A potential requirement to register on entry to pubs and restaurants brings with it concerns about the impact on data protection rights and requires the government to once again find a balance between public health and protection and minimisation of personal data.
In its coronavirus briefing at the start of this week, the government announced that while pubs, bars and restaurants are among the list of businesses which will be able to open from 4th July, there may be a requirement to register when entering so that individuals can be easily traced if they come into contact with COVID-19. In a government guidance document on keeping workers and customers safe in restaurants, pubs, bars and takeaway services which was last updated on 23 June, the government has asked venues to keep “a temporary record of your customers and visitors for 21 days, in a way that is manageable for your business, and assist NHS Test and Trace with requests for that data if needed… We will work with industry and relevant bodies to design the system in line with data protection legislation”.
The leisure industry has raised concerns about how venues will capture the data, what they should do if a customer refuses to provide their data and whether the requirement to provide details could result in fewer visits to pubs and restaurants. The government will need to provide those industries with clear advice to minimise the risk associated with this unprecedented capturing of personal data.
Issues and key GDPR principles that will need to be considered by the government and advised upon include:
- Data minimisation – venues will need clear guidance about the personal data they will be required to process for the purpose of coronavirus tracing and ensure processing is limited to those categories of personal data.
- Transparency – how will customers be informed of the data processing? Will pubs, restaurants and bars need to draft or update their own privacy policies to deal with processing of data for COVID-19 tracing purposes? Will the government provide standard wording? How will the information be made available to customers?
- Purpose of processing – do venues understand the limitations in terms of how they may use the data? Will they try to use the data collected to, for example, send marketing information?
- Data sensitivity - will special categories of data be processed? What happens if a customer arrives with COVID-19 symptoms - will those symptoms be recorded by the venue? Do venues know how to look after this kind of particularly sensitive information?
- Data security - how should venues keep the data secure, whether on paper or on a computer?
- Data destruction - will the data be securely destroyed or erased at the end of the 21-day period? Do the venues have existing processes in place that will enable them to do this?
For larger, national venues, the collection of this type of data may not be daunting if they already have processes in place relating to data protection and compliance with GDPR. For smaller venues, such as community owned pubs, it may be much more challenging to ensure they remain GDPR compliant, particularly if these are issues they have not previously been required to consider.
If you or your organisation may be affected by the requirements around data processing for coronavirus tracing purposes, or have any other data protection queries, please don’t hesitate to contact Matthew Hattersley or Florence Maxwell.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.