Coronavirus (COVID-19): tourism and hospitality sector

Collecting customer contact details

• overview
• collecting contact details – introduction
• maintaining customer records
• sectors this guidance applies to
• registration with the Information Commissioner's Office
• lawful basis for data collection
• secure collection, storage and disposal of data
• how the data will be used
• when information should be shared

Overview - support the national effort

This guidance is for hospitality businesses in Scotland, covered by regulations, and is a tool to support visitor data gathering where the nature of the premises means there may be an increased risk of transmission of COVID-19 due to a higher degree of interaction between unknown individuals. It sets out how to collect visitor contact details in a safe, secure and legally compliant manner, to assist NHS Scotland’s Test and Protect in responding to outbreaks of COVID-19.

The regulations that create the mandatory requirements that this guidance covers were updated from 9 August 2021. From this date, a range of hospitality and entertainment settings must gather minimal contact details from customers and visitors to support NHS Scotland’s Test and Protect service, and share these details with public health officers for the purposes of contact tracing when requested.

This measure forms part of the national effort to suppress COVID-19, and support the country to return to a more normal way of life.

Collecting contact details – introduction

The gathering of contact information from visitors by hospitality and night time entertainment businesses, in a secure and safe manner, assists NHS Scotland’s Test and Protect service to identify outbreaks or clusters of cases, contact those who may have been exposed to the virus, and request them to take appropriate steps to prevent potential onward spread. This could involve asking people to self-isolate. To find out more on self-isolation advice for close contacts, please visit NHS Inform.

Maintaining customer records

As progress is made with the vaccination programme and in suppressing the virus, restrictions on hospitality businesses have been eased to allow them to reopen. However, this can only take place with appropriate measures in place to prevent the number of cases rising again. In order to support NHS Scotland’s Test and Protect service, it is mandatory for hospitality and night time entertainment businesses – such as pubs, restaurants, cafes and nightclubs – to gather, record and retain minimal contact information from non-takeaway customers, visitors and staff.

We strongly recommend that settings collect the details of all visitors to premises and not just the lead adult of a household. If premises offer a mixture of a sit-in and takeaway service, contact information only needs to be collected for customers who are dining in.

You can play a significant role in helping your staff and customers to understand the value of NHS Scotland’s Test and Protect service, and the importance of playing their part to identify people who may have been in contact with the virus. Please do this by explaining why you are asking for contact information and encouraging them to provide it. You should also display a notice on your premises and on your website. We have provided a template to help you to do this, though please be aware that some people may need additional support in accessing or understanding this information.

In addition to maintaining and sharing records where requested, you must also continue to follow other government guidance to minimise the transmission of COVID-19 while they are on your premises. This includes maintaining a safe working environment in line with all relevant guidance. 

Collecting customer contact details is now a legal obligation for hospitality premises, and it is important that both premises and individuals cooperate with this requirement, as is crucial to national efforts to suppress the virus. This measure forms part of enabling hospitality businesses to open safely, minimising the risk of the number of infections increasing, and reduce the risk of requiring future restrictions.

The following guidance sets out the contact information that businesses have to gather, and how they should go about this, in order to make it possible to reopen hospitality businesses safely while continuing to suppress the virus.

Sectors this guidance applies to

This guidance applies to any hospitality establishment that provides an on-site service such as pubs, restaurants and cafes. It includes where a service is provided indoors, or outdoors in a designated service area such as a beer garden. As of 9 August 2021, it also applies to nightclubs, dance halls, discotheques and sexual entertainment venues.

It does not, however, apply where services are taken off-site immediately, for example, a food outlet which only provides takeaways. If a business offers a mixture of a sit-in and takeaway service, contact information only needs to be collected for customers who are sitting in.

Registration with the Information Commissioner's Office

In order to gather and store customer information securely, businesses may need to be registered with the Information Commissioner’s Office (ICO). This will be the case if you are using an electronic system to gather and store data.

If your business is already a data controller, you should already be registered with the ICO. A data controller can be any organisation or sole trader who processes personal information such as CCTV, staff or customer details.

However, if you are using an electronic system to store customer data and not already a data controller, or have not already registered as one, you may need to register with the ICO. If you are unsure whether you need to register, please contact the ICO via their helpline on 0303 123 1113, or visit www.ico.org.uk.

