Data Protection – considerations for reopening your business

NFU Mutual have supplied this helpful article from legal firm RPC around data protection and temporary record keeping.

In its latest guidance on keeping workers and customers safe during COVID-19, the Government has recommended that businesses operating in the hospitality sector keep a temporary record of customers and visitors for 21 days. This will assist NHS Test and Trace with requests for that data if needed.

However, there are measures that hospitality businesses will need to take to ensure that they collect, use, and dispose of personal data for these purposes in compliance with GDPR legislation.

In the following article, legal firm, RPC, who are experts on handling data breaches, have outlined some practical steps to help your business comply with its obligations under data protection legislation when implementing Test and Trace measures.


You should only collect the minimum amount of data that you need in order to comply with the Government guidance. Such as:

• Customer names

• Contact email addresses and/or telephone numbers

• Date of attending your venue (and estimated timings at your venue)

The Government Guidance does not currently recommend asking customers whether or not they’ve had COVID-19 symptoms or any other health-related questions before attending venues. If you do decide to do this, you must be aware that such information is considered special category data and additional legal considerations will apply. If you feel that it is important for your business to record this information, we suggest that you identify the appropriate legal basis, and if you are not sure then you should seek legal advice before proceeding.


Under GDPR guidance you’re required to be able to demonstrate that you have a reason for collecting personal data and that this reason complies with one of the GDPR rules.

The most likely reason in this case would be ‘legitimate interest’. However, in order to rely on this, you must be able to clearly demonstrate that you have:

• Identified a legitimate interest: In this case, facilitating contact tracing for COVID-19.

• Shown that the processing is necessary to achieve it: This is likely to be met given that the Government has recommended these measures; and

• Balanced these against the individual’s interests, rights and freedoms: This analysis should be carried out in the context of your specific organisation, but again should be fairly easy to demonstrate.


You’ll need to make sure that your customers understand:

•            Why you’re collecting their data: This should be limited to contact tracing.

•            Who you’ll be sharing it with: You’ll need to tell your customers that you may pass data collected to the NHS Test and Trace service, which is operated by The Department of Health and Social Care. For most hospitality businesses, there is unlikely to be any other organisations that

you’ll need to share this data with. However, if you do need to share it with another third party you’ll also need to inform your customers that you’ll be doing so.

•            How long you’ll keep the data: See section on ‘retention time periods’ below.

This should all be communicated to your customers at the time of collecting their data (e.g. when they make a reservation or before they enter your venue). You should also consider updating your general customer privacy policy.

There is other information that you’re required to provide to individuals when you collect their personal data (e.g. the identity of the controller, details of data subject’s rights,

right to complain to Information Commissioner). However, depending on the method you’re using to collect the data, it may be easier to include a statement at the end of a data collection form, such as : “For further information about how we process your personal data, please see our Privacy Notice at [insert URL, possibly with QR code for ease of consultation]”.


You should make sure that the information collected is kept secure. Consider implementing measures such as requiring passwords to access the data and encryption (if stored electronically) and limiting access to staff that strictly need to access the data to perform their role.

Your systems as a whole should have appropriate security measures, such as up to date versions of software, patching and antivirus.


This data should only be used to assist with contact tracing and not for any other purpose. Please do not automatically add this customer data to your marketing lists or combine this data with any other customer databases that you may have.

If you want to also collect data for marketing purposes at the same time (e.g. if this collection step for contact tracing will be incorporated into an online booking process), then this will need to be clear in the collection process and you’ll need to obtain separate consent to use this data for marketing. Customers should be given the option to opt in to marketing.


The Government guidance recommends retaining the data for 21 days. If you retain the data for longer than this then it is unlikely to be acceptable. You must also ensure that you tell customers how long you’ll be retaining their data for.

Once the retention period has finished, you should securely delete the data. This means shredding and/ or otherwise securely disposing of all hard copy records plus securely deleting any electronic copies.


The guidance also recommends keeping a temporary record of your staff shift patterns for 21 days to assist NHS Test and Trace in the context of your staff.

This article does not cover any testing or other measures in relation to staff, but businesses should also be mindful that additional guidance has been published by the Information Commissioner’s Office (ICO)

setting out other considerations for employers in a COVID-19 world (see other useful resources).


You may already have booking or reservations systems in place with third party booking platforms. Some of these service providers already facilitate the safe collection and storage of personal data in order to make bookings for your restaurant. They’ll no doubt also be keeping an eye on Government recommended measures so consider contacting them to see to what extent they can help you implement some of the other steps outlined in this article.

Other useful resources



Please contact your local Agent if you wish to discuss cyber risks or cyber insurance options further, which we can provide through a panel of carefully chosen third party providers.