Following on from our recent article “Relaxation of lockdown: new guidance requires restaurants, bars and other businesses to collect customer details” published last week, the Information Commissioner’s Office (“ICO”) has published supplemental guidance for those businesses that will be asked to collect customer details when opening from tomorrow onwards.
When the initial announcement was made by the Prime Minister that bars, restaurants, cafes and businesses such as hairdressers would be allowed to open from Saturday 4 July 2020, one of the many caveats was that these businesses should collect the contact details of any customers visiting the business’ premises. The need for such businesses to collect this data is on the basis that it will be necessary to support the NHS Test and Trace system.
At the time of the Prime Minister’s statement, there were a number of question marks over how this would be compatible with data protection law, which the ICO (as the independent regulator responsible for governing data privacy rights of individuals) has sought to clarify in its most recent guidance. The broad message for businesses is as follows:
Ask for only what is necessary
This is as set out in the Government’s guidance and includes details such as the individual’s name, contact details and date and time of arrival at the premises. It also includes the details of any staff that are working on a particular day. Whilst it had been thought that businesses may have been required to collect a person’s ID, this does not appear to be the case.
Be transparent with customers
This accords with one of the main principles of data protection requiring businesses to inform data subjects what their data will be used for and why it is necessary. A simple onsite notice, as suggested in our previous article, or website statement would satisfy this requirement so that a business’ employees do not have to inform every single customer personally. Any privacy notice must also set out that personal data may be disclosed to the NHS for the purposes of contact tracing.
Carefully store the data
As with other data collected or processed by these businesses, it should be stored in a way that is secure, digitally or otherwise.
Do not use the data for other purposes
The data that is collected for the purposes of contact tracing cannot be used for any other purpose. For example, businesses cannot add customer details to their direct marketing list.
Erase the data in line with government guidance
Businesses must not keep customer data for longer than 21 days after collection. Erasure should be conducted in a secure manner to prevent others from using the data.
It would appear from the above that the ICO has tried to keep things simple for businesses and to encourage a common sense approach. It has not sought to impose any “new” practices, but has instead re-stated existing data protection principles. For those businesses that are re-opening and will be collecting data for NHS Test and Trace purposes, it will be important to have in mind the data privacy rights of individuals during the collection process.
Further Government guidance provides that individuals will be able to refuse to share their data for the purposes of NHS Test and Trace if they wish. Where data is collected, businesses will only be required to share it with NHS Test and Trace when requested.
For full ICO guidance, see here.
If you have any questions or queries on how best to approach such guidance and re-open, please contact the Data Protection Team at Leathes Prior on 01603 610911 or by email.
Note: The content of this article is for general information only and does not constitute legal advice. Specific legal advice should be taken in any specific circumstance.