Natalie Barnfield and Kuan Hon from Fieldfisher explain the GDPR responsibilities of those in the hospitality industry as restrictions begin to ease.
There were reasons to be cheerful both sides of the Atlantic this 4th of July. American friends were enjoying Independence Day celebrations while the UK was enjoying a bit more of their own independence with the further easing of lockdown restrictions… perhaps most excitingly, the long-awaited reopening of our beloved pubs, bars, cafes and restaurants. Is anyone else fed up of their own cooking and desperate for a cold pint?
The UK Prime Minister’s announcement that parts of the hospitality sector (including hotels/accommodation and personal care) could reopen on 4 July will undoubtedly have brought a huge sigh of relief to landlords, restauranteurs and hoteliers. But it has left them with hefty to-do lists before they can safely reopen.
If they didn’t have enough on their plates already, as well as having to implement new safety measures like reconfiguring seating, implementing regular cleaning, facilitating online ordering, using protective screens, limiting indoor service to table only and even changing shift patterns to fix staff in teams, the hospitality sector will also have to grapple with GDPR compliance.
Within his announcement, the PM explained that reopening businesses would also be asked “to help NHS Test and Trace respond to any local outbreaks by collecting contact details from customers, as happens in other countries, and we will work with the sector to make this manageable”. While the PM only referred to “customers”, this will of course apply equally to any visitors, e.g. guests of the customer who booked the table, and indeed any other visitors to the premises.
In collecting visitor details for Test and Trace purposes, hospitality businesses will, from a data protection perspective, assume the role of “controller” and all the obligations that come with it. Strictly, there isn’t (yet?) a legal requirement for hospitality businesses to collect these details; at the moment it’s just a government request to assist the NHS in contact tracing.
This begs the question of quite how, in practice, hospitality businesses will comply with the General Data Protection Regulation (or “GDPR”) when collecting visitor data for Test and Trace purposes. The UK Information Commissioner’s Office (‘ICO’) has produced guidance on coronavirus recovery, i.e. reopening, and guidance for small hospitality businesses. But neither piece of guidance covers this particular issue, although the ICO has told the Guardian newspaper that it is “assessing the potential data protection implications of this proposed scheme and is monitoring developments”.
For some, the ask may not be a significant one. It might be that existing reservations software can be repurposed to safely house customer/visitor registers and add information about the dates and times of their visits. Some may also have existing Privacy Notices setting out how they use customer data for booking and marketing purposes. But for those smaller businesses that usually manage bookings in a physical calendar, or those that don’t take bookings at all, being asked to collect potentially large volumes of visitor contact details and visit information may present additional headaches.
Clearly, achieving gold star GDPR compliance will not be as high a priority for some as simply reopening to stay afloat. So, as with all things during a global pandemic, a pragmatic approach to compliance will be the way forward.
The government has promised to work with the sector to “make this manageable” and said that “We will work with industry and relevant bodies to design this system in line with data protection legislation, and set out details shortly”, so further guidance seems to be on the horizon. Of particular interest will be whether the guidance addresses what the sector should do in relation to visitors who will not provide any contact details for Test and Trace purposes. For the scheme to be effective, one would assume that the sector will need to refuse entry to such visitors. Private businesses can refuse entry to their premises for any reason, of course, but it’s hard to imagine all of the sector being willing to turn away business after such a lengthy hiatus solely in order to assist NHS Test and Trace.
It remains to be seen whether the government will pass a law forcing the sector to obtain such details before they are allowed to accept visitors.
How to comply with GDPR in hospitality
In the meantime, we’ve set out some simple steps to help the hospitality industry seek to be as GDPR-compliant as possible in the time available, in a list of dos and don’ts at this link. The key points are:
- Only collect what’s necessary
We expect the Government to provide further guidance as to what information is required for Test and Trace purposes, and industry should obviously be guided by that when it’s available. At a minimum, we’d expect this to include names and basic contact information as well as the date and time of each visitor’s visit. For GDPR purposes the bottom line is not to insist that visitors provide any more information than is necessary for Test and Trace purposes.
- Don’t use people’s information for other purposes
If visitors are required to provide their contact details for Test and Trace purposes, their details shouldn’t be used for other purposes. For example, Test and Trace lists shouldn’t be used for marketing unless you’ve explicitly asked the visitor for their permission for this additional use and they’ve consented.
- Keep people’s information safe
Make sure that access to Test and Trace contact details is restricted to as few people as possible and that both electronic and manual records are kept secure. Ensure that you share requested Test and Trace contact details only through official channels (i.e. to official Test and Trace teams). Beware of potential fraudulent attempts by third parties posing as NHS Test and Trace. Ensure that you are sharing Test and Trace information securely (e.g. as an encrypted attachment to an email).
- Dispose of information securely
Ensure that Test and Trace contact details are only kept for 21 days in accordance with current Government guidelines, and are securely deleted or shredded after that. If the customer has agreed to their contact details being used for marketing, you could keep those for longer (again not forever; you need to delete them after an appropriate period, making sure any marketing complies with the separate rules on direct marketing). However, you should still be deleting the dates/times of visits after 21 days.
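The retention rule above has two parts that are easy to conflate: visit dates and times go after 21 days regardless, and contact details survive only where the visitor gave a separate marketing opt-in. The following is an added illustration written for this page, not code from Fieldfisher, the ICO or NHS Test and Trace; the register layout, field names, the sample rows (using Ofcom’s reserved 07700 900xxx drama numbers) and the assumption that the 21 days count from the visit itself are all constructed for the example. Actual secure deletion of the purged rows (overwriting files, shredding paper) is outside what an in-memory example can show.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

RETENTION_DAYS = 21  # Test and Trace retention period cited in the article


@dataclass(frozen=True)
class VisitorRecord:
    """One row of a hypothetical Test and Trace visitor register.
    Field names are assumptions made for this example."""
    name: str
    phone: str
    visit_at: datetime               # date and time of the visit
    marketing_consent: bool = False  # separate, explicit opt-in for marketing


@dataclass(frozen=True)
class MarketingContact:
    """Contact details retained only because the visitor opted in to marketing.
    Deliberately carries no visit date/time: that data is deleted at 21 days."""
    name: str
    phone: str


def is_expired(record: VisitorRecord, now: datetime) -> bool:
    """True once the Test and Trace retention period has elapsed.
    Assumption: 'kept for 21 days' means the row expires when 21 full days
    have passed since the visit."""
    return now - record.visit_at >= timedelta(days=RETENTION_DAYS)


def apply_retention(
    register: Iterable[VisitorRecord], now: datetime
) -> Tuple[List[VisitorRecord], List[MarketingContact], List[VisitorRecord]]:
    """Split the register into three lists:
      keep      - rows still inside the 21-day window (unchanged)
      marketing - contact details carried forward under a marketing opt-in,
                  stripped of visit data
      purge     - rows whose Test and Trace data must now be securely deleted
    Rows with marketing consent appear in both 'marketing' and 'purge': the
    visit date/time is purged even though the contact details are retained."""
    keep: List[VisitorRecord] = []
    marketing: List[MarketingContact] = []
    purge: List[VisitorRecord] = []
    for rec in register:
        if not is_expired(rec, now):
            keep.append(rec)
            continue
        if rec.marketing_consent:
            marketing.append(MarketingContact(rec.name, rec.phone))
        purge.append(rec)
    return keep, marketing, purge


# Constructed sample register; the reference time is 26 July 2020, 12:00.
NOW = datetime(2020, 7, 26, 12, 0)
SAMPLE_REGISTER = [
    # 21 days and 16.5 hours old, no marketing consent: purge entirely
    VisitorRecord("A. Visitor", "07700 900001", datetime(2020, 7, 4, 19, 30)),
    # exactly 21 days old, opted in to marketing: purge visit data, keep contact
    VisitorRecord("B. Visitor", "07700 900002", datetime(2020, 7, 5, 12, 0), True),
    # 15 days old: still within the Test and Trace window, keep as-is
    VisitorRecord("C. Visitor", "07700 900003", datetime(2020, 7, 10, 18, 0)),
]

if __name__ == "__main__":
    keep, marketing, purge = apply_retention(SAMPLE_REGISTER, NOW)
    print("keep:", [r.name for r in keep])
    print("marketing only:", [m.name for m in marketing])
    print("securely delete:", [r.name for r in purge])
```

Run it daily against the live register (or the day’s paper sheets, by hand) and the three lists tell you exactly what may stay, what moves to the marketing list without its visit history, and what must be destroyed.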
- Tell people why their information is being collected
The GDPR requires controllers to provide individuals with certain information about the ways in which their personal data will be used. This is typically housed in a Privacy Notice provided at the point at which information is collected. Again, further guidance as to best practice for the sector may be provided in due course but, in the meantime, hospitality businesses should at a minimum seek to explain to visitors:
- Who they are
- Why they are collecting contact details and how they will use it
- How and when they will delete information
- Individuals’ rights to the collected information
See an example Privacy Notice for these purposes within the dos and don’ts list here.
Solutions for how hospitality businesses could present this information to their visitors might include posting visible signs on entry to their premises or adding the information to blackboards or A-frame menus, and drawing attention to this information when visitors arrive as well as when bookings are made online or on the phone. If feeling particularly creative, you might even consider printing it on beermats or placemats.