Boris Johnson announced on 23 June 2020 that lockdown restrictions will be eased from Saturday 4 July 2020 (dubbed “Super Saturday”), allowing certain businesses, including bars, restaurants and hairdressers, to re-open in the UK.
The opening up of the economy has in part been made possible by the NHS Test and Trace service, which aims to help contain clusters or outbreaks of the virus by contacting those who have come into close contact with an individual who has tested positive for it. The UK Government’s guidance, Keeping workers and customers safe during Covid-19 in restaurants, pubs and takeaway services, asks businesses to assist the NHS Test and Trace service by keeping a temporary record of customers and visitors for 21 days and to respond to requests for that data if needed. Although this is not mandatory, there is a responsibility that comes with this recovery phase and it is very clear businesses play a vital role.
Assisting the NHS Test and Trace service will mean that all businesses, many of which have little or no experience of dealing with personal data, will be data controllers for the purposes of data protection and will have to comply with the requirements of data protection law, even under the current circumstances. Compliance is likely to be much easier for larger businesses whose existing infrastructures are set up to support data collection. Smaller businesses will undoubtedly have a harder task to ensure they do not inadvertently breach existing data protection laws.
So what do businesses need to know?
We’ve set out our top 6 data protection tips and recommendations businesses should consider ahead of re-opening this Super Saturday:
- Keep it to a minimum. You must only collect the minimum amount of data that you need to achieve the purpose. For the purposes of NHS Test and Trace, this is likely to mean you will need to keep the customer’s name, contact details (such as a telephone number or email address), and the date and time of their booking.
- Limit the amount of data you keep. The UK government has advised businesses to keep a temporary record of customers and visitors for a period of 21 days. Unless you have another reason to hold on to the data, you should delete it after this period has ended.
- Do not use the data you collect for any other purpose. If you have collected data for the purposes of contact tracing, you cannot use that same data for an unrelated or unexpected activity, such as marketing. Ensure that you collect any marketing consent separately from the data you collect for contact tracing.
- Keep the data secure. You must ensure that the data you collect is kept secure, both against external threats (e.g. malicious hackers) and internal threats (e.g. poorly trained employees). You must also ensure that you dispose of the data in a secure way, such as shredding paper records before throwing them away.
- Do not hide a data breach. Any data breach must be dealt with quickly and efficiently to minimise the harm to affected individuals. If you suspect that a data breach has occurred (or is occurring), then you must report it to the ICO within 72 hours. Failing to notify a breach when required to do so can result in a heavy fine of up to €10 million or 2% of your global turnover.
For an update on all the legal implications relating to Coronavirus please see here.
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.