Data protection warning for Lancashire businesses reopening on July 4
Lancashire hospitality businesses are being warned to not forget Data Protection under reopening rules on customer records
Information being gathered from customers at restaurants and pubs under the easing of lockdown must follow the strict laws, warns a legal expert.
Under the reopening, Government guidance says businesses must collect a ‘temporary record’ of all customers and visitors, to be stored for 21 days in order to assist the NHS Track and Trace programme.
Jon Esner, partner and head of the Commercial team at regional law firm Napthens, said the government guidance is still unclear on the exact information venues need to collect, but expects it to at least include names and contact details including email and telephone number of each customer.
urther specific guidance is promised, but Jon highlights that information must be collected in accordance with data protection laws.
He said: “Data protection rules are very strict, and businesses must be aware of their responsibilities before they begin collecting information from customers and visitors.
"Everything from legal notices on websites and in venues themselves, to staff training, and having a system in place to properly destroy the data afterwards must all be taken into account.
“As with so much relating to the pandemic, the situation is likely to change as more guidance is released by the Government so it is important to seek up-to-date advice and make sure these changes are dealt with as soon as possible.”
He suggested businesses update online privacy notices to include data collected for Track and Trace and prepare a short explanation explaining why it is being collected to display or share at the time of collection.
Staff should get some training to ensure the information is collected and stored securely and confidentially.
He warns that data should only to be used for complying with Track and Trace unless customers have been told otherwise. It cannot be used for marketing purposes, for example, without permission.
And a system should be in place to destroy the information after 21 days.