As part of the reopening of the hospitality and leisure sectors, operators are being asked to collect information on staff, customers and visitors for contact tracing purposes. These rules will require operators to consider a number of data protection issues.

In England and Scotland guidance has been published asking certain businesses, including hospitality and leisure operators, to keep a temporary record of all staff and customers for 21 days for the purpose of facilitating the NHS Trace and Test strategy. Operators are asked to hold this information in electronic form. Since 14 August 2020, the obligation to collect information is mandatory in Scotland. On 9 September 2020, the Prime Minister announced that collecting information would also become mandatory in England.

While the opening of the hospitality industry is certainly welcome news for all involved in the sector, there is a lot of work to be done before the first service. As well as undertaking risk-assessments, welcoming back staff, implementing safety measures and applying a fresh lick of paint, establishments in England and Scotland will also need to get familiar with key data protection principles in order to stay on the right side of the law when it comes to contact tracing.

What are the data protection issues for hospitality businesses?

Anyone who has worked a shift in beer garden on a sunny summer's day would shudder at the thought of recording the contact details of every customer, as well as keeping on top of clearing the glasses. The practicalities of implementing this rule should not be underestimated. 

Businesses that take advance bookings (for example, a restaurant) may already collect this information. Other businesses will not ordinarily collect information on their customers and will need to think about how the information is collected (and in what form) and put in place appropriate policies and procedures.

What is your legal basis?

First of all, operators will need to identify what legal basis they are relying upon when collecting and holding this information. 

England

In England, the guidance states that information should be collected "where possible". Operators do not have a legal obligation to collect the information, and the guidance is not underpinned by legislation. The guidance acknowledges that individuals may not want to provide the information, or opt out of it being shared. 

However, the guidance also states that it is not necessary to rely upon consent as a legal basis for processing unless the nature of the establishment would comprise special category personal data (for example, it indicates religious belief, political views, sexual orientation or trade union membership).

The Information Commissioner's Office (ICO) suggests that operators should rely upon legitimate interests as the legal basis for processing, on the basis that the processing is " is likely to be in the interests of the individual, the organisation, and the public health efforts to tackle COVID-19, as long as individuals’ rights are protected and data protection principles are followed."

If the operator is relying upon legitimate interests, then it will need to carry out a legitimate interests assessment (LIA) to assess the impact of its proposed approach on the rights and interests of individuals. Operators should bear in mind that while the ICO may suggest that they rely upon legitimate interests, each operator will need to be able to justify that approach and explain the LIA that it has carried out.

Scotland

In Scotland, as from Friday 14 August, operators of restaurants, pubs, cafes and hotels serving food and drink have a legal obligation to collect this information. 

While there is no legal obligation on customers to provide information, the Scottish Government's guidance states that anyone refusing to provide contact information should be "refused service" (and presumably invited to leave the premises).

Identifying a legal basis is not only essential for ensuring that processing is lawful. It also determines how an organisation should deal with a request by and individual to exercise his or her rights under data protection law. Given that collection of information is mandatory in Scotland, customers in Scotland will have more limited rights under data protection law than those in England.

Accountability and transparency

Hospitality businesses will need to think about how they ensure that the data is used only for the purpose for which it is being collected and how they comply with their other obligations under data protection law. For example, information collected should not be added automatically to marketing lists or retained for an excessive period of time, and should be kept secure, and disposed of securely. The security measures required will depend on how the information is held. 

Staff not used to handling personal data will also need to be provided with appropriate training. 

If the information is already collected as part of the booking process, how will customers be informed that some of this information may be shared with public health authorities? Are customers in England given the opportunity to opt-out if they so wish? How will you record that? 

How will operators in Scotland deal with customers that refuse to provide information?

Some businesses may also be considering using apps to allow customers to place orders with minimum face to face contact with staff. Again, this will require care. Who is providing the app? Is there a contract in place? What is done with the information? Is it going to be used for marketing purposes?

In both cases, businesses should carry out a data protection impact assessment to assess the risks and ensure that they have in place clear and transparent privacy notices and signs to explain to customers how their data will be used and their rights. In the case of contact tracing information, this will include providing information on when and how it is shared with public health authorities. 

The Scottish Government has provided operators in Scotland with a template privacy notice and posters for operators to use. Again, each operator should review this and ensure that it accurately describes how that operator will collect and use the information. These will not be suitable for operators in England and Wales as they will not be able to rely on legal obligation as the legal basis for collecting this information.

Operators may also need to register as a controller with the ICO if they have not already done so. A fee applies, which is based on the organisation's headcount and turnover.

Who is being asked to collect information?

In both Scotland and England, the guidance applies to:

  • hospitality, including pubs, bars, restaurants and cafés
  • tourism and leisure, including hotels, museums, cinemas, zoos and theme parks
  • close contact services, including hairdressers, barbershops and tailors
  • facilities provided by local authorities, including town halls and civic centres for events, community centres, libraries and children’s centres
  • places of worship, including use for events and other community activities

For organisations in other sectors see our general guide to collecting customer and visitor contact information.

What information are operators asked to collect?

In both England and Scotland, operators are being asked to collect the following information:

  • staff
    • the names of staff who work at the premises
    • a contact phone number for each member of staff
    • the dates and times that staff are at work
  • customers and visitors
    • the name of the customer or visitor. If there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group
    • a contact phone number for each customer or visitor, or for the lead member of a group of people
    • date of visit, arrival time and, where possible, departure time

In Scotland, larger establishments are also asked to record table numbers or sections where customers were seated.

The England, if a customer will interact with only one member of staff (for example a hairdresser), then the name of the assigned staff member should be recorded alongside the name of the customer.

ICO guidance

The Information Commissioner's Office (ICO) has warned that it will not hesitate to take action if it discovers negligent data processing practices. However, the ICO has also stressed that it is keen to support businesses as they navigate what may be unfamiliar territory for some.

The ICO has published simple and user-friendly contact tracing guidance. The five key guiding principles are:

  • Ask for only what’s needed – refer to the government trace and testing rules and only collect what is strictly required.
  • Be transparent with customers – let customers know what you are doing and why you are doing it.
  • Carefully store the data – ensure the data is stored in a safe and secure manner, with access being granted to staff on a need-to-know basis.
  • Don’t use it for other purposes – as tempting as it may be, the data cannot be used to bolster your email mailing lists or for social media marketing.
  • Erase it in line with government guidance – only keep the data for as long as the government rules require. When disposing of the data, again, make sure this is done in a safe and secure manner.

The ICO has also published a more detailed Q&A on collecting customer and visitor details for contact tracing purposes.

Preparing for reopening

Businesses in the hospitality sector should ensure that they have a solid understanding of the requirements, have identified a legal basis, set out clear processes and procedures detailing how data collection will fit into their order of service and how the information will be held and, lastly, ensure that all relevant staff have appropriate training. 

With this covered, the sector can focus on the safety requirements, keeping the punters happy and getting the vibrant and much-missed industry back up and running.

More information:

If you have any questions about contact tracing and your data protection obligations and responsibilities, please get in touch.

Contributor

Martin Sloan

Partner