Dr Sam Linton, GDPR Practitioner and experienced VCS manager, of Aeonian Projects, shares advice and guidance for collecting and storing customer data.

In the pub or leisure trade and dealing with track and trace? Government guidance says you should assist the NHS Test and Trace service by keeping a record of your customers and visitors.

Going to be keeping more information about people than usual? Here are some things to consider:

Privacy – If you don’t already, you need to tell people why you are collecting their information, what you are going to use it for, who you might share it with and how long you are going to keep it. You may need a privacy statement if you don’t have one, or you may need to update your existing information. Remember you cannot use the information you gather for marketing, or for any other reason, unless you have collected specific consent to do so.

The following information should be collected by the venue, where possible:

  • staff
    • the names of staff who work at the premises
    • a contact phone number for each member of staff
    • the dates and times that staff are at work
  • customers and visitors
    • the name of the customer or visitor. If there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group
    • a contact phone number for each customer or visitor, or for the lead member of a group of people
    • date of visit, arrival time and, where possible, departure time
    • if a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer

No additional data should be collected for the Test and Trace service.

Security – How will you keep information secure? Who will see the information – do all your staff need to see everyone’s details? Make sure you have procedures for accessing the information and that you have secure passwords if you are using an app. How will you store paper-based information? If you intend people to sign in, then you should consider infection risk as well as how you will prevent people from seeing each other’s information. Consider things such as using a small order pad to take individual details rather than a pad that lists the details of many people; the chits could be stored securely in envelopes by date.

Retention – How long do you need to keep the information? Current guidelines say you should keep the details for 21 days to provide to NHS Test and Trace if necessary. Make sure you have a procedure for securely deleting / destroying the information after this time. It may be a good time to invest in a shredder if you don’t already have one. If you’re using an app such as evePASS, check when the data will be deleted (for example, evePASS says it’s 30 days, which would be acceptable).

Scams – Make sure you and your staff are on the lookout for scams that appear to be from NHS Test and Trace and are trying to get the customer data. Check email and website domain names to make sure they come from a legitimate source – if you’re not sure then DON’T send information or click on links. You can report suspicious emails via the National Cyber Security Centre (NCSC).

Contact tracers will:

Processing – If you are taking bookings through an app, check that information is not stored or otherwise processed outside of Europe. If it is, you may need to check you have special clauses to protect the information.

Additional information – https://www.gov.uk/guidance/working-safely-during-coronavirus-covid-19/restaurants-offering-takeaway-or-delivery