Guidelines from the ICO on collecting customers’ data

What must you collect, how to store it, what can you use it for and how long you can keep it – and how it must not be used for marketing purposes

Designated venues in certain sectors, including hospitality and tourism, must have a system in place to request and record contact details of their customers, visitors and staff to help break the chains of transmission of coronavirus.

They must:

  • ask at least one member of every party of customers or visitors (up to 6 people) to provide their name and contact details
  • keep a record of all staff working on their premises and shift times on a given day and their contact details
  • keep these records of customers, visitors and staff for 21 days and provide data to NHS Test and Trace if requested
  • display an official NHS QR code poster so that customers and visitors can ‘check in’ using this option as an alternative to providing their contact details
  • adhere to General Data Protection Regulations (GDPR).

Hospitality venues must also refuse entry to those who refuse to participate. Failure to meet any of these requirements will result in fixed penalty fines.

The Information Commissioner’s Office (ICO) says it understands that organisations have lots of new measures to put in place so that they can re-open safely. It has published five simple steps to follow to help ensure that data protection is not a barrier to your business’s recovery.

A: Ask for only what’s needed – you should only ask people for the specific information that has been set out in government guidance. This may include things like their name, contact details and time of arrival, for example.

B: Be transparent with customers – you should be clear, open and honest with people about what you are doing with their personal information.

C: Carefully store the data – you must look after the personal data you collect. That means keeping it secure on a device if you’re collecting the records digitally or, for paper records, keeping the information locked away and out of public sight.

D: Don’t use it for other purposes – you cannot use the personal information that you collect for contact tracing for other purposes, such as direct marketing, profiling or data analytics.

E: Erase it in line with government guidance – don’t keep the personal data for longer than the government guidelines specify.

More information

There is more detailed guidance on this topic at: www.ico.org.uk  

The NCC Training Academy has a course on GDPR (the overarching regulations on data protection).

Government guidance varies for England, Northern Ireland, Scotland and Wales.