The cost of the data protection fee depends on the size and turnover of the business, but for most businesses it will cost £40 or £60. The form will take around 15 minutes to complete. Access the data protection form. The ICO has published its own detailed guidance on collecting customer and visitor details for contact tracing.

Lawful basis for data collection

It will be important to ensure that data is collected and handled in line with data protection laws. As part of this, the Scottish Government has published a template privacy notice alongside this guidance, setting out the terms of how data should be gathered, stored, used and disposed of. The privacy notice is how your business will demonstrate compliance with Article 13 of the General Data Protection Regulation (GDPR) that sets out what information needs to be provided when data are collected from the data subject (visitors to the premises).

The privacy notice can be viewed online and should also be downloaded and made available in each establishment, and online if your premises has a website, so that customers providing details are informed as to what will happen with their data.

The privacy notice sets out the purpose for which the data is being collected, what data is being collected, the lawful basis for doing so, how long the data will be retained, what rights customers have over this data and how to complain to the establishment and the ICO if there is a concern. Customers or visitors phoning to make a booking in your premises must be made aware of the requirement to collect their contact details in support of Test and Protect.

As a controller, each business will be using the GDPR lawful basis under Article 6(1) (c) ‘Legal Obligation’. Where an individual is not willing to provide their data, premises are advised to refuse service, or a booking.

Read the privacy notice.

Read more information on GDPR and how to access GDPR training.

Secure collection, storage and disposal of data

Hospitality businesses that are serving people on their premises – either indoors or in outdoor spaces such as beer gardens – will need to gather minimum contact details from all visitors to support Test and Protect. This only applies to those being served on the premises, and not to activities such as take-away.

Information to collect

The following information should be collected by the venue, where possible:

Staff

• the names of staff who work at the premises
• a contact phone number for each member of staff
• the dates and times that staff are at work

For larger establishments, and where possible, it is also helpful to keep a record of what areas staff work in, e.g. what tables/sections they serve.

Customers and visitors

• the name of each customer, even if they are from the same household. a contact phone number for each customer
• date of visit and arrival and, where possible, departure time

For larger establishments, and where possible, it is also helpful to record table numbers or sections where customers were seated.

If a customer does not have a telephone number, businesses may give customers the option to provide:

• a postal address

• an email address

How to collect data

We urge all premises with the means to use the free ‘Check-in Scotland’ digital product. All guidance and a user toolkit can be found at: Check-in Scotland - mygov.scot

For those premises who are not able to use this facility then it is still a legal requirement that you record the contact details of those visiting your premises and the guidance here will help you do that.

Contact details are strongly recommended to be collected by premises for each customer or visitor, upon their arrival, or prior to their arrival where booking in advance allows. Many businesses that take bookings already have systems for recording their customers – including restaurants and hotels – which can serve as the source of the information above. This could include taking bookings online or over the phone.

If not collected in advance, this information should be collected at the point that customers enter the premises. Customers will need to be informed of the need to provide information upon their arrival and the purposes for which it will be used. The resources published alongside this guidance include a poster that can be put up in an establishment to alert customers to this need, and copies of the template privacy notice which should be displayed to inform customers of how their information will be used and protected. There may also be instances where it is necessary to also explain to visitors the content of the privacy notice, e.g. where bookings are taken over the phone.

Information should be recorded digitally if possible, but a paper record is acceptable too. Writing customer details in a book or register and destroying these when the retention period is over is acceptable so long as the register is kept out of public sight and stored securely. Similarly, digital records must be securely deleted at the end of the 21 day retention period. Staff need to be identified and appropriately trained for this.

To minimise the risk of virus transmission, and any likelihood of other individuals having access to personal data during this process, any written information must be noted/recorded by a designated member of staff and not by each individual customer/group.

The ability to record departure times where possible, as well as arrival time (including staff shift times) is important to reduce the potential number of customers or staff needing to be contacted (and potentially asked to self-isolate) by NHS Scotland’s Test and Protect service, although it is acknowledged that in certain circumstances this may be more difficult.

If someone does not wish to share their details

When individuals share their contact details for this purpose, it will support NHS Scotland’s Test and Protect service to control the spread of the virus and therefore we are asking that people continue to play their part. You must encourage the individual to share their details in order to support NHS Test and Protect and advise them that this will only be used in the event of an outbreak or if a number of new cases are tracked back to the premises. Their information will then be used to inform them if they may have been exposed to a positive case or cases.

