Get the party started – but remember to protect personal data!
It is a legal requirement in England for pubs, bars, hotels, restaurants and cafes to collect the personal data of their customers to help prevent the spread of coronavirus. The Government introduced the ‘NHS Test and Trace’ to assist establishments with this requirement. In addition, all personal data collected must be handled in accordance with the Data Protection Act 2018.
Although England is currently being regulated by a tier system, once establishments reopen fully, the following principles will need to be followed:
- You are required by law to participate in NHS Test and Trace and therefore you do not need to seek consent from your customers – though information should be given voluntarily.
- You should display the privacy notice that the Government has provided which explains how your business will manage a customer’s personal data to support NHS Test and Trace.
- Not all customers have the NHS Test and Trace App so you are required to offer a secure alternative. Venues must take reasonable steps to refuse entry to a customer who does not provide their name and contact details, is not in a group where one other member has provided their details, or who has not scanned the NHS QR code.
- You cannot collect the information for marketing purposes or any other business reason, it must only be used for contact tracing purposes.
- If the customer does not have the NHS App, accurately limit the information taken to only the name of the customer, their phone number and the date and time of their arrival. If there will be a designated member of staff to the customer, their name should also be recorded. You cannot ask a customer for their details again if they have checked in using the NHS App.
- As with all personal data, it should only be kept for as long as is needed. For the purposes of NHS Test and Trace, the Government has stipulated 21 days. After this time digital records should be permanently deleted and paper records should be shredded.
- You must ensure that all personal data you hold is safely protected. This is your responsibility and you must have measures in place to ensure all data held is not stolen, lost or destroyed. Measures you should take include staff training, policies and procedures and a secure electronic system.
- With contact tracing, the customer does not have an absolute right to request their personal data be erased. They do have the right to access the data you hold for them and they can ask for any inaccurate data to be corrected.
- It is not your responsibility to contact anyone if you discover that someone has tested positive while visiting your premises. This responsibility lies with the NHS tracing team. You only need to share the details if you are asked to do so by the team.
- You must carry out a Data Protection Assessment, similar to a COVID 19 Risk Assessment, as you have introduced a new system to manage contact details of your customers.
Please click here for the link to print and display the Government Privacy Notice.