If your business has been monitoring changes to COVID-19 related practices, you’ve probably come across the implementation of record keeping. Businesses can collect information from customers or anyone visiting their premises for COVID-19 contact tracing.

So you might be wondering: how can I protect my customers’ personal information? What are my legal obligations? We’ve broken it all down for you.  

Privacy Obligations

Privacy obligations will generally only apply to businesses that are subject to the Data Protection Act (2018). This means any business that collects data from their customers is required to comply with the privacy obligations, such as disclosing how you will use information and who will have access to it.

This is important as lots of small businesses will now be dealing with personal information. The Information Commissioner’s Office (ICO) has published the Data Protection Principles for how businesses can protect these records, and it’s a good idea to consider these tips regardless of whether your business has formal privacy obligations.

There is no longer a formal requirement for businesses to use the QR code. However, if you have chosen to keep these measures in place regardless, privacy practices still apply. Whether you are collecting the information through a system that is unique to your business or using the NHS’s Covid-19 App, it’s always good to ensure you are up to date on your privacy commitments. 

Alternatively, your business may wish to provide a manual check-in for those who don’t have access to the app when they enter the premises.

What Information Do I Need To Collect From My Customers?

The information you collect should only be relevant for the purposes of tracing the virus’s outbreak, in case customers need to be alerted of potential exposure. For example, you cannot request your customers’ home addresses, and you cannot use the information you collect for marketing purposes.

You are only collecting information for contact tracing, so you cannot use it for anything else (and you’ll need to disclose this to your customers, too). 

The kind of information you can collect includes: 

  • First name
  • Phone number
  • Date and time they visited the premises
  • If relevant, where they were seated

Who Do I Notify And How?

You need to notify your customers that you will be collecting their personal information before you do it. You can place a notice:

  • At the venue’s entrance
  • At each table
  • Verbally before taking their order
  • Digitally (e.g. on your website)

When you notify your customers, make sure you tell them:

  • What information you’ll be collecting (e.g. their phone number)
  • Why you’re collecting it (contact tracing)
  • How it will be stored and handled (e.g. through a secure online system)
  • Who will have access to that information (e.g. staff and health authorities)

How Can I Collect Customers’ Information?

There are a few ways in which you can collect customers’ information, but you need to make sure that no one else can see it. Here are some options:

  • Place a piece of paper at each table for recording information before customers order food. You can collect this paper after they’ve finished and replace it with a new one for the next customer/s. 
  • Your employees can request the information verbally when taking customers’ orders, and write it down on the receipt. 
  • Customers can send a text message with their personal details to a specific number. 

The way you collect information is really up to you, as long as it’s not visible to other customers and it is handled safely. 

How Do I Store This Information?

Restricted Access

When storing the information, make sure that only people within your organisation have access to it. This also means you need to train both existing and new staff about how to handle this information safely. 

For example, if you’re using an electronic system to store customer information, you need to train your staff to use the system responsibly and safely.  

Some methods of storing information may give a third party access to that data. In this case, it’s important to have an agreement with that third party which sets out how they should handle the information and requires that you are always notified of what they do with it.

Notifiable Data Breach (NDB)

If you choose to store your information online, there may be a risk of a data breach. To avoid losing this personal information, it’s important to have:

This way, you can assure your customers that you’re committed to keeping their information secure. 

Who Can I Share This Information With?

You can only share this information with the relevant health authorities at their request. This information is being collected for contact tracing, so it can only be disclosed for that purpose. 

What Happens When I Don’t Need The Information Anymore?

Usually, the records will need to be disposed of after a certain period of time. When it’s established that you won’t need the information anymore, you need to destroy all copies of it (this is something you need to disclose to customers as well!). 

As a general guideline, the NHS app deletes the information for each check-in after 21 days, once it is certain the individual has not contracted the virus in that time from the venue they visited. In other words, the information is kept no longer than necessary.

Your business should aim to do the same in its practices. 

There are a few ways you can destroy the information:

  • Shred documents before disposing of them
  • Delete electronic copies of information
  • If a third party had access to it, tell them to destroy the information 

Put simply, you need to make sure there’s no way the information can be restored. 

What Else Do I Need To Know?

COVID-safe check-ins are best paired with other existing recommendations. This means you should still practise social distancing and promote hand hygiene at your workplace.

Some workplaces may choose to develop a COVID-19 Safety Plan. The NHS has provided guidelines for businesses on being as safe as possible during these times. You can access it here.   

Need Help? 

Dealing with personal information carries a lot of risk, so whether or not your business is required to comply with the Data Protection Act (2018), it’s important to protect your customers’ information.

If your business needs privacy advice or any help meeting your obligations under these new COVID-19 regulations, Sprintlaw has a team of experienced lawyers ready to assist.

You can contact us for a free consultation on 08081347754 or at [email protected].

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're an award-winning, online law firm for small businesses in the UK.
