As of 14th August 2020, the Scottish Government made the requirement to obtain information about visitors to hospitality premises law and not just guidance. It has also published guidance to assist with this. This is a summary and explanation of the current position on collecting and holding data.
Sectors the guidance applies to
This guidance applies to any hospitality premises providing an on-site service, including pubs, restaurants, hotels and cafes. It covers indoor areas and outdoor areas such as a beer garden or street café. It does not apply where the food and drink are taken off-site immediately, such as where a premises only offers takeaway or offers takeaway as an option. Therefore, if a premises offers both sit-in and takeaway service, contact information only needs to be collected for customers who are sitting in.
Registration with the Information Commissioner’s Office
In order to gather and store customer information securely, businesses may need to be registered with the Information Commissioner’s Office (ICO). We can assist with this if you are not sure about whether you need to be registered or how to register.
It is important to ensure data is collected and handled in line with data protection laws. A privacy notice should be displayed on the premises explaining this.
Information to collect
The following information should be collected by the venue, where possible:
Staff – the names of staff who work at the premises; a contact phone number; the dates and times staff are at work; where possible, keep a record of what areas staff work in.
Customers and visitors – the name of each customer (when customers are attending as a small household group, only the contact details for one member of that group – a ‘lead member’ – are needed, but a note should then be made of how many other people, not separately recorded, visited as part of that household); a contact phone number for each customer or for the ‘lead member’; date of visit and arrival; if possible, departure time; where possible, record table numbers or sections where customers were seated.
If a customer does not have a telephone number, businesses may give customers the option to provide a postal address or an email address.
How to collect data
Information should be recorded digitally if possible, but a paper record is acceptable too. Writing customer details in a book or register and destroying these when the retention period is over is acceptable so long as the register is kept out of public sight and stored securely. Similarly, digital records must be securely deleted at the end of the 21-day retention period. Staff need to be identified and appropriately trained for this.
To minimise the risk of virus transmission and any likelihood of other people seeing the personal data, any written information must be noted by a designated member of staff and not by each individual customer or group.
If someone does not wish to share their details
It is within the rights of individuals to request to access the data held on them, or to request that it is corrected. In those circumstances, businesses should comply with such requests.
There is no legal requirement that individuals must provide their data for NHS Test and Protect purposes. However, if the individual still does not want to share their details then premises should refuse to offer the service requested. Employers should make clear to their employees the approach that they wish them to take in these circumstances.
How to store data securely
Once the premises has the customer data, it is a data controller. The customer data cannot be shared except with public health officers or with customers if they want confirmation of what data is held on them by the premises. All customer data should be stored securely and in adherence with the requirements of the GDPR.
Premises have to hold customer and staff data for at least 21 days from the date of each separate visit of a staff member or customer.
How to dispose of data
Paper information can be shredded or securely disposed of after the 21-day retention period is over. Premises using an electronic system must ensure data is deleted and not retained beyond the 21-day period.
The information and opinions contained in this blog are for information only. They are not intended to constitute advice and should not be relied upon or considered as a replacement for advice. Before acting on any of the information contained in this blog, please seek specific advice from Gilson Gray.