Author Deborah Topping of DT Information Governance
Customer Contact Tracing Scheme – Small Businesses, Pubs, Clubs…
With the easing of many of the recent social distancing restrictions, the government has asked businesses to collect details of their customers. This information will be used to help the NHS Test and Trace process and reduce the spread of the Covid-19 Coronavirus.
They have asked businesses in:
- hospitality, including pubs, bars, restaurants and cafés
- tourism and leisure, including hotels, museums, cinemas, zoos and theme parks
- close contact services including hairdressers, barbershops and tailors
- facilities provided by local authorities. This includes town halls and civic centres, community centres, libraries and children’s centres
- places of worship, including use for events and other community activities
to collect the following information where possible:
- the names of staff who work at the premises
- a contact phone number for each member of staff
- the dates and times that staff are at work
- customers and visitors:
  - the name of the customer or visitor. If there is more than one person, then the name of the ‘lead member’ of the group and the number of people in the group
  - a contact phone number for each customer or visitor, or for the lead member of a group of people
  - date of visit, arrival time and, where possible, departure time
  - if a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer
No additional data should be collected for the contact tracing purpose.
So folks, that’s it! Or is it….?
As Clear As Mud?
Whilst there is no disagreement from me that this needs to be done, it has led to some interesting interpretations of the government’s guidance.
Currently the UK Government says:
The opening up of the economy following the COVID-19 outbreak is being supported by NHS Test and Trace. You should assist this service by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your business, and assist NHS Test and Trace with requests for that data if needed. This could help contain clusters or outbreaks.
(extract from the Guidance for Restaurants, pubs, bars and takeaway services)
Open To Interpretation?
As I said, there have been some interesting interpretations, from one organisation saying “it’s a legal requirement” to those who see this as a useful collection of customers’ information for marketing. In one reported case, a staff member was caught taking copies of the information to arrange a date with a customer.
So, let’s be clear: it is not currently a legal requirement to collect the information. It’s voluntary. It’s in the wording, as the Government says “should” rather than “must”, and they did not include this in the rapidly introduced legislation or its later amendments.
It’s not even a legal requirement for a customer to leave their details to be shared. You might find that they provide incorrect details. We’ve seen examples of famous (or infamous) names dining or drinking in locations that they have never visited.
If a customer or visitor informs you that they do not want their details shared for the purposes of NHS Test and Trace, they can choose to opt out, and if they do so you should not share their information used for booking purposes with NHS Test and Trace.
(extract from the Government’s Guidance on maintaining records to support NHS Test and Trace)
And you certainly cannot use this information for marketing… unless you ask the customer at the time you collect their details (that’s another story).
There is a legal aspect to this and that is ensuring the health and safety of your staff and customers on your premises, and from my perspective, data protection (or even GDPR if you prefer).
The Data Protection Act and GDPR are ‘watched over’ by the Information Commissioner’s Office (the ICO). They have also made it clear that any misuse or abdication of your responsibilities will result in action by them.
So what does this mean for you and your business?
For many businesses this may be the first time you have collected and stored your customers’ information. You are now a keeper of a record of where someone was, and this has implications if it is misused or not managed well.
If you have not registered with the Information Commissioner, you are likely to be required to. Either because you should already be registered (and haven’t), or because it’s only £40 and will help with your demonstration of accountability. The ICO has an online self-assessment tool that you can fill in to determine if you are required to register with them.
Collecting your customers’ information fulfils two identified purposes: the first is that you are keeping a record of their visit, and the second is that you may have to share this information with the NHS Test and Trace process.
From a data protection/GDPR stance, you need to have what is called a lawful basis to do this. If you are not a public sector organisation you can do this as you have a legitimate interest.
The ICO has recently issued some guidelines on the processes required for collecting customer information.
My advice is to “Keep it simple”.
Don’t unnecessarily intrude on your customers’ privacy and don’t risk a data breach by leaving customers’ information out for others to see. And certainly don’t use it for marketing or arranging a date!
- Only collect the minimum needed. For this purpose (keeping a record of visitors), name, email address and/or phone number as well as the date and time of their booking is all that you need.
Where you use a paper system, look at creating a record that other customers cannot read. Don’t have a list at the door for customers to fill in. Think about having separate slips of paper which you staple together at the end of the day or place in an envelope with the date on.
- Keep your customers informed. Tell them why you are collecting their data. You are collecting it for Test and Trace contact tracing, and you will keep it for 21 days. Tell your staff as well, as you may need to record their names against a customer’s details if they are the only one serving that customer.
- Keep the information secure. Make sure you have steps in place to ensure only those with a strict ‘need to know’ can access that data and that it is protected from theft etc.
- Keep the data for as short a period as possible. The Government states that organisations should keep the contact details for 21 days to allow for days either side of the 14-day incubation period. After those 21 days, the information should be promptly and securely destroyed and not used for your own business purposes. That is why it’s a good idea to keep one day’s records together: it is much easier to identify the 21 days.
- Limit its use. It is unlawful to use your customers’ information for anything other than the purposes (the reasons) you have told them about. Don’t use it for marketing if you haven’t asked them. Social media platforms are full of users naming and shaming businesses. This will embarrass and damage your business. Just don’t do it!
- Have a process to verify requests to access the information. If you are asked by the NHS Test and Trace team to share information with them, verify this first. Your customers can also ask to have access to the information you now hold about them. So you need to ensure you and your staff are trained on suitable processes.
Remember, it is not your job to contact your customers if tracing is necessary – that’s the role of the NHS Test and Trace teams.
If you need any help, please get in touch. DT Information Governance can offer support, advice, training and even help you draft your customer notices.