It is also within the rights of individuals to request to access the data held on them, or to request that it is corrected. In those circumstances, businesses should comply with such requests.

There is no legal requirement that individuals must provide their data for NHS Test and Protect purposes. However, if the individual still does not want to share their details then premises should refuse to offer the service requested. Employers should make clear to their employees the approach that they wish them to take in these circumstances.

How to store data securely

Once customer details have been gathered, the business will be the data controller, and the data must not be shared with individuals or organisations other than public health officers. All customer data should be stored securely and in accordance with the requirements of the GDPR. 

You should hold records for at least 21 days from the date of each separate visit of a staff member or customer. This will ensure full cover of the typical incubation period and additional time during which people may be infectious, whether after symptom onset or not, to allow for testing and contact tracing.

Following this, subject to any other lawful obligation to retain it, the data will normally no longer be required to be held by the business and must be disposed of securely.

If data is shared with public health officers on the basis of individuals being identified as at risk of being close contacts by the Test and Protect service, public health officers including NHS Scotland may need to retain the data for longer than the 21 day period and will hold the data in line with NHS information governance processes. NHS Scotland may also need to share information with other local and statutory delivery partners as part of responding and containing the virus, such as Local Authority Environmental Health Departments. In enforcing this regulation, it is also possible that Environmental Health Departments may request to see an establishment’s data, collected for these purposes, only to ensure compliance with the regulation, and not to process the data in any other way.

Read more information about the NHS Scotland information governance arrangements. 

How to dispose of data

Subject to the paragraphs above, after 21 days data should be disposed of securely.

If you are using a paper register then pages can be removed daily after the 21-day retention period is over and destroyed through secure shredding or other destructive process. Where IT systems are used, establishments will need to ensure that data provided for Test and Protect is deleted and not retained beyond the stated period. The data should not become part of a wider marketing or other resource otherwise used in contravention of the GDPR.

How the data will be used

Information will principally be shared with public health officers to carry out contact tracing as part of the Test and Protect service and for epidemiological purposes linked to infectious disease control, and will not be available to the Scottish Government. In certain circumstances, NHS Scotland may share the data with key delivery partners, under appropriate data sharing arrangements.

The contact tracing service would use the information provided by a business, relevant to a positive case’s whereabouts during the infectious period, to inform the process of identifying close contacts where this is a risk of infection. There is no circumstance in which establishments should use the data to directly contact visitors, customers or staff, even in the event of a known outbreak within premises. Health protection teams will decide on a case-by-case basis on what follow-up action to take. Depending on the circumstances and the length of time that has elapsed, this could include arranging for people to be tested, asking them to take extra care with social distancing and/or – in some circumstances – asking them to self-isolate. In doing so, the intention is that the risk of onward spread of the virus will be greatly reduced, enabling as many people and businesses as possible to continue operating safely. However, the option to close the premises temporarily remains for the Health Protection Team to determine, depending on the risk assessment of the situation.

When information should be shared

If cases of COVID-19 detected that have a link to a business, NHS Scotland may contact the business by phone to request staff and customers’ details to allow contact tracing to take place. The NHS Test and Protect service has a number of mechanisms in place to reassure people contact tracers are legitimate, including call back options, visible numbers, and specific location and date information.

Establishments must share the information of staff and customers with NHS Scotland as soon as possible, but in any event within 24 hours if asked to do so.

Contact tracers will NEVER:

• ask you to dial a premium rate number to speak to them
• ask you to make any form of payment, including a charitable donation
• ask for any details about your medical history that are unrelated to COVID-19
• ask for any details about your bank account
• ask for your social media identities or login details, or those of your contacts
• ask you for passwords or PINs, or ask you to set up any passwords or PINs on the phone
• ask you to purchase a product or attempt to sell you anything
• ask you to download any software to your device or ask you to hand over control of your PC, smartphone or tablet

NHS Scotland will ask for these records only where it is necessary, either because someone who has tested positive for COVID-19 has listed a premises as a place they visited during the infectious period of the illness, or because a premises has been identified as the location of a potential local outbreak of COVID-19. Establishments should not share this information with anyone else.