces the risk of a data breach.
What should we do if we think we have shared or deleted data by mistake?
Your business should already have a robust system for recording and reporting breaches (and near misses) in place, so that everyone in the business knows how to react when issues occur.
If you have lost personal data, or if someone else has gained access to it, for example, because you have shared it with another party by mistake or if you have been hacked, this could be a data breach. You might need to contact the people whose data has been shared and you might need to report it to the ICO.
- First, take steps to stop any further data being breached. If you have been hacked or your premises are not secure, sort this out immediately.
- Next, assess what data has been shared. You need to inform the ICO unless the breach is unlikely to result in any risk to individuals. You also need to inform the individuals themselves if the breach represents a “high risk”.
As such, the threshold for notifying the ICO is lower than the threshold for reporting directly to the individuals who are affected; however, similar factors will be relevant to both.
In making the assessment, consider whether the effect of the breach might include emotional distress, risk to the person’s finances, or identity fraud. If you don’t think you need to report the breach, you should record your decision and the reasons for it, in case you need to justify this at a later date. Heavy fines (2 per cent of global turnover) can be applied if you get it wrong, so if you are not sure, it is wise to take legal advice. Don’t forget to notify your insurers as well. You should also notify other organisations, such as the police and banks, if relevant.