I’ll have a side order of data security please!

How the hospitality industry can comply with data protection law as lockdown eases 

On June 23rd, Britons received the news that so many were eagerly anticipating; lockdown restrictions were finally to be eased.

As of July 4th, we are allowed to return to our pubs, bars, and restaurants. However, there are certain quid pro quos attached to the re-opening of these establishments, one being that proprietors are to shoulder part of the responsibility for carrying out the government’s contact tracing scheme.

Hospitality businesses will be expected to collect data from patrons which may then need to be shared with NHS Test and Trace if there is a suspected outbreak within their establishments. Large, chain businesses may be better equipped and experienced to collect and process such large datasets, but smaller, independent enterprises, already bogged down in regulations and procedures for operating within government COVID-19 guidelines, could be challenged.

As well as collecting the necessary information from patrons, all businesses operating within the hospitality sector will have to manage and protect this information in ways that are compliant with existing data protection law. The UK’s Information Commissioner’s Office (ICO) has hinted that it is not expecting miracles, especially from businesses for whom this is all new, but it will come down hard on those that are negligent with personal data or who seek to misuse it.

In short, the hospitality sector needs to take its new responsibilities seriously. It might all feel overwhelming and not a little bit daunting, but there are sensible, practical steps businesses can take to stay on the right side of the law and avoid potentially damaging breaches.

  1. Collect the bare minimum

For NHS Test and Trace to get in touch with people who may have come into contact with a COVID+ individual, all they will need is a name and means of contacting them, for example a phone number or email address.

Consequently, this is all the information you should be taking.

  2. Be transparent

Most patrons will be aware that they’ll be expected to share some basic information before they can be served. However, in the interest of transparency, you should be advising each patron why you are collecting their details.

The notice you give can be verbal and doesn’t need to be long, but you are required to provide it according to data protection law. It’s also good practice from a customer service perspective.

  3. Keep data secure

This is an obvious point but worthy of reiteration. You can store data on physical copies, i.e. sheets of paper or notepads, but these must only be seen by designated parties and must not be left unattended where someone could steal them or take photos of them.

If your intention is to collect data on a tool such as Microsoft Excel, the document must be kept in a file that is password protected or otherwise encrypted.

Ultimately, you’ll be looking after people’s property, so keep it safe. There are consequences beyond a complaint to the manager if you don’t.

  4. Do not keep hold of data for longer than is necessary

Now there is some official guidance for this one. The government have said that businesses collecting personal information for the purpose of contact tracing should keep it for 21 days. The reasoning for this is that the COVID-19 incubation period is, on average, 14 days. However, the contact tracing process itself needs time to function, so additional time is allowed, with a full week being deemed sufficient.

Once this time has elapsed, eliminate any unnecessary risk of a breach and delete the data.

  5. Delete data securely

If you’ve made physical copies of personal information, these will need to be destroyed in their entirety. Scrunching them up and throwing them in the bin is not good enough and leaves you exposed to a breach. Burn them, shred them, lower them into molten lava, just make sure they’re unusable once you’re done.

For digital copies, be aware that deleting a file might leave it still accessible in a recycle bin or trash folder. Deletion does need to mean deletion.

  6. Use the data only for its intended purpose

Access to all this data is going to prove tempting to some. “After all, they’ve given me their email address, why can’t I drop them a note about next Saturday’s 2 for 1 pizza night?”

Resist this temptation at all costs. It would put you in breach of data protection laws and that’s not a place you want to be. You are, of course, able to ask for their consent to use their contact details for marketing purposes, but you have to acquire this consent explicitly.

  7. Keep it nice and simple

There’s no reason this process needs to be complicated. After all, all you are being asked to do is get a name and number/email, store each for 21 days, and then get rid of it, unless NHS Test and Trace requests access to it.

The process will be made easier still if you train your staff. The more knowledgeable they are, the more able they will be to reassure your customers, defuse potential flashpoints and allow you to concentrate on doing what you do best, keeping your patrons fed and watered.
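As an added illustration, not code from the original post or from iCaaS, here is a small Python sketch that enforces two of the steps above on a contact log: data minimisation at collection (only a name and a means of contact are kept) and the 21-day retention period. The record layout, field names and sample dates are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

RETENTION_DAYS = 21                    # the stated retention period for contact-tracing data
ALLOWED_FIELDS = {"name", "contact"}   # data minimisation: nothing beyond these is stored


@dataclass(frozen=True)
class ContactRecord:
    name: str
    contact: str            # phone number or email address
    collected_at: datetime  # timezone-aware time of the visit


def make_record(raw: dict, collected_at: datetime) -> Tuple[ContactRecord, List[str]]:
    """Build a record from a raw form submission, keeping only name and contact.

    Returns the record and the names (never the values) of any fields that were
    discarded, so that an over-collecting form can be spotted and fixed.
    """
    discarded = sorted(set(raw) - ALLOWED_FIELDS)
    record = ContactRecord(
        name=raw["name"].strip(),
        contact=raw["contact"].strip(),
        collected_at=collected_at,
    )
    return record, discarded


def is_expired(record: ContactRecord, now: datetime) -> bool:
    """True once the record has been held for the full retention period."""
    return now - record.collected_at >= timedelta(days=RETENTION_DAYS)


def purge_expired(records: List[ContactRecord], now: datetime) -> Tuple[List[ContactRecord], int]:
    """Return the records still within the retention window and the number removed."""
    kept = [r for r in records if not is_expired(r, now)]
    return kept, len(records) - len(kept)


if __name__ == "__main__":
    # Constructed sample: a form that asked for more than it needed.
    visit = datetime(2020, 7, 4, 19, 30, tzinfo=timezone.utc)
    rec, dropped = make_record({"name": "A. Patron", "contact": "07700 900000", "table": "7"}, visit)
    print(rec, "dropped fields:", dropped)
    remaining, removed = purge_expired([rec], datetime(2020, 7, 31, tzinfo=timezone.utc))
    print(len(remaining), "kept,", removed, "purged")
```

Run a purge like this daily; whatever it removes should then be deleted from backups and trash folders too, as step 5 requires.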


iCaaS software does all the hard work of achieving compliance and ultimately minimises the risk of data breaches.

By securing your business, the iCaaS platform will save you time and money. More importantly it will secure your staff and help to build confidence and trust within your customer base. The solution is adaptable to any company’s needs.

iCaaS is the Trusted Standard in Data Protection and designed to make data protection easy.

Get in touch, speak to a specialist today. Call 0345 646 0066 and visit: www.myicaas.com
