As has been the case in almost every aspect of our response to COVID-19, as the science has evolved and our experience has developed, so the government requirements and guidance have changed. This has resulted in recent changes in Scotland (and Wales) in relation to the requirements being imposed on certain businesses to collect contact information about visitors to their premises.
The need to support the track and trace programme was recognised at a four-nations level as soon as lockdown was eased and guidance was issued on the type of information that should be collected, how it should be held, what use should be made of it (and what not) and how long it should be held. It was clear in all four nations that setting up a data collection mechanism was voluntary, not mandatory. This guidance was also supported by further guidance issued by the Information Commissioner’s Office (ICO), the body responsible for overseeing compliance with data protection laws.
However, in light of the lessons learned from the recent Aberdeen cluster, the Scottish Government decided it needed to go further in its requirements. Since 14 August, it has no longer been a voluntary measure but rather a legal requirement for hospitality businesses – essentially pubs, restaurants, cafes and hotels that sell for food or drink – to “gather, record and retain minimal contact information from non-takeaway customers, visitors and staff”.
Anecdotal evidence suggests that most premises had put in place a contact collection scheme and therefore the 14 August changes would not have seen a rush to do so. However, a further significant change that took effect from 14 August was the type of information that now has to be collected. It seems that businesses are not yet getting to grips with this requirement.
It is no longer enough for businesses to obtain the contact information for one contact from each party that visits its premises. Instead, relevant businesses are now required to take contact information for every household that visits its premises. Businesses must have a system in place to collect “visitor information”, including: the name and telephone number of one member of each household visiting the premises, the date of their visit and arrival time, and a note of the number of any members of that person’s household visiting the premises at the same time. The guidance also recommends that a note of the departure time be taken, if this is possible.
What that means is that a booking for a table of four could be made by taking the contact information of one member of the party, however, on arrival, contact information must also be taken for each member of the party or one member of each household group. Where businesses offer both on-site and takeaway services it is only necessary to take the contact information for on-site services.
The businesses must also be able to demonstrate that they are recording “visitor information in a filing system suitable for recording, storing and retrieving such information” and that it is retained for 21 days from the date of the visit. Indeed, the information should not be kept any longer.
Helpfully, the Scottish Government has provided some template documents for premises, in particular a style privacy notice that can be displayed on the premises and/or website giving details as to why information will be collected and how it will be used. It also provides advice to visitors on their rights in relation to that data and how to complain to the ICO, if appropriate. It may also be necessary for the business to register with the ICO as a data controller if it has not already done so.
It may be that businesses are already in the habit of collecting customer data and using it for marketing purposes. If this is the case, then it is important that the collection of this new information is kept separate and only used for contact tracing purposes. The business will need to make sure its privacy notice explains both uses of the data and how they are kept separate. The guidance also recommends the data should be collected by a designated individual on the premises to avoid customers seeing the contact information of others and, on a practical level, to avoid many people handling the system/paperwork/sharing a pen.
The purpose of collecting this information is to support the track and trace efforts and the new regulations make it clear that the “visitor information” held by a premises may be requested by a public health officer and must be provided when requested as soon as reasonably practicable (within 24 hours at the most, if not sooner). If there is a need to make use of the visitor information, then it will be NHS Scotland officials from NHS Test and Protect who will make the contact. The guidance also supports concerns that businesses may have about calls from people falsely purporting to be official contact tracers by giving examples of the sorts of things that official contact tracers would not ask a business to do. It also offers the security of a call back system and other mechanisms to reassure businesses that they are dealing with legitimate contact tracers.
Although the primary focus is on visitors to the business, certain information needs to be kept about staff – names and contact information and details of who was working when. In addition, the guidance suggests that in bigger premises businesses keep details of the area in which staff were working, for example, which tables they served.
As noted in the guidance published by the Scottish Government there is no basis on which an individual can be required to provide their contact information but you should explain to them why you are asking for the information and how it will be used. This may be in addition to any notices you have put up around the premises. The guidance goes on, however, to say that “if the individual still does not want to share their details then premises should refuse to offer the service requested. Employers should make clear to their employees the approach that they wish them to take in these circumstances.”
While it may be simple to say that in these circumstances services should be refused, in practice this will be a more difficult measure for staff to enforce. A lot may depend on the nature of the premises. For example, customers in a café are less likely to be under the influence of alcohol than those in pub, who may respond aggressively to being told they will not be served.
Most importantly, failure to comply with the new regulations carries criminal consequences, which means that the company, officers and staff operating the premises could be open to potential criminal proceedings. This may have a further impact on licensed premises, which could also potentially have their licence reviewed (and revoked) by the Licensing Board at a review hearing in due course. It is therefore very important that proper measures are put in place.
Wales has also implemented similar changes. Indeed, the requirements apply to a wider range of business. The collection of customer data remains voluntary in Northern Ireland and England, though the position may change in future.