With the gentle easing of lockdown restrictions, hospitality and retail businesses have been given the go-ahead to reopen, but only on the basis that they keep temporary records of customer information to help track and trace the spread of coronavirus.
Whilst giving your name and email address to enjoy a pint in a pub might seem like a reasonable exchange, without a centralised system, is your data really safe?
Track and trace
Whilst the idea of the NHS track and trace scheme is simple, the execution is actually quite difficult. Hospitality businesses such as pubs, cafes and restaurants as well as museums, hotels, cinemas, hairdressers and zoos are expected to collect information about every single person that visits their site, in case of an outbreak.
Personal data such as phone numbers, email addresses and arrival and departure times will be collected and stored by businesses for 21 days. But the lack of clarity on where and how the information will be stored has prompted concerns about information ending up in the wrong hands.
With the dark web market for flogging names, addresses, passwords and bank accounts now worth £3 billion, it is clear that access to data is a lucrative underground business. Yet with no real warning, publicans are being forced into the uncomfortable position of becoming data controllers overnight.
The fines for data misuse aren’t cheap. In fact, according to Magnus Boyd, a Privacy Lawyer and Partner at Schillings, if companies are found to have breached General Data Protection Regulation (GDPR) laws, six-figure fines are likely. He commented,
“There’ll be a commercial advantage for those pubs that have the right systems. Breweries that run a series of pubs could have a dedicated server, but where they can’t, people are going to be relying on pen and paper or forms.”
What should businesses do?
With many pubs and restaurants having no existing infrastructure to support the collection of data on such a large scale, and limited time and money to implement suitable systems, the advice from experts is to keep it simple.
Rowenna Fielding, Head of Individual Rights and Ethics at Data Protection Consultancy Protecture, commented, “Based on my experience I suspect a lot of people will over-interpret and collect too much because they’re scared of not doing enough.”
If possible, opt for apps such as Guest Visit, which are accredited by the Data and Marketing Association (DMA) and offer a simple, secure and GDPR-compliant solution. These kinds of apps work by the customer scanning a QR code and entering their name, email and phone number. The system doesn’t allow the business any access to the data for further marketing, and the data is only used in the event of an NHS test and trace request.
Advice to businesses:
- Don’t take more information than you need
The required data is the customer’s name, phone number or email and the date and time of their booking.
- Tell your customers why you have to collect their details
Full transparency is required by data protection law and will be appreciated by customers.
- Keep the information secure
Make sure it cannot be viewed by others. If possible, use an online system rather than pen and paper, as paper records can easily be lost or stolen.
- Keep the data for the shortest time period possible
The UK government says that businesses should keep a temporary record of visitors for 21 days.
- Delete the data securely
Throwing paper into a bin is not sufficient as it could lead to a data breach. Deletion of data must be undertaken securely.