The Government's announcement on 23 June of the easing of lockdown restrictions confirmed that, from 4 July, pubs, restaurants and hairdressers in England will be able to reopen, providing they adhere to COVID Secure guidelines.
However, Boris Johnson's speech the same day in the House of Commons suggested that new guidelines will require businesses, including those in the hospitality sector, "to help NHS Test and Trace respond to any local outbreaks by collecting contact details from customers".
The guidance issued on the same day says "We will work with industry and relevant bodies to design this system in line with data protection legislation, and set out details shortly". This, however, leaves very little time – little more than a week – for businesses to receive these details and make preparations.
This is potentially a tremendous challenge, both practically, and legally, for a sector which relies, in very large part, on "passing trade". Although Johnson's speech went on to say that the Government "will work with the sector to make this manageable", we anticipate that many business will be unused to, and unprepared for, collecting personal data (and this will potentially be very sensitive data) in this way. Although we also anticipate a degree of regulatory forbearance (as we have previously noted, the Information Commissioner has generally been taking a lenient approach to companies' data protection compliance during the pandemic) businesses emerging from drastic shutdown measures will keen to be exposed to as little legal, regulatory or reputational risk as possible. Already, some civil society groups are warning of a "privacy minefield", and it is quite likely that complaints and claims against non-compliant businesses could follow.
In order to encourage their customers to provide accurate information, businesses will need to make sure they do their best to build up a level of trust. Ensuring that customers are told clearly and in simple terms why their data is being collected, what the business plans to do with it, and then only doing that, is key to good data protection practice.