All businesses in the hospitality sector, including pubs, bars, restaurants, cafés, hotels, campsites, wedding venues, museums, zoos and theme parks, have been asked to assist with Test and Trace. The Government has confirmed that this applies to any establishment that provides an on-site service and to any events that take place on its premises.
It does not apply where services are taken off-site immediately (for example, a food or drink outlet which only provides takeaways, or someone collecting a pre-reserved item). If a business offers a mixture of a sit-in and takeaway service, contact information only needs to be collected for customers who are staying in.
This guidance does not apply to drop-off deliveries made by suppliers or contractors.
Businesses should note that it remains illegal to have a gathering of more than 30 people, as released by the Government on 23 June.
For customers and visitors:
Government guidance on isolation for those returning from abroad changes regularly. While there is no requirement to check whether people attending your venue have returned from abroad, it might be prudent to remind customers when they book to consider whether they have recently returned from any countries on the relevant lists, and to check with members of their party before arriving.
The guidance explains that the way you collect information should be manageable for your business. It should be collected at the beginning of the person’s or group’s visit. The Government would also ideally like it to be collected in a digital format, although this is not mandatory. If you already take booking details, there is no need to duplicate your system.
The government guidance has said that hospitality businesses do not have to verify a customer’s identity against the information they provide. That said, it is up to business owners and their staff to decide whether a person providing false information might pose a risk to staff and other customers, and whether to offer services to them.
You need to make a risk assessment as to whether you think it might have an impact on your business if there was a discovery of an infected person at your venue.
The government guidance says that if you receive a request for information from NHS Test and Trace, this does not mean that you must close your establishment. You will, however, have to undertake a further risk assessment, and colleagues may need to isolate or take tests. This might have practical implications for running your venue, and it could also have some negative impact on your reputation.
The Information Commissioner’s Office (ICO) has provided a five-point checklist to assist organisations, which reiterates the GDPR principles:
Your visitors are entitled to be given a privacy notice explaining how you will use and protect their information, and their rights. You may wish to have a dedicated privacy notice for this processing, or would need to update your existing privacy notice to cover this. If you need assistance with your privacy notice, please contact our Information Law team.
The Government has not made it mandatory for customers to provide their data to a business in order to use its service. Customers and visitors can opt out. If a customer does opt out of providing information, then you should not share information that is collected with Test and Trace.
Test and Trace information should be securely deleted or destroyed after 21 days.
In brief, no. Test and Trace information should not be used for other purposes unless that has been clearly explained to the customer in advance (and for e-marketing in line with the Privacy and Electronic Communications Regulations (PECR)). The rules on digital marketing can be quite complicated so if you are not sure, check with a specialist data protection legal adviser.
The Government has said that there will never be a charge or purchase linked to providing the information and it will not require you to call a premium rate number, link through social media or download any software to a computer. If anyone asks you or a member of staff to do these things in connection with Test and Trace, it is probably a scam. You should report any suspected dealings to Action Fraud. The genuine Test and Trace number is: 0300 0135 000.
We suggest a staff briefing to ensure all staff are clear on your organisation’s protocol for sharing data, so that only a suitably senior member of staff provides the information to Test and Trace. This helps to avoid any mishaps or a data breach.
Your business should already have a robust system for recording and reporting breaches (and near misses) in place, so that everyone in the business knows how to react when issues occur.
If you have lost personal data, or if someone else has gained access to it, for example, because you have shared it with another party by mistake or if you have been hacked, this could be a data breach. You might need to contact the people whose data has been shared and you might need to report it to the ICO.
As such, the threshold for notifying the ICO is lower than the threshold for reporting directly to those individuals who are affected; however, similar factors will be relevant to both.
In making the assessment, consider whether the effect of the breach might include emotional distress, risk to the person’s finances or identity fraud. If you don’t think you need to report the breach, you should record your decision in case you need to justify this at a later date. Heavy fines (2 per cent of global turnover) can be applied if you get it wrong, so if you are not sure, it is wise to take legal advice. Don’t forget to notify your insurers as well. You should also notify other organisations such as the police and banks, if relevant.
This article first appeared on Open Air Business.