As many pubs, restaurants and bars prepare to reopen their doors on 4th July, the focus in the leisure sector turns, not only to social distancing, but also to the data that these businesses may now need to hold.
In what will undoubtedly be a change to normal habits, businesses are being asked to support the NHS Test and Trace system and record their customers’ details. Many of these businesses will not have had to store such data before so what might you need to record and what measures do you need to put into place to manage the data you hold?
Businesses supporting the NHS Test and Trace system will ask customers to provide certain pieces of information so that contacts can be traced should someone who later tests positive for COVID-19 be identified as having visited their premises. The exact information to be collected is still to be confirmed; however, it is likely that businesses will need to retain a temporary record of visitors for a period of three weeks, something which businesses such as pubs will never have had to do previously. Any data collected will need to be:
- clearly explained to customers with a privacy notice available to all
- processed in a lawful way
- kept safe and accessed only by people who need to access it
- used only for the purpose for which it was collected. You will not, for instance, be able to use contact data gathered for the NHS Test and Trace system to market to those customers, unless that further use was clearly set out when the information was collected
- only retained for as long as necessary
All businesses will already hold basic personal data about their employees, such as contact details and bank details, in order to pay them. Some businesses are considering (or have already implemented) temperature testing as employees enter the workplace, to establish whether anyone has a raised temperature and may need to be tested for COVID-19.
Under the GDPR, health and medical data is classified as ‘special category data’, which means additional safeguards are required to ensure you are compliant. To process ‘special category data’ you must be able to satisfy two legal grounds: a lawful basis for the processing (Article 6) and, separately, one of the specific conditions for special category data (Article 9), each from a prescribed list. For employers intending to collect employees’ health data, the most relevant two are that the processing is:
- necessary for the purposes of the legitimate interests of the controller
  - i.e. it is in your interest to protect your employees, customers and suppliers, and to prevent the spread of coronavirus
- necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
  - under the Health and Safety at Work Act 1974, you have a general ‘duty of care’ for staff, customers and anyone else who visits the workplace. This means you must do all you reasonably can to support their health, safety and wellbeing
The general rule is that you should not keep personal data for longer than is necessary. ‘Necessary’ isn’t defined within the GDPR, and it is up to you to decide (and to justify that decision) how long it is necessary to keep the data. Temperature results should not need to be kept for a particularly long time, given that temperatures are likely to be taken regularly in order to decide whether an employee is safe to work that day; a few weeks is likely to be enough, and keeping the information for longer is likely to raise questions. Customer information will need to be kept for as long as the Test and Trace scheme requires. Whatever period you decide on will need to be documented.
Practical steps to take now
- Carry out a data protection impact assessment (DPIA)
The DPIA will need to record the nature and purpose of the processing, assess its necessity and proportionality, and identify the risks to data subjects and the measures to mitigate those risks. A DPIA is not required in all circumstances, only where the processing is likely to result in a high risk to data subjects. You should consider carrying one out if you are collecting employee health data, but it may not be required if you are simply collecting customers’ names and contact details.
- Carry out a legitimate interests assessment (LIA)
There is no requirement to carry out an LIA; however, it is best practice to do so and will make it easier to demonstrate compliance with your accountability obligations under data protection legislation. The LIA should set out your legitimate interest, why the processing is necessary to achieve it, and whether that interest is outweighed by the data subject’s interests, rights and freedoms.
- Update your external and internal (employee) privacy policies
Your customer and staff privacy policies should be updated to describe the new processing activities, including the fact that the data subject’s data may be shared with the NHS Test and Trace service.
- Implement an appropriate policy document
If you are an employer planning to carry out employee temperature testing and intend to rely on the employment, social security and social protection condition for processing special category data, you are required to have in place an appropriate policy document. That document should explain how you comply with the data protection principles in relation to this data and set out your retention and erasure policy for it.
For help and advice for your business in relation to the issues raised above, contact firstname.lastname@example.org.
For more information on the guidance available for restaurants, pubs, bars and takeaways, please click here.
For details on the NHS Test and Trace system, please click here.
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.