Collecting customer contact details
- Test and Protect
- maintaining customer records
- sectors that guidance applies to
- registration with the Information Commissioner's Office
- lawful basis for data collection
- secure collection, storage and disposal of data
- how the data will be used
This guidance is for hospitality businesses in Scotland, and sets out key actions and information around the collection of customer data as restrictions relating to the COVID-19 pandemic are eased. For outdoor hospitality, it will come into effect from 6 July and for indoor hospitality it will come into effect from 15 July. From these dates, hospitality businesses serving customers who remain on the premises while engaging with the business, should gather minimal contact details from customers to support NHS Scotland’s Test and Protect service.
This measure will form part of the national effort to suppress COVID-19, and support the country to return to a more normal way of life.
Resources including posters have been produced to help businesses make their customers aware of this. You can find these under supporting files.
Test and Protect was launched across Scotland on 28 May and aims to prevent the spread of coronavirus in the community by:
- identifying cases of coronavirus through testing
- tracing the people who may have become infected by spending time in close contact with them
- supporting those close contacts to self-isolate, so that if they have the disease they are less likely transmit it to others
The gathering of contact information from customers by hospitality businesses, in a secure and safe manner, will assist NHS Scotland’s Test and Protect service to identify any clusters of cases, contact those who may have been exposed to the virus, and request them to take appropriate steps to prevent the potential onward spread of the virus. This could involve asking individuals to self-isolate for 14 days.
Containing outbreaks early is crucial to reduce the spread of COVID-19, protect the NHS and save lives, and avoid the reintroduction of social and economic lockdown. This will support the country to return to, and maintain, a more normal way of life.
As progress is made in suppressing the virus, restrictions on hospitality businesses are set to be eased. However, this can only take place with appropriate measures in place to prevent the number of cases rising again. In order to support NHS Scotland’s Test and Protect service, once hospitality businesses return to serving customers in outdoor and indoor areas, it will be necessary for all businesses – such as pubs, restaurants and cafes – to gather contact information from non-takeaway customers and staff. Where customers are attending as a small household group, the contact details for one member – a ‘lead member’ – will be sufficient. If a business offers a mixture of a sit-in and takeaway service, contact information only needs to be collected for customers who are dining in.
You can play a significant role in helping your staff and customers to understand the value of NHS Scotland’s Test and Protect service, and the importance of playing their part to identify people who may have been in contact with the virus. Please do this by explaining why you are asking for contact information and encouraging them to provide it. You should also display a notice on your premises or on your website. We have provided a template to help you to do this, though please be aware that some people may need additional support in accessing or understanding this information.
In addition to maintaining and sharing records where requested, you must also continue to follow other government guidance to minimise the transmission of COVID-19. This includes maintaining a safe working environment and following physical distancing guidelines. More information on this can be found in our tourism and hospitality sector guidance.
Collecting customer contact details will be voluntary, but it is important that both businesses and individuals cooperate, as it will be crucial to national efforts to suppress the virus. This measure forms part of enabling hospitality businesses to open safely, minimising the risk of the number of infections increasing, and will reduce the risk of requiring future restrictions.
Easing of restrictions are set out in the Scottish Government’s route map. At present, the following changes are planned for the hospitality sector:
- outdoor hospitality activities (subject to physical distancing rules and public health advice) to be allowed from Monday 6 July
- indoor hospitality activities (subject to physical distancing rules and public health advice) to be allowed from Wednesday 15 July
The following guidance sets out the contact information that businesses will have to gather, and how they should go about this, in order to make it possible to reopen hospitality businesses while continuing to suppress the virus.
This guidance applies to any hospitality establishment that provides an on-site service such as pubs, restaurants and cafes. It includes where a service is provided indoors, or outdoors in a designated service area such as a beer garden. It does not, however, apply where services are taken off-site immediately, for example, a food outlet which only provides takeaways. If a business offers a mixture of a sit-in and takeaway service, contact information only needs to be collected for customers who are sitting in.
In order to gather and store customer information securely, businesses may need to be registered with the Information Commissioner’s Office (ICO). This will be the case if you are using an electronic system to gather and store data. Please check with the ICO for further information and how to register with the ICO.
It will be important to ensure that data is collected and handled in line with data protection laws. As part of this, we have published a privacy notice, setting out the terms of how data should be gathered, stored, used and disposed of. The privacy notice is how your business will demonstrate compliance with Article 13 of the General Data Protection Regulation (GDPR) that sets out what information needs to be provided when data are collected from the data subject (customers).
The privacy notice sets out the purpose for which the data is being collected, what data is being collected, the lawful basis for doing so, how long the data will be retained, what rights customers have over this data and how to complain to the establishment and the ICO if there is a concern.
As a controller, each business will be using the GDPR lawful basis of ‘Legitimate Interest’. This is a balanced lawful basis that has minimal impact on the customer and they have the right to object and to have their data erased. Establishments should respect that choice if it is made. Where an individual is not willing to provide their data, it is a decision for the business whether to make services available to that individual or to refuse entry or a booking.
Read the privacy notice.
Hospitality businesses that are serving customers on their premises – either indoors or in outdoor spaces such as beer gardens – will need to gather minimum contact details for all customers to support Test and Protect. This only applies to those being served on the premises, and not to activities such as take-away.
