How to navigate data protection duties whilst following contact tracing rules
6th July 2020
If your name’s not down, you’re not getting in!
Having to give your name and number before going for a pint or a meal out is going to be part of the new normal.
As pubs, restaurants and other businesses begin to open up, new legal obligations are being placed on business owners to take customers’ details before letting them onto the premises, to help with contact tracing if someone later turns out to contract (or have had) the Covid-19 coronavirus.
Business owners still need to be mindful of their data protection obligations though, as the kind of information collected will be personal data and protected by law. Breaching that law can lead to stiff fines, and other sanctions.
The Information Commissioner, the official regulator for data protection, has published some initial guidance on how businesses should act:
A - Ask for only what’s needed
You should only ask people for the specific information that has been set out in government guidance. This may include things like their name, contact details and time of arrival for example.
You should not ask people to prove their details with identity verification (like showing a passport or driving licence), unless this is a standard practice for your business, eg ID checks for age verification in pubs.
B - Be transparent with customers
You should be clear, open and honest with people about what you are doing with their personal information. Tell them why you need it and what you’ll do with it. You could do this by displaying a notice in your premises, including it on your website or even just telling people.
If you already collect customer data for bookings, you should make it clear that their personal data may also be used for contact tracing purposes.
C - Carefully store the data
You must look after the personal data you collect. That means keeping it secure on a device if you’re collecting the records digitally or, for paper records, keeping the information locked away.
For example: if you keep a list at the welcome point in your restaurant, be mindful of how easy it is for other customers to glance over the list and see the details. Crafty nightclub patrons are already used to reading the guest list upside-down!
You should also only hand it over to the proper authorities dealing with contact tracing. Beware of scammers trying to steal data, and don’t be hesitant in asking for ID or other evidence of authority.
D - Don’t use it for other purposes
You cannot use the personal information that you collect for contact tracing for other purposes, such as direct marketing, profiling or data analytics. Use it for the contact tracing only, and nothing else.
E - Erase it in line with government guidance
You should not keep the personal data for longer than the government guidelines specify. It’s important that you dispose of the data securely to reduce the risk of someone else accessing the data. Shred paper documents and permanently delete digital files from your recycle bin or back-up cloud storage, for example.
For any advice in relation to any particular aspects of the above, please contact Angus MacLeod (firstname.lastname@example.org)
The information contained in this newsletter is for general guidance only and represents our understanding of relevant law and practice as at July 2020. Wright, Johnston & Mackenzie LLP cannot be held responsible for any action taken or not taken in reliance upon the contents. Specific advice should be taken on any individual matter. Transmissions to or from our email system and calls to or from our offices may be monitored and/or recorded for regulatory purposes. Authorised and regulated by the Financial Conduct Authority. Registered office: 302 St Vincent Street, Glasgow, G2 5RZ. A limited liability partnership registered in Scotland, number SO 300336.