Data protection considerations for re-opening the hospitality industry

Authored by NMU

In its latest guidance on keeping workers and customers safe during COVID-19 in restaurants, pubs, bars and takeaway services (23 June 2020), the Government has recommended that businesses operating in these sectors keep a temporary record of customers and visitors for 21 days. This will assist NHS Test and Trace with requests for that data if needed.

However, there are measures that hospitality businesses will need to take to ensure that they collect, use, and dispose of personal data for these purposes in compliance with GDPR and other data protection legislation. Here are some practical steps to help your business comply with its obligations under data protection legislation when implementing Test and Trace measures.

Information collected

You should only collect the minimum amount of data that you actually need in order to comply with the Government guidance. In practical terms this is likely to mean:

Customer names

Contact email addresses and/or telephone numbers

Date of attending your venue (and estimated timings at your venue)

The Government Guidance does not currently recommend asking customers whether or not they have had COVID-19 symptoms or any other health-related questions before attending venues. If you do decide to do this, you must be aware that such information is considered special category data and additional legal considerations will apply. If you feel that it is important for your business to record this information, we suggest seeking specialist legal advice before proceeding.

Lawful basis

You are required to be able to demonstrate that you have one of the GDPR-specified lawful bases for processing this personal data. The most likely lawful basis in this context is ‘legitimate interests’. However, in order to rely on legitimate interests you should clearly document that you have:

Identified a legitimate interest: In this case, facilitating contact tracing for COVID-19.

Shown that the processing is necessary to achieve it: This is likely to be met given that the Government has recommended these measures; and

Balanced these against the individual’s interests, rights and freedoms: This analysis should be carried out in the context of your specific organisation, but again should be fairly easy to demonstrate.

Customer notification

You will need to notify your customers clearly as to:

Why you are collecting their data: This should be limited to contact tracing. 

Who you will be sharing it with: You will need to tell your customers that you may pass data collected to the NHS Test and Trace service, which is operated by The Department of Health and Social Care. For most hospitality businesses, there are unlikely to be any other organisations that you will need to share this data with. However, if you do need to share it with another third party you will also need to inform your customers that you will be doing so.

How long you will keep the data: See section on ‘retention time periods’ below.

This should all be communicated to your customers at the time of collecting their data for contact tracing purposes (e.g. when they make a reservation or before they enter your venue). You should also consider updating your general customer privacy policy.

There is other information that you are required to provide to individuals when you collect their personal data (e.g. the identity of the controller, details of data subject’s rights, right to complain to Information Commissioner). However, depending on the method you’re using to collect the data, it may be easier to include a statement at the end of the short-form notice along the lines of: “For further information about how we process your personal data, please see our Privacy Notice at [insert URL, possibly with QR code for ease of consultation]”.

Security of data

You should make sure that the information collected is kept secure. Consider implementing measures such as requiring passwords to access the data and encryption (if stored electronically) and limiting access to staff that strictly need to access the data to perform their role. Your systems as a whole should have appropriate security measures, such as up-to-date versions of software, patching and antivirus.

Use of data

This data should only be used to assist with contact tracing and not for any other purpose. Please do not automatically add customers to your marketing lists or combine this data with any other customer databases that you may have.

If you want to also collect data for marketing purposes at the same time (e.g. if this collection step for contact tracing will be incorporated into an online booking process), then this will need to be clear in the collection process and you will need to obtain separate consent to use this data for marketing. In other words, customers should not feel obligated to allow you to collect their data for marketing purposes at the same time that you collect this data to facilitate Test and Trace measures.

Retention time periods

The Government guidance recommends retaining the data for 21 days. You must ensure that any periods are no longer than necessary for contact tracing purposes. In practice, given that the Government guidance has specified a 21-day period, retention periods that are much longer than this are unlikely to be acceptable. You must also ensure that you tell customers how long you will be retaining the data for.

Once the retention period has finished, you should securely delete the data. This means shredding and/or otherwise securely disposing of all hard copy records plus securely deleting any electronic copies.

Staff considerations

The guidance also recommends keeping a temporary record of your staff shift patterns for 21 days and assisting NHS Test and Trace in the context of your staff.

The scope of this note does not cover any testing or other measures in relation to staff, but businesses should also be mindful that additional guidance has been published by the ICO setting out other considerations for employers in a COVID-19 world (see other useful resources).

Use of third-party booking systems

You may already have booking or reservations systems in place with third party booking platforms. Some of these service providers already facilitate the safe collection and storage of personal data in order to make bookings for your restaurant. They will no doubt also be keeping an eye on Government recommended measures so consider contacting them to see to what extent they can help you implement some of the other steps outlined in this note.

Acknowledgement

Authored by our breach response provider RPC:

Victoria Noto (Associate)

Ridvan Canbilen (Associate)

Richard Breavington (Partner)
