“A pint of beer and a packet of crisps, Sir? That’ll be £3.90 and your personal data please.”
For some businesses, such as restaurants and pubs, the government is also intending to place an additional obligation. The guidance document states:
“The opening up of the economy following the COVID-19 outbreak is being supported by NHS Test and Trace. You should assist this service by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your business, and assist NHS Test and Trace with requests for that data if needed. This could help contain clusters or outbreaks.”
This new requirement to collect and store personal data, alongside encouraging or compelling customers, clearly raises data protection and privacy implications.
In a statement to the House of Commons on 23rd June 2020, Boris Johnson said, “We will work with the sector to make this manageable.” Speaking to the Guardian newspaper the next day, the Information Commissioner’s Office (ICO), said it was “assessing the potential data protection implications of this proposed scheme and is monitoring developments”. With a week to go before the new rules come into force, both need to get a wriggle on!
Reaction on to the Prime Minister’s statement on social media was nothing but predictable. People immediately started discussing which fake name they would use rather than hand over their personal data. Dominic Cummings and Matthew Hancock seem popular choices.
As we publish this blog, there have been no changes in legislation and no further emergency COVID-19 regulations. Nor have any changes to licensing laws been proposed in order to enforce the collection of this data.
So how can a restaurant manager or pub landlord justify collecting personal data in these circumstances? Let’s consider the lawfulness conditions under Article 6 of GDPR for processing data. If a business will not allow someone to dine or drink in its premises unless a name and address is recorded, they cannot use consent as their condition for processing. The customer is not freely giving their data as they have no real choice if they want to use the premises. There is no contract between the parties at the stage of entering the premises. There’s no statutory requirement in law to demand it or any official authority for businesses to require it. No-one is going to die immediately if the data is not handed over so vital interests cannot be used.
Unless emergency legislation is passed in the next week it appears businesses will have to rely on the “legitimate interests” condition under Article 6 to collect and process the personal data of customers.
If businesses decide it is in their legitimate interests to collect customer contact data, they also need to demonstrate fairness and transparency to meet the requirements of the first data principle. This brings us to Privacy Notices. A quick sampling of my local pubs showed only 3 out of the 10 currently have Article 13 compliant Privacy Notices on their websites. All three were part of national chains. The more local independent pubs do not appear to have a Privacy Notice on their website. How will these pubs explain to customers why they want their data and what they are going to do with it? Perhaps there will be signs to be read upon entering.
Security of the Data
One of the biggest risks to businesses is not keeping this newly collected personal data secure, which could result in the possibility of a data breach under GDPR. Under Article 32 the business needs to take appropriate organisational and technical measures to keep the data secure. Devices will need to be password protected if not encrypted. Access will have to be controlled. New security policies and procedures will need to be put in place by next week.
In addition, all staff will need to be trained, quickly, regarding handling this newly collected data. Stories have already surface in New Zealand, after this system was introduced there, of female customers being harassed by staff who had taken their details from the contact list.
The government has said that businesses need to keep customer contact data for 21 days. This raises more questions for businesses to consider. How will this be implemented?
Do systems allow this retention period? How will paper records be disposed of securely? There’ll be a run on shredders soon!
The government is also asking pubs and restaurants to use apps to enable customers to order at their tables thus limiting contact with others. The Wetherspoons chain has had such an app for ‘table service’ for some time. We know the government likes apps but they too need to be GDPR-compliant.
Furthermore those customers who are unwilling or unable to comply with the new requirements, whether because they object to the collection of data, do not have ID documents or are economically excluded as they do not have smartphones and/or bank accounts face discrimination as they will be unable to access the social spaces that are pubs and restaurants. There could be challenges against such measures on this basis.
Trust and Burden
Ultimately it will be down to individuals as to whether they care about their data enough or would prefer a pint or a pie after 3 long months. It may be that they trust their local restaurant and landlord with their data. Some individuals will decide it’s just not worth the hassle and risk for the sake of a socially distanced Sunday lunch.
Some small businesses may decide that the requirement to processes customers’ personal data in a GDPR complaint way is too much of a burden considering they have 8 days to prepare on top of re-opening, getting staff back and trained and making their premises COVID-secure.
Our GDPR Essentials E learning course is designed to teach frontline staff essential GDPR knowledge in an engaging, fun and interactive way. In just over 30 minutes staff will learn about the key provisions of GDPR and how to keep personal data safe.