07 August 2020

From next week, Scottish pubs and restaurants will be required to collect contact details of customers. The move comes in response to an increase in Covid infection rates seen in Scotland over the past weeks. Unlike collection of these details to date, which has been carried out on a voluntary basis, it will become a statutory requirement for businesses to collect contact details and, as such, personal data.

For some businesses, pubs in particular, the concept of collecting large volumes of personal data will be relatively new, with traditional business models simply never having involved collection of personal data on such a scale. However, legislation set to take effect next week will change the data protection landscape for many businesses.

The Scottish Government had previously issued a template privacy notice for businesses to use when collecting personal data in the context of Covid -19. That template provided that the data would be collected on the basis of legitimate interests, although the fact that data need only be collected on a voluntary basis did raise a question mark as to whether the collection was “necessary for the purposes of the legitimate interests pursued”. Now, businesses will instead be able to collect personal data on the grounds that it is “necessary for compliance with a legal obligation”.

However, hospitality businesses affected by these changes must remain live to the limits on use of the data collected and how that information must be processed. One of the underpinning principles of the General Data Protection Regulation and the Data Protection Act 2018 is that data is adequate, relevant and not excessive. Businesses must therefore only collect information which is necessary as part of the Government’s “test and protect” strategy. Only contact details should be collected and customers should not be asked for any other information which exceeds what is strictly required.

Businesses also must ensure that they use the personal data in accordance with the other data protection principles:

• Fair and lawful processing;
• Specific, explicit and legitimate processing;
• Accurate and up to date processing;
• Retention of personal data only for so long as is necessary; and
• Secure processing.

In particular, businesses must ensure that they do not use the personal data collected for any other purpose than to contact customers in relation to Covid-19 cases. The collection of customer contact details offers an ideal opportunity for businesses to grow their databases and mailing list, but the temptation must be resisted. While many businesses are particularly eager to stay in touch with existing customers and acquire new ones at a time when revenue is desperately needed, the consequences of using any personal data collecting in this way could be severe. The Information Commissioner has the power to issue substantial fines for such unlawful use of personal data and using contact details gathered under the test and protect initiative to actively market to customers, whether by phone or email, will compound the likelihood of fine.

Having said that, businesses should not feel prohibited to request the data they are now obliged to collect. Many businesses have risen to the new and very real challenges they have been presented with and, with careful consideration, there is no reason why any business should fall foul of GDPR requirements.

BTO’s Data Protection Team can assist with any queries you have.

Contact

Lynn Richmond, Partner, E: lyr@bto.co.uk / T: 0131 222 2934