COVID-19 – REQUIREMENTS FOR MAINTAINING PERSONAL DATA RECORDS IN RESTAURANTS, PUBS, BARS, AND TAKEAWAY SERVICES ON RE-OPENING AFTER LOCKDOWN
On 23 March 2020, the UK government introduced restrictions on businesses and venues requiring many to close to assist in containing the COVID-19 virus. During May and June, the ‘lockdown’ has started to be eased and from 04 July 2020, further businesses and some venues are being permitted to re-open.
In re-opening, the government has issued guidance[1] (published by the Ministry of Housing, Communities & Local Government, 23 June 2020) to assist those restaurants, pubs, bars, and takeaway services. This guidance provides information about how the venues and businesses should operate, and there is an additional requirement within the guidance, which applies only to those venues and businesses operating in England, to ‘assist [the NHS Test and Trace] service by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your business, and assist NHS Test and Trace with requests for that data if needed’[2].
Most likely, all the businesses that this regulation concerns will be taking name and contact details through their booking systems and they will need to consider carefully how they will satisfy this requirement and maintain compliance with current data protection laws.
Things to consider:
- What will be the minimum personal data that needs to be collected to enable cooperation with NHS Test and Trace should they request information on attendees?
  - There is no stipulation within the regulation of ‘what’ personal data should be processed to enable this.
  - The regulation asks for a ‘temporary record of your customers and visitors’[3].
  - This would suggest that you need to keep a record of full name, some form of contact information i.e., phone number, date and time of their visit, possibly a table number for their location within your premises, for EACH of your visitors, not just the person making the booking.
- How will this personal data be processed (stored)?
  - Will you add this personal data to your existing system and what complications regarding complying with the retention period will this method create?
  - Will you create a separate database/record system for this purpose? How will it be secured, accessed and by whom?
- The regulation requires you to keep this personal data for 21 days.
  - How will you ensure that this retention period is complied with and how will the personal data be deleted/erased at the end of this period?
  - You will need to maintain a record of erasure i.e., what you deleted and when. This record may need to be kept for a period of 6 years – this is unclear; however, you will need to maintain a record of erasures so that you can prove X record was deleted and when.
- If you get a request from NHS Test and Trace to provide information about your visitors at a certain date and time, how will you deal with this?
  - You must ensure that the request is lawful as you cannot simply hand over the information.
  - You may need to adjust your policies and procedures regarding handling personal data requests from a Government Agency (read our blog article on this[4]).
  - You will need to train staff in these changes.
- How will you ensure that this personal data does not get used for other purposes, e.g., marketing?
  - You are collecting and processing this personal data to meet your legal obligations under the regulation; you cannot use this personal data for any other purpose no matter how inviting that may be.
- You will need to ensure that your privacy notice/statement is up to date for this collection and processing.
  - If you have a generic purpose statement in your privacy notice, something like: ‘We collect and store your personal data as part of our legal obligations…’, this may be sufficient.
  - You will be required to comply with the requirements of Article 13 of the EU GDPR to provide the information in your privacy notice at the point of collection. How will you do this when they give you their personal data? You could do this via a simple statement: ‘We are collecting your personal data to comply with our legal obligations and support the NHS Test and Trace system. You can read about how we look after your personal data on our website’.
The above is not exhaustive but must be considered to comply with both the regulations permitting re-opening and your legal obligations under data protection law.
Feel free to get in touch with questions via our Contact Us form.
Notes:
[1] GOV.UK: Guidance – Opening certain businesses and venues in England from 4 July 2020, (https://www.gov.uk/guidance/opening-certain-businesses-and-venues-in-england-from-4-july-2020) [accessed: 02 July 2020]
[2] n1. Track and Trace
[3] n1. Track and Trace
[4] The Gill Payne Partnership Ltd: What do you do when a Government Agency comes asking for access to personal data? EU GDPR / UK Data Protection 2018, (https://www.gillpayne.com/2019/06/what-do-you-do-when-a-government-agency-comes-asking-for-access-to-personal-data-eu-gdpr-uk-data-protection-2018/) [accessed: 02 July 2020]