New COVID-19 guidelines and data protection: what businesses need to do now

On 4 July, many businesses will be reopening. There’s a lot to do in a short time, including keeping records to help with NHS Test and Trace. Here’s what you need to do to comply with data protection.

Bill Bryson once wrote that he’d never been attracted to danger: ‘It’s not my sort of thing. I am more attracted to pubs and cafes. The known, safe and comfortable world.’

Of course, COVID-19 has turned this safe and comfortable world on its head. The pandemic has had a profound impact on the hospitality sector, and others such as tourism and hairdressing, and it will no doubt continue to present a danger for some time to come. Most businesses are keen to reopen but there are many unknowns, such as how businesses will collect information on their customers, visitors and staff, so that this information can be handed over, if needs be, to NHS Test and Trace.

What does the guidance from the government say?

The government advice is that: ‘you should assist [NHS Test and Trace] by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your business, and assist NHS Test and Trace with requests for that data if needed.’ Helping the national testing and tracing service in this way ‘could help contain clusters or outbreaks’.

While many businesses that take bookings already have systems for recording their customers and visitors, such as restaurants, hotels, and hair salons, this will be a significant cultural change for pubs and cafes and a challenge to implement.

On 3 July the government published guidance, ‘Maintaining records of staff, customers and visitors to support NHS Test and Trace’, on how businesses should collect this data.

Who does it apply to?

The new guidance applies to:

• hospitality, including pubs, bars, restaurants and cafés
• tourism and leisure, including hotels, museums, cinemas, zoos and theme parks
• close contact services, including hairdressers, barbershops and tailors
• facilities provided by local authorities, including town halls and civic centres for events, community centres, libraries and children’s centres
• places of worship, including use for events and other community activities

What information needs to be collected?

The information to be collected is:

• staff: the names of staff who work at the premises; a contact phone number for each member of staff; and the dates and times that staff are at work
• customers and visitors: the name of the customer or visitor (if there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group); a contact phone number for each customer or visitor, or for the lead member of a group of people; date of visit, arrival time and, where possible, departure time; if a customer will interact with only one member of staff (eg, a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer. 

A particular challenge is dealing with departing customers or visitors as they are often are used to leaving quickly and might forget to tell a member of staff, particularly if one is unavailable. For businesses that are using paper forms to collect NHS Test and Trace information, one solution is for businesses to ask their customers or visitors to place a form in a box on leaving, noting their departure time.

What does the ICO say?

The ICO has also provided guidance on contract tracing, publishing on 2 July an ‘ABCDE’ five-step guideto help businesses understand what they need to think about and do from a data protection point of view:

The ‘ABCDE’ steps are:

• Ask for only what’s needed
• Be transparent with customers
• Carefully store the data
• Don’t use it for other purposes, and
• Erase it in line with government guidance

To date, the guidance doesn’t yet provide much in the way of specific detail, such as what the legal basis for collecting this information is although the ICO says that further Q&As will be published. The government guidance says that ‘while consent is not required, we recommend that consent is sought in sensitive settings such as places of worship and for any group meetings organised by political parties, trade unions, campaign or rights groups, other philosophical/religious groups or health support groups. This is because of the potentially sensitive nature of the data collected in these circumstances.’

What happens if pubs and restaurants don’t collect this data?

It is unclear whether there is or will be a specific statutory obligation for businesses to assist NHS Test and Trace by collecting customer data, although this looks unlikely. The use of the wording ‘should assist’ in the government guidance (as opposed to ‘must assist’) also suggests that it isn’t, and isn’t going to be, a legal duty as such. At least not yet.

That said, many would regard helping the government contact tracing scheme as being the right thing to do, whatever the legal status of this requirement is. What’s more, if this data isn’t collected it is likely to be much more difficult, if not impossible, for relevant businesses to apply for the ‘We’re Good to Go’ industry standard and consumer mark, which is designed to reassure customers that businesses adhere to government and public health guidance.

Local authority teams may also take an interest in businesses that don’t collect this data. Enforcing authorities are empowered to take a range of actions to improve control of workplace risks. As the government guidance says, ‘there is also a wider system of enforcement, which includes specific obligations and conditions for licensed premises’, adding ‘regulators are carrying out compliance checks nationwide to ensure that employers are taking the necessary steps.’

What happens if customers or visitors don’t give this data?

The government guidance is that it is not mandatory for customers or visitors to give their details, although the guidance says, ‘please encourage customers and visitors to share their details in order to support NHS Test and Trace and advise them that this information will only be used where necessary to help stop the spread of COVID-19’.

The guidance also says that customers or visitors, ‘do not have to verify an individual’s identity for NHS Test and Trace purposes.’

What should you do now?

• Keep an eye on developments. Things are moving quickly in this area and guidance is likely to be issued or updated at the last minute
• Organisations such as UK Hospitality are also giving advice on NHS Test and Trace on their website
• Update your records of processing activities. As the ICO notes, ‘keeping a record of your processing activities is not a one-off exercise; the information you document must reflect the current situation as regards the processing of personal data. So you should treat the record as a living document that you update as and when necessary’
• Display a notice at your premises or on your website setting out what the data will be used for and the circumstances in which it might be accessed by NHS Test and Trace. An easy way of doing this is to pdate your relevant privacy policies (your policies should always be a living document that reflect the way you collect and process data). In addition, you could, say, add a banner or section to your home page to direct your customers or visitors to your privacy policy and specific information on the NHS Test and Trace scheme. Some businesses are doing this as part of their publicity campaigns on reopening safely. Make sure that any changes are concise, transparent, intelligible, easily accessible and in clear and plain language. The updated policy should state when it is effective from. Let customers and visitors aware of your (updated) privacy policy
• After 21 days, the information you collect for the NHS Test and Trace scheme should be securely disposed of or deleted. Records for other business purposes do not need to be disposed of after 21 days (the requirement to dispose of the data relates to a record that is created solely for the purpose of NHS Test and Trace)
• Don’t use this data for any other purpose such as marketing or any other purpose unrelated to the NHS Test and Trace scheme
• Don’t forget to keep a copy of any outdated records of processing activities and outdated privacy notices
• Train staff on the new requirements