The burden on the hospitality, leisure and tourism sectors increased dramatically last Friday (25 September) with the government making it mandatory to collect customer information for the NHS Test and Trace programme. Until Friday, patrons were not legally required to provide their details, though businesses were encouraged to collect them.
Businesses collecting customer data - many of them small - have to register with the Information Commissioner’s Office (ICO), which will charge them fees ranging from £40 to £2,900. The new government demand opens all these businesses to scrutiny of how they handle customer data and to the threat of prosecution by the ICO, which has many powers including fines and even criminal action for non-compliance.
Many smaller businesses will struggle to meet contact tracing requirements starting this week. They are expected to act quickly to comply. But they need to be careful to protect the personal data that they are collecting. Here are five tips to help restaurants manage data.
1. Only collect the data you need, nothing more
Only the required information should be collected and stored for Test and Trace. This includes arrival time and, where appropriate, departure time. Knowing these times helps reduce the number of people who have to be contacted if it is necessary to trace people later.
2. Let customers know what you are doing with their data
Make sure you display a privacy notice, making it clear exactly what you are doing with customer data. When you re-use advance booking data to speed things up, you have to let customers know you are doing this. When you’re asking for their data, customers must be told why their data is being collected, how it will be protected and how long it will be kept. It should also be made clear that it will be shared with the NHS Test and Trace system when required.
3. Don’t forget to delete the data
Data held for Test and Trace must be deleted after 21 days, so businesses need to put a process in place to remove older data regularly. They might also record on a simple log that each deletion has taken place, so that someone else can monitor the process without needing access to the data itself.
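The retention step above is easy to get wrong in two ways: records are kept past the deadline, or the "simple log" ends up containing the very names and phone numbers it was meant to keep out of sight. The following is an added illustration, not code from the article or from any Test and Trace system: a purge routine that removes check-ins once they are 21 days old, and writes an audit entry that carries only counts and timestamps. The record layout, the `CheckIn` class, and the sample customers (fictional names and numbers from the reserved 07700 900xxx range) are all constructed for this example.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Retention period from the guidance: Test and Trace data is deleted after 21 days.
RETENTION_DAYS = 21


@dataclass
class CheckIn:
    """One customer check-in. Only the fields Test and Trace needs are stored
    (hypothetical layout for this example)."""
    name: str
    phone: str
    arrival: datetime
    departure: Optional[datetime] = None


def is_expired(record: CheckIn, now: datetime, retention_days: int = RETENTION_DAYS) -> bool:
    """A record is due for deletion once it is retention_days old or older.
    Treating 'exactly 21 days' as expired means nothing is kept past the deadline."""
    return record.arrival <= now - timedelta(days=retention_days)


def purge_expired(records: List[CheckIn], now: datetime,
                  retention_days: int = RETENTION_DAYS) -> Tuple[List[CheckIn], Dict]:
    """Drop expired records and build an audit entry that holds only counts and
    timestamps, so a manager can confirm the purge ran without seeing customer data."""
    cutoff = now - timedelta(days=retention_days)
    kept = [r for r in records if not is_expired(r, now, retention_days)]
    audit = {
        "run_at": now.isoformat(),
        "cutoff": cutoff.isoformat(),
        "removed": len(records) - len(kept),
        "retained": len(kept),
    }
    return kept, audit


def audit_entry_is_pii_free(entry: Dict, records: List[CheckIn]) -> bool:
    """Guard against the audit log leaking personal data: no name or phone number
    from any record may appear in the serialised entry."""
    text = json.dumps(entry)
    return not any(r.name in text or r.phone in text for r in records)


def sample_records() -> List[CheckIn]:
    """Constructed sample data (fictional names and numbers) for the demonstration."""
    utc = timezone.utc
    return [
        # 26 days before the sample 'now': expired
        CheckIn("Alice Example", "07700 900001",
                datetime(2020, 9, 20, 19, 0, tzinfo=utc),
                datetime(2020, 9, 20, 21, 30, tzinfo=utc)),
        # exactly 21 days old: expired
        CheckIn("Bob Example", "07700 900002", datetime(2020, 9, 25, 12, 0, tzinfo=utc)),
        # 20 days 23 hours old: still within retention
        CheckIn("Carol Example", "07700 900003", datetime(2020, 9, 25, 13, 0, tzinfo=utc)),
        # yesterday: still within retention
        CheckIn("Dan Example", "07700 900004", datetime(2020, 10, 15, 18, 30, tzinfo=utc)),
    ]


def run_sample() -> Tuple[List[CheckIn], Dict]:
    """Run the purge at a fixed 'now' so the outcome is reproducible."""
    now = datetime(2020, 10, 16, 12, 0, tzinfo=timezone.utc)
    return purge_expired(sample_records(), now)


if __name__ == "__main__":
    kept, audit = run_sample()
    print(json.dumps(audit))  # the line that goes in the deletion log
    print(f"{len(kept)} record(s) still within the retention period")
```

Run on a schedule (a daily task is enough), the JSON line from each run is the whole log: anyone checking that deletions are happening sees dates and counts, never a customer record. The `audit_entry_is_pii_free` check is worth keeping as a test so that a later change to the log format cannot quietly start copying customer fields into it.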
4. Use appropriate ways to capture and store check-in data
Think about how the check-in will work at your premises and what will be practical for your customers, remembering that not all customers may have smartphones. An advance booking system might be desirable to control numbers and maintain distancing. Businesses must now register for and display an NHS Test and Trace QR code for their premises. This gives customers the option to check in by scanning the code, but not all customers will be able to use it. Having customers complete a form themselves, whether online or on a check-in card, helps ensure that the information is accurately captured; asking staff to write down details or enter them into a system is more prone to error. It may seem easy for a small business to collect customer check-ins on a sign-in sheet, but that does not protect the data from misuse and exposes the contact details collected to other customers. Simple check-in cards may be practical in some settings, and they are a good way for customers without a smartphone to provide their details.
5. Set up staff protocols and train staff
Businesses have to make sure customer data is kept secure so it cannot be accessed or abused. It also cannot be used for other purposes, such as marketing. This involves what privacy professionals call technical and policy controls. Technical controls include limiting access to the systems so that only appropriate staff can reach customer information. Policies should be published explaining how staff can prevent the abuse of the data. Make sure to arrange staff training so everyone understands what they need to do.