From 4th July many businesses in the leisure, tourism, hospitality, personal service, and places of worship have opened their doors for the first time since March when lockdown began.
These businesses have had to adhere to strict measures to ensure they are keeping customers and staff safe. They are also being asked to collect information from their customers, visitors, and staff to enable contact tracing for the NHS.
Guidance from the government has asked these businesses to keep temporary records of all staff, visitors and customers that attend their premises for a period of 21 days following their visit. This is to assist the NHS with contact tracing. The collection of information is not mandatory now but is advised to collect information where possible,
For those businesses who regularly take bookings, the collection of this data will not be a new concept, but for those that are more relaxed who do not normally collect data, they will need to have new policies and procedures put in place to collate the information.
Business will need to ensure that they comply to data protection to prevent any breaches of data protection legislation.
Compliance with Data Protection
Once data has been collected from people it must be stored in a safe manner to ensure it cannot be compromised or passed on. Once the 21-day period for test and trace purposes has passed, the data needs to be disposed of confidentially.
Any information collected electronically will need to be deleted, and information collected by paper should be shredded.
Data collected should only be used for the NHS test and tracing service. It cannot be used to market products for the organisation or be kept indefinitely.
Training must be provided to all staff members who are required to collect individual’s information, so they are fully aware what to do with the information and how to safely dispose of the information.
Businesses should display signs to explain to their customers and visitors what information they will be collecting, how long they will keep it for and how they will dispose of that information.
Data being collected
Visitors and customers – Name, telephone number, date and time at the venue and name of staff member present.
Staff members – Name, telephone number, date and time present at the venue.
For groups of visitors, the data collected can just for the group’s leader.
Some visitors or customers may not wish to provide their information; this will need to be respected due to it not being a mandatory requirement.
Information Commissioner’s Office (ICO)
The ICO will be supporting organisations over the next few months but they will not hesitate to act against any business if they discover that they are not adhering to data processing practices.
There are five key principles business must adhere to:
- Only ask for what is needed;
- Be transparent with customers;
- Carefully store the data;
- Don’t use it for other purposes;
- Erase it in line with government guidance found on www.gov.uk.