Businesses across a number of sectors are being asked to collect information on staff, customers and visitors for contact tracing purposes. These rules will require businesses and other venue operators to consider a number of data protection issues.

In England and Scotland, guidance has been published asking certain businesses, including hospitality and leisure operators, providers of "close contact" services (such as hairdressers), libraries and places of worship, to keep a temporary record of all staff and customers for 21 days, for the purpose of supporting NHS Test and Trace in England and NHS Scotland's Test and Protect strategy. Operators are asked to hold this information in electronic form.

While being able to reopen businesses will be welcome news for operators, businesses will also need to get familiar with key data protection principles in order to stay on the right side of the law when it comes to contact tracing.

Who is being asked to collect information?

In England and Scotland, the guidance applies to:

  • hospitality, including pubs, bars, restaurants and cafés
  • tourism and leisure, including hotels, museums, cinemas, zoos and theme parks
  • close contact services, including hairdressers, barbershops, beauticians, tattoo parlours, massage therapists, and tailors
  • facilities provided by local authorities, including town halls and civic centres for events, community centres, libraries and children’s centres
  • places of worship, including use for events and other community activities

In Scotland, the guidance also applies to cremation authorities, burial authorities, or funeral director service rooms offering funeral services.

The guidance applies to the premises that provide a service on-site or to any events that take place on the premises. It does not apply where services are taken off site straight away (for example, a takeaway food outlet or a library with a click and collect service).

What information are operators asked to collect?

In both England and Scotland, operators are being asked to collect the following information:

  • staff
    • the names of staff who work at the premises
    • a contact phone number for each member of staff
    • the dates and times that staff are at work
  • customers and visitors
    • the name of the customer or visitor. If there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group
    • a contact phone number for each customer or visitor, or for the lead member of a group of people
    • date of visit, arrival time and, where possible, departure time

In Scotland, larger establishments are also asked to record table numbers or sections where customers were seated. In England, if a customer will interact with only one member of staff (for example a hairdresser), then the name of the assigned staff member should be recorded alongside the name of the customer.

What are the data protection issues?

The practicalities of collecting customer information in a lawful manner should not be underestimated, particularly in busy environments such as pubs and cafes.

Businesses that take advance bookings (for example, a restaurant) may already collect this information. Other businesses will not ordinarily collect information on their customers and will need to think about how the information is collected (and in what form) and put in place appropriate policies and procedures.

What is your legal basis?

First of all, operators will need to identify the legal basis they are relying upon when collecting and holding this information.

Identifying a legal basis is not only essential for ensuring that processing is lawful. It also determines how an organisation should deal with a request by an individual to exercise his or her rights under data protection law (for example, whether the right to object or the right to erasure applies to the record).

In England, the guidance currently states that information should be collected "where possible". Operators do not have a legal obligation to collect the information, and the guidance is not underpinned by legislation. The guidance acknowledges that individuals may not want to provide the information, or may want to opt out of it being shared.

However, the guidance also states that it is not necessary to rely upon consent as a legal basis for processing unless the nature of the establishment means that a record of attendance would reveal special category personal data (for example, religious belief, political views, sexual orientation or trade union membership).

On 9 September 2020, the Prime Minister announced that collecting customer and visitor information will become mandatory in England from 18 September for hospitality, close contact and leisure venues.

In Scotland, as from 14 August, operators of restaurants, pubs, cafes and hotels that serve food and drink have a legal obligation to collect information on customers. Those operators will therefore be able to rely upon the legal obligation condition in Article 6(1)(c) of GDPR. There is no legal obligation on individuals to provide contact information, but the Scottish Government's hospitality-specific guidance states that individuals who decline to provide it should be "refused service" (and presumably asked to leave).

As in England, in Scotland the provision of information in other sectors is voluntary. Guidance (Multi-Sector) from the Scottish Government suggests that operators should rely upon legitimate interests as the legal basis for processing, on the basis that the processing is "necessary" to assist "with NHS Scotland’s Test and Protect strategy in relation to the coronavirus public health epidemic".

