Updated guidance released on how businesses should collect customer details
At the time of the Prime Minister’s statement, there were a number of question marks over how this would be compatible with data protection law, which the ICO has sought to clarify in its most recent guidance.


Following on from our recent article “Relaxation of lockdown: new guidance requires restaurants, bars and other businesses to collect customer details” published last week, the Information Commissioner’s Office (“ICO”) has published supplemental guidance for those businesses that will be asked to collect customer details when opening from tomorrow onwards.
When the initial announcement was made by the Prime Minister that bars, restaurants, cafes and businesses such as hairdressers would be allowed to open from Saturday 4 July 2020, one of the many caveats was that these businesses should collect the contact details of any customers visiting the business’ premises. The need for such businesses to collect this data is on the basis that it will be necessary to support the NHS Test and Trace system.
At the time of the Prime Minister’s statement, there were a number of question marks over how this would be compatible with data protection law, which the ICO (as the independent regulator responsible for governing data privacy rights of individuals) has sought to clarify in its most recent guidance. The broad message for businesses is as follows:
Ask for only what is necessary
This is as set out in the Government’s guidance and includes details such as the individual’s name, contact details and date and time of arrival at the premises. It also includes the details of any staff that are working on a particular day. Whilst it had been thought that businesses may have been required to collect a person’s ID, this does not appear to be the case.
Be transparent with customers
This accords with one of the main principles of data protection requiring businesses to inform data subjects what their data will be used for and why it is necessary. A simple onsite notice, as suggested in our previous article, or website statement would satisfy this requirement so that a business’ employees do not have to inform every single customer personally. Any privacy notice must also set out that personal data may be disclosed to the NHS for the purposes of contact tracing.
Carefully store the data
As with other data collected or processed by these businesses, it should be stored in a way that is secure, digitally or otherwise.
Do not use the data for other purposes
The data that is collected for the purposes of contract tracing cannot be used for any other purpose. For example, businesses cannot add customer details to their direct marketing list.
Erase the data in line with government guidance
Businesses must not keep customer data for longer than 21 days after collection. Erasure should be conducted in a secure manner to prevent others from using the data.
It would appear from the above that the ICO has tried to keep things simple for businesses and to encourage a common sense approach. It has not sought to impose any “new” practices, but has instead re-stated existing data protection principles. For those businesses that are re-opening and will be collecting data for NHS Test and Trace purposes, it will be important to have in mind the data privacy rights of individuals during the collection process.
Further Government guidance provides that individuals will be able to refuse to share their data for the purposes of NHS Test and Trace if they wish. Where data is collected, businesses will only be required to share it with NHS Test and Trace when requested.
For full ICO guidance, see here.
If you have any questions or queries on how best to approach such guidance and re-open, please contact the Data Protection Team at Leathes Prior on 01603 610911 or by email.
Note: The content of this article is for general information only and does not constitute legal advice. Specific legal advice should be taken in any specific circumstance.


Leathes Prior advises Complete Strategy on sale to Flint Global
Alex Saunders, Partner in Leathes Prior's Corporate Team, advised Complete Strategy on the sale of its business to Flint Global. The acquisition marks Flint Global's first acquisition and represents the first step in its M&A growth strategy.

.jpg)

Maternity Services in England: Recent Reports and What They Mean for Families
In a follow up to our recent article on maternity safety, Polly Langford, Partner in our Personal Injury & Clinical Negligence Team has written on the findings of the Ockenden Report and what this means for families.



Competing uses of farmland - what the new Land Use Framework means for your business
The Government has published the Land Use Framework – which DEFRA says is “a plan for delivering new homes, nature restoration, clean energy and food security." Rebecca Allen, Senior Associate in our Agriculture Team explains what this means and what to consider for your business.

















%20cropped.jpg)








.jpg)

%20website.jpg)

.jpg)




%20cropped.jpg)

-3.jpg)