Restaurants, Pubs and Bars - Recording Names and Details for Contact Tracing – are you at risk of breaching GDPR?

 Restaurants, Pubs and Bars - Recording Names and Details for Contact Tracing – are you at risk of breaching GDPR?

As pubs, bars and restaurants re-open, it is great to feel that an element of normality is returning to life. However, to use the common phrase, it is very much a “new normal”. One thing which is new to many of us is a requirement to provide your name and contact details when going out for a meal or a drink. I have received quite a few telephone calls from owners of such businesses, who are worried about how they can comply with the instruction to collect this data without falling foul of GDPR rules. Accordingly, I thought it would be worth sharing some common questions, and my comments on them:

  • Do I need consent to take people’s name and details? Usually not. For most businesses, you will be able to rely on your “legitimate interests” as being the reason for collecting the personal data – “consent” is to be avoided where another legal basis is available. The ICO have provided guidance that there are specific circumstances where consent should be used though – for example where the inclusion of a person on a particular list may give an indication of a particular “special category” characteristic about the individuals. By way of example, if a person is included on the list of people who attended a religious place of worship, then this would seem to indicate the special category characteristic of their religious belief.
  • What data should I take, and how long should I keep it? Without wishing to make a political point, government Covid-19 guidance has been changing somewhat frequently lately – on that basis, the best thing to do is regularly check government guidance. The guidance in England at the time of writing is to take the lead party member’s name, telephone number and time/date of arrival, and to retain this for 21 days.
  • What information should I give people when I take their data? You need to tell people why you are taking the information, how and where you will be storing it, how and in what circumstances you will use it, and which third parties you will or may share it with. If you already have a Privacy Policy, you should update it to cover Contact Tracing. If you don’t have one, this would be a sensible time to consider putting one in place.
  • Should I check if people have given correct details? There is no obligation to do so. You may consider that if someone is being deliberately awkward about providing their details (e.g. describing themselves as “Mickey Mouse”), then this does not bode well for the likelihood of them complying with things like social distancing – however, that is a risk-based decision for you to make as you see fit.
  • Can we add the details we have taken to our marketing or mailing list? No. GDPR states that, where you have obtained personal data for one purpose, you should not then use it for a different and unrelated purpose. If you are caught misusing personal data in this fashion, you can expect the ICO to impose sanctions against you.

Hopefully this gives some initial guidance about how to approach this matter. For more detailed guidance, and for help in preparing the necessary paperwork, please contact me on 07818 253008 or 01522 542211 or emclaughlin@sillslegal.co.uk

 0800 542 4245