Fáilte Ireland’s Guidelines for Re-Opening Pubs issued last month suggests that, “Businesses do not have to keep records of every person in a party, they will be required to have the name and contact details of one person in each party e.g. the person who books the table. That person should be advised to keep a record of who is in their party in case it is required for contact tracing in the future. Details must be securely retained for one month.”
But other than that, hospitality providers have little by way of guidance on the GDPR implications of keeping this data – an extra bureaucratic headache to add to all the others at this time.
The Data Protection Commission has made the following recommendations to food service businesses in implementing the instructions of the Health Protection Surveillance Centre regarding customer contact tracing:
- Businesses should only ask for and retain the information required by the HPSC; there is no requirement to obtain any information beyond the name and contact details of the person making the booking and the time and date of their party’s attendance
- Contact details held for contact tracing purposes should be retained for as long as required by public health guidelines, currently one month. After one month, contact details should be deleted or securely destroyed
- In the interests of transparency, when making a booking, customers should be informed that their contact details will be retained for contact tracing purposes
- Contact details can be stored either manually or digitally, as long as they remain secure and confidential. It is recommended that Covid-19 contact tracing details be stored separately from any other customer databases, such as those used for direct marketing, to avoid retaining the details for longer than required or processing them for any other purpose.
- Customer contact details should not be used for any other purpose and should not be given out to anyone except public health officials in the course of their official enquiries into Covid-19.
“This data is only being collected in line with the HPSC’s instructions and the purpose for this is for Contact Tracing purposes,” explained the Deputy Commissioner for Corporate Affairs and Communications at the DPC Graham Doyle, “So building profiles, conducting marketing etc using this data would not fall into the category of the purpose for which the data was collected and should therefore be avoided.”
The Cybersecurity and Information Resilience team at the British Standards Institution – the UK’s national standards body – has called for organisations to take a balanced approach to managing data protection and safety concerns, to ensure that public health measures can still be enforced while consumers’ rights are protected.
CIR manages and secures corporate information for BSI’s global clients and Conor Hogan, Global Privacy Practice Lead at BSI, is keen to impress on hospitality firms the importance of transparency and proportionality. Customers have a fundamental right to privacy and have data protection rights that businesses have an obligation to consider and protect, he says.
The right to privacy, however, is not absolute, and legislation such as the General Data Protection Regulation has special provisions to address public health emergencies. He suggests that all firms should consider the following three tips:
- Be transparent – explain to your customers as clearly and succinctly as possible what information you’re collecting, why you’re collecting it and what you’ll be doing with it. Many firms already collect personal information for restaurant and stylist bookings so don’t over-engineer anything, keep things simple and adopt a similar approach
- Don’t over-collect and only collect the information you need – it’s important that a robust process is put in place to destroy or delete the information once it’s no longer needed. Firms mustn’t use information collected for contact tracing for advertising or marketing for example. And if you’re recording the information in your usual bookings software or physical books make sure you have a process in place to remove those entries when no longer required.
- Keep it secure – as mentioned, a simple bookings diary is likely sufficient but don’t leave it lying around. If you’re investing in a new piece of software then careful due diligence is required to ensure that security and privacy-by-design measures are engineered into the solution so that fundamental rights can be protected. Be alert to “quick fixes” or “magic technology solutions” because as controller you’re responsible for maintaining the confidentiality and integrity of the information and protecting the rights of your customers.
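The DPC recommendations and the three tips above come down to the same four controls: collect only the minimum (booker’s name, contact details, date and time), keep it apart from any other customer data, delete it once the retention period has passed, and release it only to public health officials for Covid-19 enquiries. The Python sketch below is an added illustration of those controls as a small in-memory store; it is not code from Fáilte Ireland, the DPC or BSI. The 31-day retention figure (one reading of “one month”), the role and purpose strings and the sample bookings are all assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Retention window: the guidance says "one month". 31 days is this example's
# reading of that and is an assumption, not a figure taken from the guidance.
RETENTION_PERIOD = timedelta(days=31)


@dataclass(frozen=True)
class TracingRecord:
    """Only the fields the guidance calls for: who booked, how to reach them, when."""
    booker_name: str
    contact: str          # phone number or e-mail of the person who booked
    visit_time: datetime  # date and time of the party's attendance


class ContactTracingLog:
    """A store for contact-tracing details that is kept separate from any
    bookings or marketing database, enforces the retention period, and only
    releases records to public health officials for Covid-19 enquiries."""

    ALLOWED_ROLE = "public_health_official"     # assumed role label
    ALLOWED_PURPOSE = "covid19_contact_tracing"  # assumed purpose label

    def __init__(self) -> None:
        self._records: List[TracingRecord] = []

    def record_booking(self, booker_name: str, contact: str, visit_time: datetime) -> TracingRecord:
        """Accepts only the minimum fields; nothing else can be attached to a record."""
        rec = TracingRecord(booker_name.strip(), contact.strip(), visit_time)
        self._records.append(rec)
        return rec

    def purge_expired(self, now: datetime) -> int:
        """Delete every record older than the retention period; return how many were removed."""
        cutoff = now - RETENTION_PERIOD
        before = len(self._records)
        self._records = [r for r in self._records if r.visit_time >= cutoff]
        return before - len(self._records)

    def records_held(self, now: datetime) -> int:
        """Number of records still inside the retention window (purging first)."""
        self.purge_expired(now)
        return len(self._records)

    def disclose(self, requester_role: str, purpose: str, now: datetime) -> List[TracingRecord]:
        """Release records only to public health officials for contact tracing.
        Any other role or purpose (marketing, profiling) is refused outright."""
        if requester_role != self.ALLOWED_ROLE or purpose != self.ALLOWED_PURPOSE:
            raise PermissionError(
                f"contact-tracing data may not be released to {requester_role!r} for {purpose!r}"
            )
        self.purge_expired(now)  # never hand over anything past its retention date
        return list(self._records)


def demo() -> dict:
    """Walk through the lifecycle with constructed sample bookings (not real customers)."""
    log = ContactTracingLog()
    today = datetime(2020, 7, 15, 19, 30)
    log.record_booking("A. Sample", "+353 1 000 0000", today)                            # constructed
    log.record_booking("B. Sample", "b.sample@example.com", today - timedelta(days=40))  # constructed, stale
    removed = log.purge_expired(today)
    held = log.records_held(today)
    try:
        log.disclose("marketing_team", "newsletter", today)
        marketing_refused = False
    except PermissionError:
        marketing_refused = True
    released = log.disclose("public_health_official", "covid19_contact_tracing", today)
    return {"removed": removed, "held": held,
            "marketing_refused": marketing_refused, "released": len(released)}


if __name__ == "__main__":
    print(demo())
```

The separation the DPC recommends is reflected in the class holding nothing but `TracingRecord` entries, so a marketing export has no path to this data; the retention rule is applied both on a scheduled purge and again at disclosure time, so a stale entry is never released even if the scheduled purge was missed. A paper bookings diary needs the equivalent: a dated page that is torn out and shredded once the month has passed.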
Conor contrasts the Irish approach to that of New Zealand, for example, where a simple decentralised app allows customers to check in with a QR code, freeing restaurants from the need to keep a record.