Data protection warning for pubs taking customer details

How-can-pubs-take-customer-details-for-NHS-Test-and-Trace.jpg
Top tips: legal experts have outlined how businesses can take customer details and comply with data laws

Pubs need to be careful when taking customer details upon reopening under Government guidance to ensure they don’t fall foul of data protection laws, experts have urged.

As part of the Government's guidelines for opening, operators have been asked to take customer details to assist the NHS Test and Trace scheme.

Businesses will need to brush up on their data protection knowledge and processes quickly in order to open their doors on Saturday 4 July, national law firm Clarke Willmott senior associate Amy Peacey advised.

She said: “The loosening of the lockdown restrictions comes as a welcome relief to businesses within the retail and food and drink sector.

“However, the ability to reopen will impose upon business owners’ additional requirements they will not have encountered before, in addition to ensuring effective social distancing measures are in plan for both employees and customers."

Process change

She added: “The Government has requested businesses keep a temporary record of their customers for 21 days, in a way that is manageable for the business, to assist the NHS Test and Trace scheme with requests for that data if needed.

“Many businesses that take bookings will already have systems in place for recording customer details such as restaurants, hotels and hair salons however, there will be several establishments that do not collect customer data details currently such as pubs and cafés, which will need to change their processes.

“Becoming data collectors means these businesses are subject to data protection rules under the Data Protection Act 2018 and the General Data Protection Regulations (GDPR).

“Data will need to be stored securely and only kept for a reasonable period of time. Businesses will need to think about who can access this information, how they inform customers of their policies and also about how they ensure the information given by customers is legitimate.”

Peacey highlighted tips on how businesses can comply with data protection legislation.

Restrictive measures

This included ensuring any data collected for Covid-19 requirements is not used for any other purposes such as sending marketing communications about offers and promotions.

Pubicans should only take the details they need from customers such as a name and telephone number or email address.

Customers must be provided with a privacy notice, outlining why operators are collecting data and what they will be doing with it. This will need to include among other things, details about using the information provided to contact them in the event of a Covid-19 outbreak and passing their details to the NHS (if required) for the purposes of the Test and Trace scheme.

Operators should also have clearly documented processes in place for how the business will collect, store and dispose of personal customer data and all staff should be aware of this and follow the required procedures.

Peacey added: “We are all looking forward to life returning to as near to normal as possible and it’s great the Government is taking these restrictive measures to allow for the safe reopening of businesses but with more guidance and businesses being stringent in their data collection procedures, this could turn into a data protection nightmare.”

The Morning Advertiser has contacted the Department for Health and Social Care for further clarity on how pubs can take customer details and understands the details to ensure pub data collection is manageable and consistent with data protection legislation is currently being finalised.