Local councils opening up their commercial services and venues: data protection in the new normal

From today, Monday 12th April, England goes into ‘step two’ of the UK Government “COVID-19 Response – Spring 2021 – Roadmap out of Lockdown”.  With more venues opening up to the public again there is a new data protection challenge for councils that run commercial services and venues.

To quote government guidance “Venues in hospitality, the tourism and leisure industry, close contact services, community centres and village halls must: ask every customer or visitor (over the age of 16) to provide their name and contact details keep a record of all staff working on their premises and shift times on a given day and their contact details keep these records of customers, visitors and staff for 21 days and provide data to NHS Test and Trace if requested display an official NHS QR code poster so that customers and visitors can ‘check in’ using the NHS COVID-19 app as an alternative to providing their contact details adhere to General Data Protection Regulations (GDPR).”

That could well include venues that your council runs.

Whilst using the NHS app would ensure that you don’t need to process additional amounts of personal data, as it’s all held within the app, you cannot enforce the use of it and you must provide an alternative method of collecting this vital tract and trace data.

As with any personal data you must process it in a lawful way and in a manner that will maintain its security, this is what will pose the biggest challenge and the biggest risk.

Let us take the example of a council run community space like a village hall, it is the council that must ensure that the track and trace data is collected, not the users who hire the venue, so the council will now be putting systems in place to do this.

So what happens, well obviously you put up the NHS QR code (https://www.gov.uk/create-coronavirus-qr-poster) and you ask people to use it.  

But as you cannot make that mandatory you also need to give another way for people to give track and trace data, so what’s the simplest solution to the problem?  You hang a clipboard on a nail by the door with a sign in sheet, 25 names to a sheet 10 sheets on the clipboard and job done, right?  WRONG!

In that scenario the 25th person to sign each sheet would be able to see the personal data of 24 other people, plus all the data on all the other sheets. That data could be lost or destroyed which is as bad a problem as the other risk, it could fall into the wrong hands.  

Furthermore, as you should only keep personal data for as long as you need it to do the job you identified when you collected it, you should only be keeping the data for 21 days, unless the NHS track and trace requests it.  

What is your mechanism to purge the no longer needed data on the 22nd day after its collection?  That sheet could have many different days worth of data and unless you are going to go at it every day with a pair of scissors, it will, like as not, cause you to keep data too long or destroy data too soon.

Far better to have a pile of blank sign in forms and a locked box that users of the venue can post them into.  Every day the box needs to be emptied and a system put in place to shred the paper forms on the 22nd day after they were filled in (unless it’s been requested obviously).

The locked box to post contact details into is a very a simple mechanism to solve a problem that is easy to overlook, but overlook it at your peril, someone will notice, I certainly did last year.  

During eat out to help out I lost count of the venues I went into that simply used a multi person sign in sheet on the front door, when I explained to the staff why they should not do that my protestations were met with blank faces or indifference, and why should the staff care, it was their bosses that hadn’t considered the data protection aspect, that there was a clipboard there with hundreds of names, telephone numbers and email addresses just waiting to be swiped and used for nefarious purposes.

Staff and volunteer helpers need to be trained to run your system properly, so that data is collected securely, is not accessible to anyone who wants to look at it or steal it and is destroyed promptly when it is no longer needed.

Don’t forget to be transparent about why you are collecting data, who you might give it too and how long you will keep it, a poster explaining all that hung on that pesky nail will do it.

It’s good to be opening up and I wish everyone the very best as they get going again but amongst all the hard work you will do to get venues ready don’t be let down by a simple clipboard hanging on a nail.

Breakthrough Blog Article by

Share this Breakthrough Blog post: