Raising the bar: UK hospitality sector braces for stricter Covid data collection obligations | Fieldfisher

Raising the bar: UK hospitality sector braces for stricter Covid data collection and other obligations



United Kingdom

As ministers and health officials impose tougher rules on bars, restaurants and leisure businesses to help prevent transmission of Covid-19, Fieldfisher privacy, security and information law expert Dr Kuan Hon summarises the collection of contact details, data protection and other obligations facing the hospitality industry.

In light of increased Covid-19 risks, hospitality organisations are now legally required to obtain contact details of customers, whereas previously (see previous blog) this collection was only encouraged by UK government guidance.

The UK government announced this move on 10 September 2020 and issued The Health Protection (Coronavirus, Collection of Contact Details etc and Related Requirements) Regulations 2020 (2020/1005) on 17 September.

These new rules apply in full from 24 September 2020, not only to restaurants, cafes/canteens, bars and public houses/pubs, but also to the leisure and tourism sector (e.g. clubs, hotels, museums, leisure centres), and close contact physical services like hairdressers and sports therapists.

The key changes from our previous blog are that:
  • From a data protection perspective, hospitality services' legal basis for requesting, storing and providing contact details is now a legal obligation, so their signage/privacy notice (see our previous example) must be updated accordingly.
  • Hospitality organisations must "in an appropriate place" display and make available a QR Code, which can be obtained via https://www.gov.uk/create-coronavirus-qr-poster, so that visitors with smartphones can scan the code to "check in" as, or immediately after, they enter – if they have downloaded the government's revised contact tracing app, which the Information Commissioner's Office advised on.
  • No contact details need to be obtained from someone who is just delivering or collecting/picking up, or from police or emergency responders, but they must be obtained from staff, customers and other visitors/guests.
  • The government has set out exactly what details must be requested. Except where the individual concerned has scanned the QR Code (or the organisation has reason to believe that they can't do that for disability/health reasons or that they're under 16), hospitality organisations must ask for name, contact telephone number (failing which contact e-mail address, failing which postal address – in that order), and date and time of entry.
    • With the same exceptions, if people seek to enter in a group, these details must be requested from everyone in the group (in sub-groups of no more than 6 where bigger groups are allowed), or else from a single member in place of the others. The organisation must also record the number of people in the group or sub-group (including anyone who scanned the QR Code).
    • If the hospitality organisation considers that a particular customer, visitor or guest is likely to come into contact with only one of its staff members or volunteers, it must record "in one place" the name of that visitor and staff member/volunteer.
  • Hospitality organisations are legally obliged to refuse entry if the information requested has not been provided or they have reason to believe that the information is incomplete or inaccurate (this obligation applies only to the hospitality sector, not leisure/tourism etc).
  • They must, as a legal obligation, retain, securely, the above details for 21 days (the same period as before, but now enshrined in law), and destroy them as soon as reasonably practicable after that (unless there is another basis on which those details may lawfully be retained – see our previous blog). Meanwhile, they must provide the information to relevant authorities if so requested "as soon as reasonably practicable".
  • Failure to do any of the above without reasonable excuse, including displaying the QR Code poster and recording only one staff member's contact with a visitor, is a criminal offence punishable on summary conviction by a fine, and directors/officers could also be criminally liable if the failure was with their connivance/consent or due to their neglect.
  • Furthermore, police officers and certain other authorised persons are empowered to issue "fixed penalty notices" for these failures (in place of conviction), of £1,000 (£500 if paid early) for the first offence, but increasing in tiers of £1,000 up to £4,000 for the fourth or further offence.

The Regulations last for a year, but will be reviewed in six months to see if they are still necessary.

From a practical perspective:
  • As urged by the government, hospitality organisations must ensure they display the appropriate QR Codes, both because it is required (to avoid a criminal offence) and because it would mean that most visitors' personal data will be recorded by the government, rather than by the organisation, reducing organisations' data protection exposure. Group and "one person only" information will still have to be recorded, however.
  • Similar issues and warnings apply as in our previous blog, in particular regarding:
    • The display of an appropriate but updated privacy notice/sign (see above); and
    • The importance of secure storage and destruction of the recorded information, and purpose limitation – not using the information except for purposes permitted under data protection law (i.e. the GDPR and UK Data Protection Act 2018). While our previous Dos and Don'ts mentioned as an example the possible misuse of contact details by a bartender to get in touch with an attractive customer, this and worse has actually happened in real life, and obviously there are reputational consequences too. So hospitality organisations should not only ensure the physical/technical security of information recorded, but also issue strict instructions to staff (with sanctions) and roll out appropriate staff training.
  • Guidance by the UK Information Commissioner's Office, issued after our previous blog was published, is in a similar vein. For example, the ICO's summary includes:
    • Organisations should not use open log books, and should ensure their customers’ personal information is kept private.
    • Organisations should not use the personal information collected for contact tracing for other purposes, such as direct marketing, profiling or data analytics.

As announced by the government on 18 September, hospitality organisations are also now subject to further "rule of 6" legal obligations under The Health Protection (Coronavirus, Restrictions) (Obligations of Hospitality Undertakings) (England) Regulations 2020 (2020/1008) and The Health Protection (Coronavirus, Restrictions) (No. 2) (England) Regulations 2020 (2020/684 as amended), and not just in relation to contact tracing.

Pubs, cafes, restaurants and any other businesses that serve food/drink on their premises must take "all reasonable measures" to ensure, again on pain of committing criminal offences and with fixed penalty notices in tiers, that they:
  • Don't accept table bookings for a group of more than six (unless an exemption applies e.g. members of the same household);
  • Don't admit persons in a group of more than six, again unless an exemption applies;
  • Don't allow unpermitted "mingling" across groups; and
  • Keep at least two metres between tables occupied by different qualifying groups (or at least one metre if there are barriers or screens between tables or they are arranged with back to back seating or otherwise arranged to ensure that people sitting at one table don't face anyone sitting at another table at a distance of less than two metres, or take "other measures" to limit the risk of transmission of the coronavirus between people sitting at different tables).
Again, these Regulations last for a year, but will be reviewed in six months to see if they are still necessary then.

Much has been said in the media about "mingling" (not defined in the legislation), so we refrain from commenting on that, or on what "other measures" might be sufficient, as its meaning is equally unclear.

Further government legislation or other actions, particularly local action, are expected, and more may well follow if coronavirus cases continue to increase.

Also see UK government guidance:

Dr Kuan Hon is a director in the privacy, security and information law team at Fieldfisher specialising in data protection/privacy/information law. Dr Hon is qualified as an English solicitor and New York (USA) attorney.
