From yesterday (19 July) hospitality venues can legally choose not to operate the NHS Covid-19 app or other check-in mechanisms.
While the NHS is responsible for managing the data collected by check-in via its Covid-19 app, any other Test and Trace data is the responsibility of the venue.
“For those customers without the app, whose details were taken with paper and pen, for example, venues must be sure their data is deleted after 21 days. It would be wise to have a deletion log recording the regular tidy up of data,” says Andrew Sharp, practice lead at data privacy consultancy Securys.
Using the NHS app where possible is recommended as it allows venues to avoid having to collect and manage sensitive health data, which is strictly regulated by the Data Protection Act.
Many restaurants and pubs were caught out after the first lockdown eased last year when some QR code-providing companies sold on sensitive customer data.
“This opened those businesses up to being fined as they have a duty to hold the data safely and to use it only to support Test and Trace,” continues Sharp. “One such example was Tested.me, fined by the ICO after it sent nearly 84,000 nuisance emails between September and November last year after collecting those email addresses via a QR code required for entry to premises.”
Sharp recommends that if venues want to start asking for proof of vaccination as a condition of entry, they should check that proof via the NHS app, which is different to the NHS Covid-19 app, and not record the details within their own systems.
"Many venues will want some kind of process that reassures customers safety measures are in place and enables customers to rearrange their booking when appropriate," Sharp says.
"When taking a booking, or confirming a booking the day before the customer arrives, venues can ask whether the customer or anyone they have been in contact with has any reason that it would be unsafe for them to attend. The answers to those questions, if framed carefully, are not sensitive medical data, so from a data protection point of view they are safe to ask as screening questions."