Shorter Reads

Preparing for 4 July: Pubs and restaurants required to collect customers’ details

1 minute read

Published 30 June 2020

Authors

Share

Key information

There will be some respite from life under lockdown in England on 4 July, when pubs, bars, cafés, takeaway services, and restaurants will be able to re-open, subject to high-level guidance issued by the UK government in this last week, and which is linked to below.

Under the guidance, operators of the above-mentioned businesses are asked to keep a temporary record of customers’ contact details for 21 days in order to support the NHS’s Test and Trace response (see the extract quoted below).

Contact details such as names, phone numbers, and email addresses constitute personal data under the GDPR and Data Protection Act 2018. That means these businesses will need to ensure that their collation and retention of these contact details comply with this legislation. The guidance says little as to what exactly is expected of these businesses in terms of compliance. In the extract quoted below, the government has stated that it will announce further details “shortly”, but adds that it does expect these businesses to collect customer data “to help fight the virus”.

Although there is little time for these businesses to prepare and implement detailed data collection and retention procedures before Saturday, there are some key steps that businesses can take before collecting customers’ contact details. These include:

  • Informing customers that their contact details will be collected and letting them know how it will be processed and who it might be shared with (e.g. NHS contract tracers). Privacy notices ought to be updated if necessary and made available to view wherever bookings are made, whether online or at the premises.
  • Ascertaining the correct lawful basis or bases for the collection of customer data and stating this in the privacy notice. Relying on consent as the lawful basis in this scenario may be problematic, since this can be withdrawn by customers at any time, and it may not satisfy the requirement of having been “freely given” if access to the premises is made conditional upon customers disclosing their contact details.
  • Ensuring customers’ contact details are used only for the purposes for which they were collected. That means those details can be used to support the Test and Trace operation, but cannot be used for marketing or other purposes (unless another lawful basis for those other purposes has been established).
  • Training staff to keep customers’ contact details confidential. Businesses must have appropriate technical and organisational measures in place to prevent any misuse or unlawful access of this personal data.
  • Putting in place procedures to delete customers’ contact details after the 21-day period is over, unless there is another lawful basis established for the continued processing of that personal data.

The UK’s privacy regulator, the Information Commissioner’s Office (ICO), is unlikely to impose heavy fines on these already-challenged businesses in the leisure and hospitality sector for failure to achieve full compliance in such a short space of time. However, as the pandemic rages on and businesses continue to collect customers’ details, expectations of compliance will mount, not just from the ICO, but from the population at large.

https://www.gov.uk/guidance/working-safely-during-coronavirus-covid-19/restaurants-offering-takeaway-or-delivery

Message us with any questions

Related latest updates
PREV NEXT

Arrow Back to Insights

Shorter Reads

Preparing for 4 July: Pubs and restaurants required to collect customers’ details

Published 30 June 2020

Associated sectors / services

Authors

There will be some respite from life under lockdown in England on 4 July, when pubs, bars, cafés, takeaway services, and restaurants will be able to re-open, subject to high-level guidance issued by the UK government in this last week, and which is linked to below.

Under the guidance, operators of the above-mentioned businesses are asked to keep a temporary record of customers’ contact details for 21 days in order to support the NHS’s Test and Trace response (see the extract quoted below).

Contact details such as names, phone numbers, and email addresses constitute personal data under the GDPR and Data Protection Act 2018. That means these businesses will need to ensure that their collation and retention of these contact details comply with this legislation. The guidance says little as to what exactly is expected of these businesses in terms of compliance. In the extract quoted below, the government has stated that it will announce further details “shortly”, but adds that it does expect these businesses to collect customer data “to help fight the virus”.

Although there is little time for these businesses to prepare and implement detailed data collection and retention procedures before Saturday, there are some key steps that businesses can take before collecting customers’ contact details. These include:

  • Informing customers that their contact details will be collected and letting them know how it will be processed and who it might be shared with (e.g. NHS contract tracers). Privacy notices ought to be updated if necessary and made available to view wherever bookings are made, whether online or at the premises.
  • Ascertaining the correct lawful basis or bases for the collection of customer data and stating this in the privacy notice. Relying on consent as the lawful basis in this scenario may be problematic, since this can be withdrawn by customers at any time, and it may not satisfy the requirement of having been “freely given” if access to the premises is made conditional upon customers disclosing their contact details.
  • Ensuring customers’ contact details are used only for the purposes for which they were collected. That means those details can be used to support the Test and Trace operation, but cannot be used for marketing or other purposes (unless another lawful basis for those other purposes has been established).
  • Training staff to keep customers’ contact details confidential. Businesses must have appropriate technical and organisational measures in place to prevent any misuse or unlawful access of this personal data.
  • Putting in place procedures to delete customers’ contact details after the 21-day period is over, unless there is another lawful basis established for the continued processing of that personal data.

The UK’s privacy regulator, the Information Commissioner’s Office (ICO), is unlikely to impose heavy fines on these already-challenged businesses in the leisure and hospitality sector for failure to achieve full compliance in such a short space of time. However, as the pandemic rages on and businesses continue to collect customers’ details, expectations of compliance will mount, not just from the ICO, but from the population at large.

https://www.gov.uk/guidance/working-safely-during-coronavirus-covid-19/restaurants-offering-takeaway-or-delivery

Associated sectors / services

Authors

Need some more information? Make an enquiry below.

    Subscribe

    Please add your details and your areas of interest below

    Specialist sectors:

    Legal services:

    Other information:

    Jurisdictions of interest to you (other than UK):

    Article contributor

    Enjoy reading our articles? why not subscribe to notifications so you’ll never miss one?

    Subscribe to our articles

    Message us on WhatsApp (calling not available)

    Please note that Collyer Bristow provides this service during office hours for general information and enquiries only and that no legal or other professional advice will be provided over the WhatsApp platform. Please also note that if you choose to use this platform your personal data is likely to be processed outside the UK and EEA, including in the US. Appropriate legal or other professional opinion should be taken before taking or omitting to take any action in respect of any specific problem. Collyer Bristow LLP accepts no liability for any loss or damage which may arise from reliance on information provided. All information will be deleted immediately upon completion of a conversation.

    I accept Close

    Close
    Scroll up
    ExpandNeed some help?Toggle

    Get in touch

    Get in touch using our form below.