UK: New COVID-19 rules for the hospitality industry on collecting visitor contact information: Data protection considerations

Andrew Dyson, Alexa Smith

The hospitality industry has been hard hit by COVID-19. Measures introduced this week by the UK government to ease restrictions for the sector come with a condition – if you open a pub, restaurant or other hospitality venue for business you must keep a record of patrons who visit and be ready to help with the national test and trace effort.

When collecting this information, it is important to understand that data protection laws still apply, and to operate data collection systems in a way that complies with GDPR.

What is the hospitality sector being asked to do?

Guidance published on 23 June has asked venues to assist the NHS Track and Trace efforts by “keeping a temporary record of your customers and visitors for 21 days”. This rule applies regardless of whether a business already has the infrastructure in place to collect this information, so we expect to see a range of responses. Businesses that already require advance bookings should already have processes in place to collect the necessary contact information through online systems. For others, it may be a case of creating a new app, or simply keeping a written log of people coming on site.

There are many questions still to answer about how this will all work and the level of detail needed, but whatever systems are used, it is important for businesses to understand and manage the information they are collecting in a way that is consistent with data protection laws.

What are the data protection issues?

Data protection laws like GDPR are designed to protect individuals in any situation in which their personal data are collected. The fact that a business may be obliged to collect information in response to emergency public health regulations doesn’t create a waiver from these responsibilities. Indeed, GDPR is an important counterweight to the potentially excessive or unsafe collection and use of information that compliance with these regulations may cause.

Checklist

Here’s our checklist of practical steps hospitality and leisure businesses can take to stay on the right side of GDPR when complying with these new visitor record keeping obligations:

  • Data minimisation – Collect only the minimum amount of personal data needed. This is likely to be limited to name and contact information – i.e. telephone number or email address. Keep it to the basics and don’t overcomplicate by collecting more information than is needed.
  • Fair use – visitor information is being collected to assist national efforts to track infected individuals or those who may have come into contact with such individuals. Understand that the information may only be used for these purposes. It might be tempting to re-use the information for marketing purposes, for example, but this can only be done if you have obtained the correct permissions from those individuals.
  • Limits on disclosure – the data must only be shared with those bodies that are responsible for contact tracing.
  • Inform – clearly explain to customers and visitors what data you are collecting and why you are doing it. This will particularly be the case for environments where customers and visitors don’t readily expect to be handing over their data. Transparency is a cornerstone of data protection law and being open and honest is a way organisations can build trust with their clients and customers.
  • Confidentiality – ensure your system has the means to keep the data secure, and train employees appropriately so that they understand they have a duty to keep the information confidential.
  • Retention – The guidance has removed the debate as to what an appropriate retention period for the data is and has requested that period be 21 days. Ensure you have processes to securely delete the information beyond this point.
  • Processors – if using third party technology (e.g. an online booking app) to collect visitor information, ensure you use a reputable vendor and, if they are processing data on your behalf, that they are properly appointed as a ‘processor’.

If you have any further questions, please contact the authors or your usual DLA Piper contact person.