Pubs, restaurants, hairdressers and other hospitality businesses are being asked to collect and record visitors' personal data in an effort to assist with contact tracing. The obligation to design and implement GDPR-compliant personal data collection, storage and contact tracing capability is a significant burden, particularly given the fact that governments around the world have struggled to do this lawfully. On top of this, businesses have only ten days in which to come up with a plan before the official reopening date of 4 July.
Key questions businesses will need to address include, among others:
- What data do we need to collect?
- How are we going to collect the data?
- How and where are we going to store the data?
- How long will we store the data for?
- How will we deal with data subject access requests and other data subject rights?
For many businesses, particularly given the short time frames, a risk-based approach will need to be taken whereby the most immediate and pressing issues are addressed first to get a system in place ready for opening. Businesses will also need to remember that personal data can only be used for the purpose for which it was collected. For example, email addresses and other contact details cannot be used for marketing purposes unless visitors have given their specific consent to be marketed to.
How long this situation will last nobody knows, but it places a significant burden on one of the industries that has been hit hardest during the pandemic. The ICO has said it is actively assessing this situation and will be monitoring developments, so watch this space for further comments.
If you have any questions or need any advice or guidance, please get in touch with a member of the data privacy team.
Bars, restaurants, hairdressers and churches face a minefield, privacy campaigners have warned, after the government instructed them to record people’s contact details in case they need to assist with test-and-trace efforts. From 4 July, hospitality businesses and other venues in England will be able to reopen. To minimise customer contact, restaurants will be limited to table service inside, Boris Johnson said on Tuesday, and will be asked to help NHS Test and Trace “by collecting contact details from customers, as happens in other countries”. He added: “We will work with the sector to make this manageable.” But privacy groups said the industry had been given no guidance on how to gather and store potentially sensitive data, while customers had been given no assurance that their information would be handled safely.