As restrictions have been lifted, businesses have had to adjust to the new “normal” of trading in a pandemic, and to start keeping a record of customers who visit in a bid to help with track and trace. This obligation was thrust upon relevant businesses with little time to consider what was expected and to plan what to do. While some companies, particularly bigger ones, have likely been used to considering data protection principles, smaller businesses may have been concerned about the changes. The questions arising are what should we be doing and how can we properly (and lawfully) manage data collection?
Who Does It Apply To?
The Health Protection (Coronavirus)(Restrictions & Requirements)(Scotland) Regulations 2020 (the “Regulations”) apply to the hospitality sector, like pubs, restaurants and cafes and to hotels where food and drink are sold for consumption on the premises. The Regulations do not apply where food or drink is offered for take away. Where a business offers both sit in and take away, the Regulations will only apply to those sitting in. Other industries which have high levels of customers might consider keeping similar details to assist with track and trace although there is no obligation to do so at the moment.
What Can/Should You Collect?
Under the Regulations, hospitality businesses should hold visitor information for at least 21 days. This means the name and telephone number of one member of each household visiting, the date and arrival time of their visit and the number of members in that household visiting. In addition to this, it is important for businesses to remember to record details of staff who are working each day as well. Outwith the hospitality sector, businesses can still collect visitor information, although there is no obligation to do so and the lawful basis for doing so will be different.
Customers have understandably been nervous about handing over this information, and may even refuse to do so. Customers are not obliged to give the information, but businesses (especially those in hospitality) should consider whether they allow customers who refuse to provide this information into their premises.
Any Other Rules To Remember?
Rule of 6
There has been a lot said about “Rule of 6” and for hospitality it means that no more than 6 people are permitted in a group (excluding any children under 12) and those 6 people cannot come from more than 2 households. When taking bookings, staff should be aware to check how many households are attending, get contact details for each household (not just one number for the booking party) and avoid any bookings which exceed the permitted numbers.
The information to be collected by businesses is considered personal data so the standard data protection principles will still apply. That means you need to make sure there is a lawful basis for processing, respect data minimisation, keep data as accurate and secure as possible and delete when appropriate. While it may be tempting to use consent as a lawful basis, remember that if a customer withdraws consent, you can no longer process that information. If you are in the hospitality sector, a much safer basis would be legal obligation (complying with the Regulations) so long as the data is only used to help with track and trace. For other industries, the information can be collected and could likely be processed under legitimate interests (on the basis the personal data required is minimal, it is held for a short period and it balances against your need to keep your business open and operating).
One point which may cause some concern for businesses is whether the information is accurate or not, particularly if customers are reluctant to provide information. As long as businesses are recording the information provided and taking reasonable steps to ensure accuracy (acknowledging that Mickey Mouse is unlikely to visit most restaurants), you are likely to meet your obligations under the data protection law.
The other point to consider under data protection rules is whether your business needs to register with the ICO in respect of processing the data collected.
The Regulations require hospitality businesses to provide the visitor information to a public health officer as soon as possible, and no later than 24 hours after the request. The reason for providing this is to prevent and monitor the spread of Covid-19. This means that if (a) the person is not a public health officer or (b) the reason for requesting is not to prevent or monitor the spread of Covid-19, businesses should consider very carefully whether or not to share the information. If you do share without a legal obligation to do so, you could have inadvertently breached data protection rules and be liable to enforcement action by the Information Commissioner's Office (the “ICO”).
What’s The Risk Of Non-Compliance?
If you fail to comply with the Regulations, you are committing an offence under the Regulations, so any hospitality business which allows customers in without recording visitor information could face a fine if convicted or a fixed penalty notice. There is also a potential fine for breaching data protection rules and compensation claims from customers if there is, for example, a data breach or if data is used for marketing. The other risk to consider for non-compliance is the impact on reputation if, for example, you fail to keep data secure or misuse data given for track and trace purposes.
What To Do
Here are my five steps on what businesses should be doing with visitor information:
- Only take the details you really need. You should ask for the minimum and avoid taking unnecessary information (like health issues or previous places visited). It might be tempting to ask to take a copy of ID, but this is probably beyond what is needed.
- Train your staff so they can answer any customer questions. Also train staff to ensure visitor information is not used for other purposes either by individuals or by your business (like marketing). Not only would this be unlawful under data protection rules, it will harm your business if customers do not have trust in how you store and use their information.
- Keep records, but only for as long as necessary. The privacy notice should say how long the visitor information is held for and you should let staff know when data can be deleted/destroyed. The minimum period under the Regulations is 21 days from the visit.
- Limit access to the contact list to a ‘need to know’ basis. Any data collected should be kept confidential (unless it is required to be shared with public health officials) and businesses should not allow contact details to be viewed by other customers or by staff who have no need to see them.
And What Not To Do
And as a final tip, businesses should be very careful who they share contact information with. There is a legal obligation in hospitality to share with a public health official but we have already seen instances where individuals are contacted by fraudsters pretending to be from track and trace. Businesses should be alert to this and remember as the data controller, you are responsible for the security and safety of the data collected and it should only be shared where the person is legitimately entitled to the data.
For help and advice on any of the topics covered in this article, please speak to a member of the Blackadders Corporate & Commercial team.
Ruth Weir, Associate Solicitor
Corporate & Commercial
© Blackadders LLP 2022