Last updated: 6 July 2020

Track and Trace to support re-opening

The Government permitted pubs, bars and restaurants to re-open from 4 July 2020 as part of its easing of COVID-19 restrictions and unlocking of the UK economy.

The Government’s NHS Track and Trace scheme is supporting this re-opening of the economy. As part of this scheme, the Government is asking pubs, bars and restaurants to keep temporary records of their customers and visitors. It might also ask hospitality businesses to share that data with the NHS Track and Trace scheme, if needed. The aim is to contain further clusters or outbreaks of COVID-19.

GDPR Compliance

This initiative poses a challenge to many businesses in the hospitality sector, who will have to beef up their GDPR compliance in a short space of time.

Get ahead

The Government has said it will work with the sector to make this challenge more manageable.  Here are some quick tips from the Freeths Data Team to help clients get ahead of the game:

1.  Put a booking system in place and make it secure

Pubs, bars and restaurants that do not have a bookings system should put one in place, so they can record their customers and visitors.

Make sure your bookings system is secure, so you do not suffer a potentially embarrassing (or costly) data breach. Online bookings systems providers should offer appropriate security features; avoid them if they do not.

2. Don’t keep the Data too long

The Government says that pubs, bars and restaurants should not keep their customer records for longer than 21 days. Make sure you have a system in place for deleting (or at least anonymising) the data you collect once this time period lapses. Keep a record of the 21-day retention period, to show how you comply with GDPR.

3. Be open and honest with your Customers

Tell your customers what you are doing with their data. You can do this by providing them with a privacy notice before you collect their information. This is sometimes easier said than done, but be creative with solutions. Can you put a notice near the entrance to your premises? Can you provide them with a notice online or on a terminal? Maybe you can give them a “short and sweet” notice telling them the basics, which refers to a longer notice with more detail that they can access elsewhere if they want to?

4. Don’t misuse your Customer information

If you collect customer records for track and trace, you should not then use them for quite different purposes, unless you tell your customers first and have a lawful basis for the different use.

5. Train your Staff

Train your staff about GDPR risks and responsibilities around handling customer data.  There have been cases in other countries using similar track and trace schemes where staff have mishandled customer data, with unwanted results for all parties.

And finally…

You need to have a lawful basis for collecting and using the customer information.  Consider this carefully, and document which lawful basis (or bases) you rely on. Your customers and visitors also have rights over the records that you collect – have policies and procedures in place for dealing with data requests and data breaches.

Guidance Published

The ICO has now published guidance on collecting customer and visitor details which covers the issues raised above.  The guidance can be found here.

For more information contact Luke Dixon


The content of this page is a summary of the law in force at the present time and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.