Privacy, COVID-19 and the opening of the hospitality sector

Time Please Gentleman

Today (July 4th) the hospitality sector (most likely including your local pub) has started to re-open after the three-month lockdown, closed doors and no business. Government guidelines are asking businesses where there is a ‘higher risk’ of COVID-19 transmission (like Pubs, Bars Cafes, Restaurants etc) to collect information on their patrons (customers) to be used as part of the Governments ‘Track and Trace’ system. The idea is if anyone in the Pub (for example) becomes infected then the Pub would then release the contact information of anyone who visited the Pub on the same day (or the same time) to the NHS Track and Trace to allow them to contact the other patrons and ask them to enter isolation (as well as find out who else they may have come into contact with). To many this provides a large concern around privacy, they’ve never had to give out this level of information to these types of businesses before, and some have tried to minimise their privacy profile – even with the Government. The exact information collected on customers is likely to be the following;

What information are they/should they be collecting?

For staff:
  • The names of staff on duty that day (including their shift times) – This would include any third-party company that works in the organisation as part of any shift – Such as daily cleaning companies, repair works etc).
  • A Contact telephone number for that staff member (or at least one method of directly contacting them such as an address, email etc).
For Customers
  • The Name of the customer (ideally individually but at worse  if in a group then the name of the lead customer and the size of the group)
  • A contact telephone number for that customer (or again the contact name for the lead customer in the group) Date of visit, Time of visit and if possible the time they left.
  • If the customer/party had a long interaction with a particular staff member (such as if the organisation visited was a hairdresser, escape room etc) then the name of that staff member.

How are they going to collect this information?

It’s likely that anywhere that requires a booking such as Hairdressers, Restaurants, Hotels etc will collect this information when you reserve. Many already do so as part of the process of reservation pre-COVID-19. The exception here is that a restaurant would have only previously asked for your name. This information could be collected over the phone or if the system to book is online then done so through this. Pubs, on the other hand, are far less likely to have this information in advance.

How will Pubs (and other ‘pop-in’ highstreet businesses) collect this information?

My thoughts are that this will be done paper-based and with card/pen – Most Pubs will be set up for social distancing, reduced seating and following the Government guidance for ‘At table service only’.
  1. Patrons sit at Pub table with cards already present asking for their name, telephone number and the ‘check-in time’
  2. A staff member comes over, Checks that the card has been filled in and takes the order.
  3. When the Patrons leave, they fill in the checkout time.
  4. A staff member comes over – cleans the table (including the Pen/Pencil if provided) preparing it for the next customer including taking away the used cards and providing new ones.
  5. The card is then stored in that day’s log (still paper-based) and destroyed 3 weeks after the date captured.
This route and a paper-based system – while it makes it a harder job in the future if there is an infection to quickly report it to the NHS this information is likely to be at less risk when stored properly. The larger risk here is that cards may not be collected properly and that staff member may not correctly store the cards securely. The alternative more digital route for a Bar such as Wetherspoons etc (Where App-based ordering is already in effect).
  1. Patrons sit at Pub table with an info sheet to download the companies app
  2. Patrons enter their table number, their name & contact details inside the app (or as part of the apps registration)
  3. The customer makes their order on the app and the drinks/food are delivered to the table.
Now, this route certainly makes it easier for staff – It’s all securely held and only authorised people would have digital access to the stored records. The downside here is that we know that digital app adoption for ordering in bars (such as the Weatherspoons app) isn’t taken up by everyone. Theirs reminds those that choose not to have smartphones or don’t have the ability to use a phone or app requiring assistance from staff.

 What are the downsides of collecting this information?

The Downsides to both and any option (in my opinion) to collect this information are:
  1. These bars are collecting personal information and under the GDPR they need a clear privacy/data policy on how that data will be used.
  2. There is no way to actually validate the information provided is even remotely correct or true. Given many peoples view on privacy I imagine a vast amount of the information collected will be made up.
  3. Three weeks worth of data has to be kept – Which for a busy bar or pub is a large set of personal data to be responsible for. Size of data to organise that the average bar is unlikely to have had to be responsible for before (They should, of course, be familiar with storing the personal information of their own staff under GDPR of course!).
  4. It’s likely that staff will have to assist a large proportion of customers to enter this detail where they are unable to themselves.
  5. Staff are likely to get a lot of confrontational customers who simply refuse to enter any information – leading to an awkward scenario of not serving them, poor reviews etc and potentially even dropping the collection of such information for ease (as this is just government guidance and not Law).
  6. Drunk people are probably going to struggle to provide this information.

Do I think this will work or be useful?

Honestly, it all depends on how it’s implement and the type of customers that come into contact with. Locations with pre-booking – Hotels, Restaurants, Hairdressers etc – Very likely to be easy implementation and high accuracy of data kept. Pubs/Bars etc – I don’t think it’ll work – Inaccurate information supplied and difficulty collecting it.

Do I think we’re going to see a lot of data breaches surrounding this?

For sure – This is adding a lot more personal data into the mix of companies that are only now having to drum up procedures that have to be organised and kept for three weeks. If we don’t see a few cases of this information not be deleted/destroyed after three weeks, or accidentally emailed to someone, found in a dumpster etc I’d be surprised. A lot of UK companies, especially small such as non-chain Pubs I don’t believe ever really adopted GDPR (Or rather the UKs Data Protection Act 2018) – They won’t have someone trained in it, very unlikely to have a named staff member responsible. Very unlikely to have procedures already in place to keep data secure (outside hopefully of their staff members) and this will just lead to an increase in accidents around personal data (or more likely in my opinion they won’t bother to collect it in the first place).

Do I think the ICO is going to issue any fines or investigate/check how companies are doing it?

Unlikely again in my opinion. This is a ‘Wartime effort’ to protect people – I imagine the first we’ll hear from the ICO will be in 5-10 years when a large corporation has kept all of this data for 5-10 years and has been using it for marketing purposes and it ‘accidentally’ gets leaked or hacked. You can read the Governments exact guidance and more detail here