Restaurants, pubs, bars and takeaway services are able to re-open from the 4th July amidst government recommendations and regulations. Businesses are being asked, by somewhat vague government advice, to support the NHS Test and Trace response by collecting contact details of customers. But key concerns such as what information is required, how the information will be used and the surrounding liability is not yet clear.
Contact details such as names, e-mail addresses and phone numbers all constitute personal data and must be collected in compliance with the GDPR. Businesses which previously may not have had much interaction with data protection will now have an urgent mandate to bring their processes into compliance. There are some key first steps that businesses should consider before they celebrate the 4th July.
Make sure customers are aware of what information is being collected, how that information is being processed (including if it is going to be shared with any third parties, such as the NHS contract tracers) and their rights in regards to that information. Privacy notices must be clear and accessible by your customers.
Lawful basis for processing
If you are relying on customers consent to collect the personal data, are they able to refuse and/or withdraw their consent at any time? If access to your venue is contingent on disclosing contact details, you may not be able to rely on consent and must consider a different lawful basis.
How can you use the information?
You can only use the personal data for the purpose for which it is collected. If the purpose is to support the NHS Test and Trace response, you cannot also use the contact details for other purposes such as marketing or sharing with a third party.
Keep it safe
You will likely be collecting a large amount of contact information that your business may not be accustom to holding. You must implement technical and organisational measures to protect the personal data you collect from any misuse or unlawful access. This may include technical safeguards as well as organisational such as training your staff on their confidentiality and security obligations.
After three months we are all ready to enjoy the summer sunshine with a pint in a beer garden, but thought will need to be had by businesses to ensure a lawful re-opening. There are still questions to be asked and answered before the 4th July!
You should assist this service by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your business, and assist NHS Test and Trace with requests for that data if needed.