After the government’s decision to restrict social gatherings to limit the spread of Covid-19, venues across England must, by law, have a system in place that records and stores their customers, visitors and staff’s contact details.
Harpreet Sandhu, partner and expert data protection solicitor in Nelsons’ commerce and technology team, discusses what this means for businesses.
What are the new rules?
“Organisations have previously been advised by the government to collect and store their customers, visitors and staff’s contact details, and many businesses have done so. However, from Friday, 18 September, it will be formally mandated, and non-compliance with the rules will result in fixed penalties for organisations.”
Where do the rules apply?
“Further details regarding the new measure are expected to be released on the government’s website soon, which should specify the settings where the laws will apply. However, in the main, they will apply to hospitality premises and businesses, close contact services, and other tourism and leisure venues.
“The government has also confirmed these organisations could face penalties if they don’t ensure their premises are ‘Covid-secure’, which includes taking group bookings of six or more people.”
What contact details need to be obtained?
“The businesses that these rules apply to will be legally obligated to collect and hold the contact details of every customer, visitor and staff member on their premises. The contact details that need to be taken include the person’s full name; telephone number; date of visit; time of arrival; and, if possible, time of departure.”
How should these details be stored?
“The data collected and held by organisations must be in compliance with the General Data Protection Regulations (GDPR) and Data Protection Act 2018. How the information is collected and stored will be very much dependent on the industry sector of the business, but it should be done as straightforwardly as possible, using either an existing system for processing personal data or a new solution.”
How long will businesses need to keep the information for?
“The details will need to be stored for 21 days and shared with the NHS test and trace scheme, if requested. If the NHS test and trace system requires the details, this will be due to the fact that a business’ premises have been identified as a potential location of a local outbreak of Covid-19. NHS test and trace will then contact anyone who may have been exposed to the coronavirus at the organisation’s venue and provide them with appropriate public health advice.”