Data protection warning issued to hospitality sector businesses by Clarke Willmott LLP
03 July 2020
THE MUCH-anticipated re-opening of businesses in the food and drink sector has been given the green light for Saturday 4 July. It’s a welcome decision for both those in the industry and consumers, but the re-opening of these businesses comes with additional responsibilities and requirements which specialist lawyers are warning could leave them falling foul of the data protection rules if they’re not careful.
Amy Peacey, a senior associate in the commercial team with national law firm Clarke Willmott LLP, has asserted that businesses in the sector will need to review and update their data protection knowledge and processes as a matter of urgency.
“The loosening of the lockdown restrictions comes as a welcome relief to businesses within the retail and food and drink sector,” commented Peacey. “However, the ability to re-open will impose upon business owners additional requirements they they will not have encountered before. That’s in addition to ensuring effective social distancing measures are in place for employees and customers alike.”
Peacey continued: “The Government has requested that businesses keep a temporary record of their customers for 21 days in a way that’s manageable for the business and to assist the NHS Test and Trace scheme with requests for that data if needed. Many businesses such as restaurants and hotels tht take bookings will already have systems in place for recording customer details. However, there will be several establishments like pubs and cafes that don’t currently collect customer details. They will need to change their processes.”
On that note, Peacey further explained: “Becoming data collectors means that these businesses are subject to data protection rules under the Data Protection Act 2018 and the General Data Protection Regulation. Data will need to be stored securely and only kept for a reasonable period of time. Businesses will need to think about who can access this information, how they inform customers of their policies and also about how they ensure the information given by customers is legitimate.”
It’s likely that many businesses will come across customers who will not co-operate with the Government’s proposed requirements. It’s unclear at this stage the specific obligations that will be imposed upon businesses in relation to the collection of customer data and the transfer of such data to the NHS Test and Trace scheme.
The Government is working with industry bodies and the Information Commissioner’s Office to provide detailed guidance on how businesses should design their customer data collection systems to be compliant with data protection legislation and these new requirements. The Government has said that it will provide detailed guidance to businesses “shortly”.
With the lack of guidance at this stage and many businesses looking to re-open very soon, Peacey has set out a few key points to assist businesses with their obligations under the data protection legislation.
*Businesses must make sure that any personal data collected for compliance with COVID-19 requirements is not used for any other purpose such as sending marketing communications about offers or promotions
*When collecting personal data from customers, business should only take what they need such as a name and telephone number/e-mail address
*Businesses must provide their customers with a privacy notice setting out why they’re collecting the data and what will be done with it. This will need to include (among other things) details about using the information to contact them in the event of a COVID-19 outbreak and passing the information to the NHS (if required) for the purposes of the NHS Test and Trace scheme.
*Businesses need to have in place clearly documented processes for how the operation will collect, store and dispose of customers’ personal data. They will also need to make sure that all employees are fully aware of and follow the required processes
Peacey concluded: “We’re all looking forward to life returning to as near to normal as possible and it’s great that the Government is taking these restrictive measures to allow for the safe opening of businesses, but without more guidance and businesses being stringent in their data collection procedures, this could turn into a data protection nightmare.”