Privacy, COVID-19 and the opening of the hospitality sector

Time Please Gentleman

What information are they/should they be collecting?

• The names of staff on duty that day (including their shift times) – This would include any third-party company that works in the organisation as part of any shift – Such as daily cleaning companies, repair works etc).
• A Contact telephone number for that staff member (or at least one method of directly contacting them such as an address, email etc).
• The Name of the customer (ideally individually but at worse  if in a group then the name of the lead customer and the size of the group)
• A contact telephone number for that customer (or again the contact name for the lead customer in the group)
  Date of visit, Time of visit and if possible the time they left.
• If the customer/party had a long interaction with a particular staff member (such as if the organisation visited was a hairdresser, escape room etc) then the name of that staff member.

How are they going to collect this information?

How will Pubs (and other ‘pop-in’ highstreet businesses) collect this information?

1. Patrons sit at Pub table with cards already present asking for their name, telephone number and the ‘check-in time’
2. A staff member comes over, Checks that the card has been filled in and takes the order.
3. When the Patrons leave, they fill in the checkout time.
4. A staff member comes over – cleans the table (including the Pen/Pencil if provided) preparing it for the next customer including taking away the used cards and providing new ones.
5. The card is then stored in that day’s log (still paper-based) and destroyed 3 weeks after the date captured.
6. Patrons sit at Pub table with an info sheet to download the companies app
7. Patrons enter their table number, their name & contact details inside the app (or as part of the apps registration)
8. The customer makes their order on the app and the drinks/food are delivered to the table.

What are the downsides of collecting this information?

1. These bars are collecting personal information and under the GDPR they need a clear privacy/data policy on how that data will be used.
2. There is no way to actually validate the information provided is even remotely correct or true. Given many peoples view on privacy I imagine a vast amount of the information collected will be made up.
3. Three weeks worth of data has to be kept – Which for a busy bar or pub is a large set of personal data to be responsible for. Size of data to organise that the average bar is unlikely to have had to be responsible for before (They should, of course, be familiar with storing the personal information of their own staff under GDPR of course!).
4. It’s likely that staff will have to assist a large proportion of customers to enter this detail where they are unable to themselves.
5. Staff are likely to get a lot of confrontational customers who simply refuse to enter any information – leading to an awkward scenario of not serving them, poor reviews etc and potentially even dropping the collection of such information for ease (as this is just government guidance and not Law).
6. Drunk people are probably going to struggle to provide this information.

Do I think this will work or be useful?

Do I think we’re going to see a lot of data breaches surrounding this?

Do I think the ICO is going to issue any fines or investigate/check how companies are doing it?