Remember Me
mobile nav search mobile nav menu mobile nav tel
purple triangle svg

Coronavirus track and trace: Data handling tips for reopening hospitality businesses

With the easing of lockdown restrictions set to take place on Saturday 4 July for most parts of England, many hospitality businesses will be required to keep temporary records of customers to help with the government’s ‘Track and Trace’ programme.

Below we have provided advice on how businesses such as restaurants, pubs, bars and cafés can limit the risk of contravening data protection laws when handling customers’ data.

Waitress wearing face mask COVID

Prime Minister Boris Johnson announced on 23 June that COVID-19 restrictions are to be eased further on 4 July, with certain hospitality businesses such as pubs and restaurants being allowed to reopen.

Businesses will be expected to adopt measures to limit the spread of the virus, such as limiting the number of customers on the premises at any one time and ensuring social distancing is maintained – see our COVID-19 Business Reopening Risk Assessments for help with this.

As well as this, businesses will also be asked to assist the government’s ‘track and trace’ efforts by collecting personal data from their customers. This requirement will apply not just to the hospitality sector, but to the retail, leisure, education and manufacturing sectors as well.

For many small businesses who are not familiar with data protection responsibilities, this requirement will be yet another challenge to add to the lengthy list of additional regulations and procedures they must put in place to operate during the pandemic.

This additional collection of customers’ personal data will need to comply with the current requirements of UK data protection law – so businesses will need to take it seriously. The Information Commissioner’s Office (ICO) has said that it will take a ‘pragmatic approach’ to enforcing data protection laws during the pandemic, but also confirmed that it will take firm action against businesses and organisations found to be exploiting the health crisis by misusing personal information.

While the obligation of collecting and handling personal data may feel overwhelming for some businesses, there are some simple procedures to follow that will limit the risk of you falling foul of the ICO.


Only collect the minimum amount of information required

To help with the contact tracing effort the only information needed is the customer’s name, contact details (such as phone number and/or email address), and the date and time of their booking/visit. Don’t over complicate matters by requesting more details than are required for the contact tracing process.


Keep your customers informed

It is important to tell your customers why you are collecting their details, as well as what you will do with the information.

You don’t need to go into too much legal detail, just ensure they know that the details will only be used for potential contact tracing purposes and tell them how long you will be storing their data (see below).


Don’t hold on to the data for too long

Although the COVID-19 incubation period is believed to be around 14 days, it is advisable to keep the data for a bit longer to assist with track and trace.

The UK government have asked that businesses should keep a temporary record of customers and visitors for 21 days – so put a procedure in place to ensure all records are deleted or destroyed after 21 days.


Keep the personal data safe and secure

If you are asking people to fill in a form, make sure they are able to do so in privacy. Likewise, if your staff will be asking customers for details verbally, then they should do so somewhere they are unlikely to be overheard.

If you plan to input the data onto a spreadsheet, make sure you use a password-protected computer and limit the number of people who have access to it. When you have finished with the paperwork, dispose of it securely – screwing up a paper record and throwing it into the bin is not sufficient to avoid a potential data breach.


Don’t use the data for anything else

When it has been collected for the purpose of contact tracing, the personal data cannot be used for anything else – such as a general marketing database. If you want to use the data for marketing purposes in the future, then you should make that clear to your customers and they must give their consent before you obtain their personal information.

If you use personal details intended only for contact tracing for marketing purposes, you would be in breach of data protection laws in the UK – and it could cause considerable reputational harm with your customers.


BHIB’s Cyber Risk Specialist, Andy Hall, said:

“We have seen that Cyber incidents can often disrupt businesses of all sizes through data theft, reputational damage, operational downtime, financial loss, and legal action with losses often running into the £000s.  Collecting additional personal data during the coronavirus ‘track and trace’ exercise could certainly increase the cyber risk for businesses, who should make sure the information is stored in a secure way and the requirements of GDPR (the general data protection regulation) are followed to avoid any unpleasant surprises. 

“Cyber insurance is a highly cost-effective way to gain access to the support you need in order to both prevent and respond to cyber events.”

If you would like more information on cyber insurance and risk management, contact Andy Hall on 0116 281 9152 or email on