Select Page

by | Jul 2, 2020 | Coronavirus COVID-19

Covid-19 track and trace in hospitality. 10 steps to compliance

By Duncan Reid Consultancy

Deserted Streets. Boarded up shops. Silent Hotels and empty restaurants. These are the post-apocalyptic scenes we’ve become used to seeing in our once thriving and bustling hospitality hotspots.

But the sleeping giant of the hospitality and leisure industry is starting to awake. Everywhere you look, the streets are being reclaimed, hoardings are coming down and it seems like every pub, café & eatery is getting a fresh lick of paint in readiness for the easing of lockdown.

The early days are bound to be fraught with uncertainty as staff, owners and public alike all get used to new ways of working and challenging unacceptable behaviours but one of the main changes apart from the physical clues of PPE, sanitiser and screens is the guidance from the Government to keep name and address details of all customers for 21 days to help with NHS Track and Trace efforts should any cases come to light. 

It’s easy to think of this measure just in the troubles your front of house staff might have getting these details in the first place if you don’t already run an exclusive booking system but did you also think about what this means in terms of data protection? Because all of a sudden, you’re going to be keeping some quite personal data about all your customers and just keeping it as a sign-in sheet on your desk is not going to cut the mustard.

Cast your minds back to early 2018 and the advent of GDPR. Regardless of Brexit, The European General Data Protection Regulation has passed into UK Legislation as part of the Data Protection Act 2018. GDPR was complained about by many, as yet another legislative overhead on the SME sector but really, it’s all about bringing existing legislation up to date. After all, when the original Data Protection Act was implemented, we didn’t all carry smartphones and freely allow our data to be slurped, used and abused by a myriad of businesses, large and small.

Data protection is actually about reasonableness and common sense. If something feels excessive then it probably is. The main thrust of GDPR is to collect as little data as possible, to have a really good reason for it (there are six lawful bases for processing data under GDPR. And yes, simply storing names and addresses counts), not to pass it around and to delete it once you no longer need it.

Of course, there’s more to it than that but get the basics right and you won’t go far wrong. Remember, there’s always guidance available from the UK Data Protection Enforcer who are genuinely helpful to organisations that are looking to do the right thing.

Follow our top ten steps to Covid compliant Data Protection so you can get on with greeting your returning customers

1. Decide just how you’re going to collect and store this data. Pen & Paper? Tablet App? Smartphone App?

2. Think about are how easy and quickly you can collect the data and how securely you can then store it. How will you access it if the NHS require it?

3. Consider where the data is stored if in the Cloud or managed through a 3rd Ensure it’s stored within the EU or an approved country with an EU adequacy decision.

4. Do you know what lawful basis you’re going to use to collect this data? Lots of people assume Consent is the easiest one as the customers must give consent for the data to be collected in order to be allowed in. But GDPR frowns on coerced giving of consent and insists that Consent can be freely withdrawn.

So, the basis of Legal Obligation would be far more appropriate given that the 21-day rule comes from Government regulation. This then requires no consent on the part of the customer and is simply a condition that your front of house staff can insist on for entry.

Don’t even think of using this data for anything other than the Track and Trace reason you collected it! If you want to add customers to your mailing list, then you need to make this clear and get separate consent.

5. As you’re changing how you deal with data, conduct a DPIA – A Data Protection Impact Assessment – it doesn’t have to be lengthy but needs to show that you’ve considered what risks collecting the data poses to the individual. Then record it for safekeeping. 

6. You should already have a Privacy Policy. Don’t forget that you need to amend this to reflect the additional Data that you collect, retain and – potentially – share.

7. Make sure your Privacy Policy and Procedures covers what happens if and when the NHS Track and Trace Team come knocking to find out who was in your premises one evening.Do staff know how to access the data? Which Staff? How is access authorised? Who are they authorised to share it with and how?

All these questions should be clearly answered in your documentation so you can show that you’ve considered what data you hold and that you understand the implications that data has for the rights & freedoms of the individual.

8. Don’t forget to include secure deletion/destruction in your Policy and Procedures. How are you going to do it? What’s the trigger?

Remember, you shouldn’t retain data for longer than absolutely necessary and the Track and Trace data is for 21 days. The ICO probably wouldn’t be concerned about it being kept for say, 28 days, for documented operational reasons but would certainly take a dim view of anything much beyond that.

9. Does your establishment welcome Children? Be aware that GDPR places extra care around children’s data.

10. Don’t forget to display or provide privacy notices explaining to customers how and why their data is being processed. Explaining how long it’s being kept for and how awesome your security and practices are would be a great idea at this point. How can you turn this into a marketing positive?

It sounds scary but it really isn’t. The chances are that most of you have already got the bulk of your Covid procedures in place, certainly if you’re using Foursquare’s Covid-Safe pack, but this is one extra thing to make you’re considering correctly. And who’s going to notice yet another Privacy sign behind the sanitiser, splash screens and potted plants?

This may well be the face of our industry for some time to come but take each day with a smile and our nightlife will soon be bustling with that unique Mersey vibrancy once again!


Guest Author: Duncan Reid of the Duncan Reid Consultancy ( specialises in online Search & Privacy, assisting businesses achieve great visibility through the dark arts of Search Engine Optimisation. He also regularly inspires start-up businesses through Social Media Workshops and is also an accredited Auditor for the GCHQ-led Cyber Essentials PLUS & IASME Information Governance Standards.

He prefers to be powered by caffeine, real ale and pizza and is looking forward to being able to indulge again in many of the fabulous establishments Merseyside Hospitality has to offer.

Follow us on social media for more news, blogs and info.