If the operator is relying upon legitimate interests, then it will need to carry out a legitimate interests assessment (LIA) to assess the impact of its proposed approach on the rights and interests of individuals and whether the processing is indeed necessary for the stated purpose. Operators should bear in mind that while the Scottish Government may suggest that they rely upon legitimate interests, each operator will need to be able to justify that approach and explain the LIA that it has carried out, taking into account the interests of data subjects and its proposed approach. Legitimate interests will also not be sufficient if presence at the premises or venue discloses information that constitutes special category personal data.

The Information Commissioner's Office (ICO) likewise suggests that operators should rely upon legitimate interests as the legal basis for processing, on the basis that the processing "is likely to be in the interests of the individual, the organisation, and the public health efforts to tackle COVID-19, as long as individuals’ rights are protected and data protection principles are followed."

Accountability and transparency

Businesses and other venue operators will need to think about how they ensure that the data is used only for the purpose for which it is being collected and how they comply with their other obligations under data protection law. For example, information collected should not be added automatically to marketing lists or retained for an excessive period of time, and should be kept secure and disposed of securely. The security measures required will depend on how the information is held: a paper sign-in sheet should not be left open where later customers can read the entries of earlier ones, and an electronic record should be restricted to the staff who need it and deleted at the end of the retention period rather than left in a shared spreadsheet or email inbox.

Staff not used to handling personal data will also need to be provided with appropriate training.

If the information is already collected as part of the booking process, how will customers be informed that some of this information may be shared with public health authorities? Where applicable, are they given the opportunity to opt out if they so wish? How will you record that? Is it even possible if you use a third-party booking platform?

In relation to pubs, restaurants and cafes in Scotland, how will staff deal with an individual who refuses to provide contact information (or clearly provides false information)?

Some businesses may also be considering using apps to allow customers to place orders with minimum face-to-face contact with staff. Again, this will require care. Who is providing the app? Is there a contract in place? What is done with the information? Is it going to be used for marketing purposes? If so, is separate consent being sought for that?

In both cases, businesses should carry out a data protection impact assessment to assess the risks and ensure that they have in place clear and transparent privacy notices and signs to explain to customers how their data will be used and their rights. In the case of contact tracing information, this will include providing information on when and how it is shared with public health authorities.

The Scottish Government has provided template privacy notices and posters for hospitality and other operators to use. Any operator considering using the templates should review them carefully and ensure that they accurately describe how that operator will collect and use the information. Note that the templates are not endorsed or approved by the ICO.

Operators may also need to register as a controller with the Information Commissioner's Office if they have not already done so. A fee applies, which is based on the organisation's headcount and turnover.

ICO guidance

The ICO has warned that it will not hesitate to take action if it discovers negligent data processing practices. However, the ICO has also stressed that it is keen to support businesses as they navigate what may be unfamiliar territory for some.

The ICO has published simple and user-friendly contact tracing guidance. The five key guiding principles are:

  • Ask for only what’s needed – refer to the government test and trace rules and only collect what is strictly required.
  • Be transparent with customers – let customers know what you are doing and why you are doing it.
  • Carefully store the data – ensure the data is stored in a safe and secure manner, with access being granted to staff on a need-to-know basis.
  • Don’t use it for other purposes – as tempting as it may be, the data cannot be used to bolster your email mailing lists or for social media marketing.
  • Erase it in line with government guidance – only keep the data for as long as the government rules require. When disposing of the data, again, make sure this is done in a safe and secure manner.

The ICO has also published a more detailed Q&A on collecting customer and visitor details for contact tracing purposes.

Preparing for reopening

Businesses should ensure that they have a solid understanding of the requirements, have identified a legal basis, set out clear processes and procedures detailing how data collection will fit into their order of service and how the information will be held and, lastly, ensure that all relevant staff have appropriate training.

More information:

If you have any questions about contact tracing and your data protection obligations and responsibilities, please get in touch.

Contributor

Martin Sloan

Partner