Information being gathered from customers at restaurants, pubs, bars and takeaways under the easing of lockdown must follow strict data protection laws, warns a legal expert.
Jon Esner, partner and Head of the Commercial team at regional law firm Napthens, says the government guidance is still unclear on the exact information venues need to collect, but expects it to at least include names and contact details including email and telephone number of each customer.
Further specific guidance is promised, but Jon highlights that information must be collected in accordance with existing data protection laws.
He explained: “Data protection rules are very strict, and businesses must be aware of their responsibilities before they begin collecting information from customers and visitors. Everything from legal notices on websites and in venues themselves, to staff training, and having a system in place to properly destroy the data afterwards must all be taken into account.
“As with so much relating to the pandemic, the situation is likely to change as more guidance is released by the Government so it is important to seek up-to-date advice and make sure these changes are dealt with as soon as possible.”
The Government’s latest guidance on the reopening of restaurants, pubs, bars and takeaways from July 4 says that businesses are instructed to collect a ‘temporary record’ of all customers and visitors, to be stored for 21 days in order to assist the NHS Track and Trace programme.
Jon’s advice for ensuring personal information is dealt with properly includes:
- Update online privacy notices to include data collected for Track and Trace and prepare a short explanation explaining why it is being collected to display or share at the time of collection.
- Staff training to ensure the information is collected and stored securely and confidentially.
- Data only to be used for complying with Track and Trace unless customers have been told otherwise. It cannot be used for marketing purposes, for example, without permission.
- A system must be in place to destroy the data once it is no longer required – likely to be after 21 days.
Napthens has been offering advice to navigate the coronavirus pandemic with a specially assembled team, offering advice on employment, health and safety, signposting for funding solutions and business support.
For more information on the support available, visit the firm’s COVID-19 Hub
