Calls for clarity on pub customer data and NHS Test and Trace

How-do-pubs-keep-customer-data.jpg
Swift clarification needed: the Department of Business, Energy and Industrial Strategy (BEIS) said it will design a data protection system to guide pub operators.

The pub sector has asked for prompt clarification of how operators should collect and keep data from customers after the Government requested venues to do so in a bid to support the NHS Covid-19 contact tracing system.

The Government’s guidance, Keeping workers and customers safe during Covid-19 in restaurants, pubs, bars and takeaways services​, was published after Prime Minister Boris Johnson announced on 23 June that pubs would be allowed to reopen from 4 July.

The 43-page document​, prepared by the Department of Business, Energy and Industrial Strategy (BEIS), states that pubs should assist the NHS Test and Trace service, which contacts those who have come into close contact with an individual who has tested positive for coronavirus. However, this is not mandatory and only guidance.

The document explains: “You should assist the Test and Trace service by keeping a temporary record of your staff shift patterns for 21 days and assist NHS Test and Trace with requests for that data if needed. This could help contain clusters or outbreaks.”

The guidance also asks pubs to assist the Test and Trace service by keeping a temporary record of staff shift patterns for 21 days.

BEIS has said a system will be designed in line with data protection legislation through collaboration with industry bodies and that details will be outlined “shortly”.

Pub trade bodies have said additional guidance is needed immediately in order to quash operator concerns that they may inadvertently breach existing data protection legislation.

Unfamiliar territory 

Some operators shared their alarm over the lack of clarity on social media, saying that while many pubs may collect data already it is unfamiliar ground for others. Charities including Liberty have also said questions need to be answered on how customer privacy will be protected.

The British Beer & Pub Association (BBPA) said it had significant concerns over the collection and storage of personal customer data. It said it would work with ministers to develop a practical system that helps the NHS with reducing the spread of coronavirus.

Data watchdog the Information Commissioner's Office (ICO) is monitoring the plans. 

Lawyers from Keystone Law told The Morning Advertiser (MA) that there could be several challenges for operators when asking for and storing customer data.

Niall McCann, licensing and regulatory lawyer at the firm, explained: “It’s not a legal obligation on any pub visitor in the UK to provide their details so there is no ‘forcing factor’ here.

"The guidance states that you ‘should’ rather than ‘must’ obtain data but it will be interesting to read to further details when they are released. How this can work for a busy ‘vertical drinking’ pub is a mystery.”

Not for marketing

Vanessa Barnett, commercial and intellectual property partner at the same firm, added: “There will be all the ‘normal’ challenges which come with data protection compliance: where’s it kept, how secure is it, who has access to it, etc. The behind the scenes updating of the data protection compliance documents, and updating the pub’s privacy policy, etc. But the larger challenge may well be the more human aspect of it: making sure that each customer understands why it’s being collected, that everything is very transparent.”

“As the guidance outlines, after 21 days, someone will need to press delete! As an aside, this log is for a specific purpose too – to aid track and trace – it’s not a new way of getting new marketing emails. So be careful not to do that by accident, that systems used to store customer information don’t cross-populate.”

A BEIS spokesperson said: “We are consulting with the hospitality sector on the design of a data collection system that is in line with strict data protection legislation and will set out details shortly.

“Many businesses like hairdressers and restaurants already record customer data through bookings. Businesses will temporarily be required to hold customer information like a person’s name and phone number so they can help the NHS Test and Trace Service if there is ever a local outbreak.

Vanessa Barnett, commercial and IP partner at Keystone Law outlines the potential challenges of taking and keeping customer data:

“When thinking about uses of personal data, the first question we need to ask is why have I got this and what am I doing with it? And then you need to hook one of the permitted reasons from the GDPR onto it. There are six of these permitted reasons (each known as a “lawful basis”) including these two: needing to use the data to comply with the law, or using the data because you’ve got a legitimate reason for doing so and there’s no reason that an individual’s rights should override that.

"So the first question each pub must ask is this: What’s my lawful basis for keeping my track and trace log of employees and customers?

"The ICO’s view – although we still await their formal confirmation of this - is that because the guidance is expressly “non-statutory”, keeping the log is not something a pub is doing to comply with the law. So the only lawful basis the pub can rely on is having a legitimate reason for keeping the log, relying on what’s called the “legitimate interests” lawful basis.

"What this means in practice is that each pub has had an additional layer of compliance added to their ‘day job’ when they least needed it: to rely on legitimate interests you need to perform a three stage legitimate interests assessment and document it (once for customers, once for staff). If you don’t do that, you’ll be in breach of the GDPR.

"Frankly a more satisfactory outcome would have been for the government to make this mandatory for an initial period, to remove a layer of complexity for pubs.”