
Comment from Guardum: Data collection at pubs - a potential nightmare?

July 2020 by Darren Wray, CTO at UK-based data privacy firm Guardum

Following the news that pubs can ask customers to provide their contact details for contact tracing purposes, Darren Wray, CTO at data privacy experts Guardum, offers the following comment:

“2 pints, a packet of crisps and a DSAR please, could this be what people start to order when they visit their local?

We all understand that COVID-19 has and is changing the world and that the hospitality industry has a responsibility to help NHS track and trace staff contact people should a customer develop symptoms shortly after visiting their local, the danger is that there has been little or no guidance issued from the Government or the ICO about how these new processes should be performed and in many cases those collecting this personal information have had little prior experience of data privacy requirements and have in the best cases only received very limited training.

All of this has the potential to place the hospitality industry under a further burden if they don’t get their processes in place quickly. It will only take a naive member of staff to copy down a phone number or email address and make contact with a customer to cause a heap of work for the venue. The question also has to be asked about how and when the data is going to be deleted once the retention period has passed, just throwing paper records in a dumpster could easily lead to an unwitting data breach.

There are several things that the hospitality industry should be doing right now to ensure that they don’t face future data privacy issues, this includes having a privacy policy that clearly states what personal data they are collecting and how it will be used and who else the data will be sent to (such as NHS track and trace). The policy should also clearly state how long the data should be kept for, under current guidance, this is likely to be no more than a month. Any venue should also ensure that they have an appropriate way of destroying or anonymizing the data when it reaches the end of its retention period.

Any processor of personal information must also be able to demonstrate that the data subject was informed (ideally achieved by the privacy policy) and where consent is the legal basis for processing, that they can evidence that consent was given.

Pubs, in particular, have faced many pressures and a decline in numbers over the last 20 years, data privacy requirements are another thing that they are going to have to adapt to and embrace to survive.”



