NHS Test and Trace data in the hospitality and retail sector
06 July 2020
Hoorah! Over the weekend, pubs (along with other equally exciting venues) have begun to re-open!
Government guidance has been released for those in the retail and hospitality sector on ‘contact tracing’, an effective tool in locating and containing suspected COVID-19 outbreaks. The UK government has requested that venues collect and store customer and visitor contact details to support NHS Test and Trace:
The opening up of the economy following the COVID-19 outbreak is being supported by NHS Test and Trace. You should assist this service by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your business, and assist NHS Test and Trace with requests for that data if needed. This could help contain clusters or outbreaks. Many businesses that take bookings already have systems for recording their customers and visitors – including restaurants, hotels, and hair salons. If you do not already do this, you should do so to help fight the virus.
Most of us are used to handing over contact details to hairdressers and hotels when making bookings.
But to a pub? A fast-food restaurant? A place of worship?
These types of places tend not to collect any personal data from their day-to-day visitors. For NHS Test and Trace to be successful, patrons will need to trust that these venues will keep their data safe from misuse.
Generating trust is key
The prospect of trustingly handing over one’s name and contact details when ordering a cheeseburger and a pint seems much less daunting when it’s clear:
- what the details will and won’t be used for;
- how long the details will be kept;
- who will see the details; and
- whether the details will be kept safe and secure from misuse.
Generating trust is often easier said than done, but a framework is found in the data protection principles which should always lie at the heart of using people’s data. Some in the hospitality and retail sector might be unfamiliar with these principles but will nonetheless be required to apply them to the customer and visitor data they are about to start collecting.
A data protection framework… but simplified!
A small amount of preparation and thought is all that’s required to set up good data practices. It doesn’t need to be complicated. Just put yourself in your customers’ shoes and do the things you would expect to be done before handing over your private details to a stranger.
Tell your customers why you are asking for their details
Be transparent and honest about what you are asking your customers and visitors for and why. Tell your customers under what circumstances you will share their data with others. Provide reassurance that any details collected will be deleted or destroyed once they are no longer needed. It doesn’t really matter how you get all this information to them and there are many options available:
- Display a notice.
- Add a few introductory paragraphs to the top of the contact details form.
- Arm your staff with the right information to answer customer questions.
Do whatever suits your business, but just make sure the information gets out!
Only ask for the details you really need
Name, contact details and date and time of visit. In most cases, this is all the information that ought to be requested from customers to meet the government’s recommendations.
Unnecessarily asking for health information from your customers or taking copies of customer IDs when there is no need is particularly risky and should be avoided.
Don’t misuse contact tracing data
Few things are more likely to destroy a person’s trust in a business than finding out their data has been used in an unexpected or inappropriate way. Strictly ensure that data collected from customers and visitors is only used for contact tracing purposes. Clear instructions against data misuse (such as a direction not to improperly contact customers) might be appropriate, particularly where you employ a young workforce. Contact tracing details should never be used for marketing purposes unless the customers have been told that this would occur and (crucially) consent has been given.
Limit access to the contact list to a ‘need to know basis’. Do not allow contact details to be viewed by other customers or by staff who have no need to see the data. Keep the data under lock and key or password protected if held electronically.
Delete the details when they are no longer needed
Government guidance currently recommends retaining the contact details for only 21 days. Incorporate deletion of old data into your business’ daily set of activities.
Be able to demonstrate all your good work
Those responsible for compliance with the privacy principles need to be able to demonstrate how they respect and protect people’s privacy rights. Keep records of all the steps you have taken to protect personal data and why you have taken these steps. Put in place workplace policies so that your staff have a good understanding of what is required of them under the data protection principles. Take a risk-based and proportionate approach to compliance; larger organisations might need to implement a more formal privacy framework, whereas it might be appropriate for smaller organisations to take a smaller scale, less formal approach.
Keep it simple and be honest
Good data practices don’t have to be challenging or complicated. Keep it clear, simple and honest and you might generate a level of trust and confidence from your customers that didn’t exist before.
And don’t be afraid to ask for help.