Information to collect
The following information should be collected by the venue, where possible:
- the names of staff who work at the premises
- a contact phone number for each member of staff
- the dates and times that staff are at work
For larger establishments, and where possible, it is also helpful to keep a record of what areas staff work in, e.g. what tables/sections they serve.
Customers and visitors
- the name of each customer, or when customers are attending as a small household group, the contact details for one member of that group – a ‘lead member’
- a contact phone number for each customer, or for the ‘lead member’ of a small household group
- date of visit and arrival and, where possible, departure time
For larger establishments, and where possible, it is also helpful to record table numbers or sections where customers were seated.
If a customer does not have a telephone number, businesses may give customers the option to provide:
- a postal address
- an email address
How to collect data
Contact data will need to be collected by a business for each customer, or for the ‘lead member’ of a small household group, upon their arrival, or prior to their arrival where booking in advance allows.
Many businesses that take bookings already have systems for recording their customers – including restaurants and hotels – which can serve as the source of the information above. This could include taking bookings online or over the phone.
If not collected in advance, this information should be collected at the point that customers enter the premises. Customers will need to be informed of the need to provide information upon their arrival. The resources below include a poster that can be put up in an establishment to alert customers to this need, and copies of the privacy notice should be displayed to inform customers of how their information will be used and protected.
Information should be recorded digitally if possible, but a paper record is acceptable too. Writing customer details in a book or register and destroying these when the retention period is over is acceptable so long as the register is kept out of public sight and stored securely. Similarly, digital records must be securely deleted at the end of the 21 day retention period. Staff need to be identified and appropriately trained for this. To minimise the risk of virus transmission during this process, any written information should be noted by a designated member of staff and not by each individual customer/group.
The ability to record departure times where possible, as well as arrival time (including staff shift times) is important to reduce the number of customers or staff needing to be contacted (and potentially asked to self-isolate) by NHS Scotland’s Test and Protect service, although it is acknowledged that in certain circumstances this may be more difficult.
If someone does not wish to share their details
When individuals share their contact details for this purpose, it will support NHS Scotland’s Test and Protect service to control the spread of the virus and therefore we are asking that people continue to play their part. You should encourage the individual to share their details in order to support NHS Test and Protect and advise them that this will only be used in the event of an outbreak or if a number of new cases are tracked back to the premises. Their information will then be used to inform them if they may have been exposed to a positive case or cases.
If the individual still does not want to share their details but wishes to proceed with a booking and/or use your service, you should make a note not to share this if you still need to collect their details for booking purposes. If you do not need their details for booking purposes, then simply do not collect their details. It is also within the rights of individuals to request to access the data held on them, or to request that it is deleted or corrected. In those circumstances, businesses should comply with such requests.
There is no legal requirement that individuals provide their data for NHS Test and Protect purposes, so if you want to continue to offer your services to customers or visitors that do not choose to provide their information, then you can do so. Employers should make clear to their employees the approach that they wish them to take in these circumstances.
How to store data securely
Once customer details have been gathered, the business will be the data controller, and the data must not be shared with individuals or organisations other than NHS Scotland. All customer data should be stored somewhere secure.
You should hold records for 21 days from the date of each separate visit of a staff member or customer. This will ensure full cover of the typical incubation period and additional time during which people may be infectious whether after symptom onset or not to allow for testing and contact tracing.
Following this, data will no longer be required to be held by the business and must be disposed of securely.
If data is shared with NHS Scotland on the basis of individuals being identified as at risk of being close contacts by the Test and Protect service, NHS Scotland may need to retain the data for longer than the 21 day period and will hold the data in line with NHS information governance processes. Read more information about the NHS Scotland information governance arrangements.
How to dispose of data
After 21 days, data must be disposed of.
If you are using a paper register then pages can be removed daily after the retention period is over and destroyed through secure shredding or other destructive process. Where IT systems are used, establishments will need to ensure that data provided for Test and Protect and other epidemiological purposes are not retained beyond the stated period and do not become part of a wider marketing or other resource.
Information will only be shared with NHS Scotland to carry out contact tracing as part of the Test and Protect service and for epidemiological purposes, and will not be available to the Scottish Government or any other third party.
The contact tracing service would use the information provided by a business, relevant to a positive case’s whereabouts during the infectious period, to inform the process of identifying close contacts where this is a risk of infection. Health protection teams will decide on a case-by-case basis on what follow-up action to take. Depending on the circumstances and the length of time that has elapsed, this could include arranging for people to be tested, asking them to take extra care with social distancing and/or – in some circumstances – asking them to self-isolate. In doing so, the intention is that the risk of onward spread of the virus will be greatly reduced, enabling as many people and businesses as possible to continue operating safely. However, the option to close the premises temporarily remains for the Health Protection Team to determine, depending on the risk assessment of the situation.
When information should be shared
If cases of COVID-19 are detected that have a link to a business, NHS Scotland may contact the business by phone to request staff and customers’ details to allow contact tracing to take place. The NHS Test and Protect service has a number of mechanisms in place to reassure people contact tracers are legitimate, including call back options, visible numbers, and specific location and date information.
Establishments should share the information of staff and customers with NHS Scotland as soon as possible, if asked to do so. NHS Scotland will ask for these records only where it is necessary, either because someone who has tested positive for COVID-19 has listed a premises as a place they visited during the infectious period of the illness, or because a premises has been identified as the location of a potential local outbreak of COVID-19. Establishments should not share this information with anyone else.
Central Enquiry Unit
Phone: 0300 244 4000
The Scottish Government
St Andrews House