COVID-19 Secure Guidance for Hospitality Industry: data protection must be part of your risk assessment
Hospitality businesses across the UK are conducting risk assessments and implementing ongoing health and safety measures to re-open in a Covid-19 secure way. The government has confirmed that collecting and using personal data effectively is vital to re-open and then stay open.
In its guidance specific to restaurants, pubs, bars and takeaway services, the UK Government has expressly placed a responsibility on businesses to use personal information as part of the national recovery effort: “the opening up of the economy following the COVID-19 outbreak is being supported by NHS Test and Trace. You should assist this service by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your business, and assist NHS Test and Trace with requests for that data if needed”.
When we must use personal data, we must also comply with data protection law, even during the pandemic (as confirmed by the ICO, the UK data protection regulator). The ICO will expect to see that hospitality businesses have thought about the data protection risks generated by return-to-work health and safety measures, and have taken documented action to mitigate those risks.
Hospitality businesses should think about the following key data privacy obligations and risks:
— Transparency: it is unlikely that customer and employee privacy notices contain enough detail about prospective use of personal data in relation to managing the risk of transmission. These should be updated and affected individuals notified.
— Collecting information: under the GDPR, you can only collect the minimum personal data required to achieve the underlying purpose of collection. You must, therefore, consider what information you genuinely need from customers and employees to satisfy the objectives set out in your risk assessment.
— Sharing information: information related to the virus is usually inherently private to those who have provided it to you. Internally, consider need-to-know access protocols for different situations. For example, while an infected individual does not need to be identified for you to warn colleagues, management/HR will need to keep named records of those unable to come to work because they are self-isolating or clinically vulnerable. Consider also how you will share information about infections with NHS Test and Trace in a secure manner.
— Compliance documents: the ICO has confirmed that it expects most organisations to carry out legitimate interests assessments and data protection impact assessments before businesses re-open.
— Special category personal data (SCPD): information which you collect as part of health and safety monitoring will inevitably contain health and medical information, which is considered SCPD under the GDPR. Additional restrictions and obligations therefore apply – in particular, businesses will likely need to update their “appropriate policy document” to record which formal legal basis they rely on to use SCPD, update relevant retention periods and list applicable security measures.
We have advised numerous UK hospitality businesses on re-opening safely already and are here to help. Please speak to Kathryn Gilbertson or Lucas Atkin if you require assistance or want more information.