Contact tracing and data protection: What the hospitality industry needs to know
In June, the Government launched their contact tracing scheme which, equipped with 25,000 NHS contact tracers, aimed to track 10,000 new cases of COVID-19 a day. This works by speaking to those infected by the virus and obtaining information of anyone they have been close to for sustained periods while allowing the person to remain anonymous. The contact tracers will then contact those at high risk and request they self-isolate for 14 days – if they do not develop symptoms during this time, they will be given the ‘all-clear’.
At this time, it was expected that a track and trace app would shortly follow, but this has since been delayed when the Government admitted the app was “flawed” and switched to a model being developed by Apple and Google.
Reopening of pubs and restaurants
On 4 July, pubs, cafes and restaurants were given the all-clear to allow customers within their premises within the Government guidelines. As part of this, these businesses have been asked to take their customers’ details to assist the current track and trace scheme. This should include their name, contact number, date and time of visit and departure and the staff member they interacted with if applicable.
This measure is currently voluntary, and customers can choose to opt-out of giving their information if they wish. If they request that you don’t share their details with the Test and Trace scheme, you are obliged to adhere to this request but should make it clear that they are encouraged to do so.
Maintaining Test and Trace records
All records that a business obtains should be held for a minimum of 21 days to align with the incubation period of the virus. After this time, the information no longer needs to be stored. The data collected should comply with General Data Protection Regulation (GDPR). Although you are not required to seek consent from every person as to whether the information can be shared with the Test and Trace scheme, you do need to make it clear what the information will be used for. This can be displayed on your website and/or at your premises.
You cannot use the information collected for any other purposes than sending it across to the Test and Trace scheme. So, if you use the information for marketing or analysis purposes at a later date, you will be in breach of GDPR.
Securing physical and online data
You are responsible for the data that you collect and will be held accountable in the event of a data breach. To avoid this from occurring, you need to take the necessary steps to ensure that the information you store is secure. To help you get this right, The Information Commissioners Office (ICO) has posted five simple steps you can take to better protect your customer and visitor details over this period as well as what you should consider when collecting these.
What happens in the event of a breach?
In the event of a data breach, your business could be at risk of fines and potential lawsuits if the breach is found to be caused by negligence. You have a duty to keep records physically and electronically safe and should ensure you have adequate cybersecurity measures, including staff training, in place.
Despite the best intentions, mistakes can and will be made and it’s worth preparing your defence now against the possibility of something going wrong. During the coronavirus pandemic, the risk of a cyber-attack has risen due to opportunist criminals targeting businesses as they’re vulnerable and adapting to new technologies and processes. With Cyber Insurance, you can better protect your business against cybercrime, covering you in the event that sensitive information is accidentally shared.
What does Cyber Insurance include?
Cyber Insurance helps aid your recovery after a cyberattack, including restoring systems, mitigating reputational damage, cyber extortion and loss of data. To learn more about the full extent of features you can benefit from with the tailored Cyber Insurance policy, just get in touch on 01244 345076.