Lack of guidance
On 4th July 2020, the hospitality sector is due to re-open including pubs, restaurants and hotels, following the coronavirus lockdown. However, those re-opening would be under an obligation to record the contact details of customers for at least 21 days in the event they are required to assist with the test and trace scheme.
This could prove dangerous as reports suggest that the hospitality sector, whilst being asked to do this, have not been provided with guidance how to gather and store sensitive data or how to ensure customers that their data will be kept secure. There are risks that the data gathered could be mishandled, misused or misplaced by the hospitality sector, opening up further risks of unwanted criminal activity.
The Information Commissioner’s Office (ICO) are continuing to assess the potential risks of the matter. Regardless of the current situation, businesses are not exempt from the data protection principles to protect data, handle and process is correctly, ensure it is secure and not held for longer than necessary.
The key message for those re-opening under the hospitality business are to:
- Collect the minimum amount of information necessary for the test and trace scheme. This should only be the necessary information such as a person’s full name, contact phone number or email address and the date and times of their visit.
- Explain what data you are collecting and why.
- Inform where the information will be kept and the customers’ right to access/correct any information.
- That the information will be secure.
- That the information will only be used for the test and trace scheme.
- Do not hold the information for longer than necessary.