As the pubs open, a huge amount of fuss has been made about the requirement placed on pubs to collect personal data for the purposes of the track and trace system. Local papers and websites buzz with articles that are plainly just law firm press releases, and the LinkedIn Snake Oil Salesmen awoke from their slumber to offer advice to unwary publicans. Some even wondered aloud how pubs would cope with being data controllers for the first time, despite all of them having employees, and most taking bookings and doing marketing.
Guidance from the government sets out what is expected:
“You should assist this service by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your business, and assist NHS Test and Trace with requests for that data if needed. This could help contain clusters or outbreaks.”
The data pubs and restaurants should collect is as follows:
“customers and visitors:
- the name of the customer or visitor. If there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group
- a contact phone number for each customer or visitor, or for the lead member of a group of people
- date of visit, arrival time and, where possible, departure time
- if a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer”
A few interesting questions do arise. The first, which doesn’t seem to have provoked much debate, is whether GDPR applies at all in this situation. if a pub or restaurant stores the data in a spreadsheet or other electronic system, GDPR applies because in the words of Article 2, it is processed by automated means. But what if the pub uses a notebook or index cards to store the data? There’s a strong argument to do that, because it would make it much easier to keep the data separate from other customer data that the pub might have. Moreover, it’s possible that a notebook structured solely in date order doesn’t meet the definition of a filing system, which is a “structured set of personal data which are accessible according to specific criteria“. Certainly, if the Data Protection Act 1998 was still in force, the answer would be no. A date-ordered notebook would fail the ICO’s famous ‘temp test’ (can a temporary member of staff find personal data without searching every page?), and there is out-of-date guidance on the ICO’s website that confirms that chronological storage isn’t a relevant filing system. However, this is the DPA 1998, although the definition of a filing system is very similar in the 1995 Directive and the GDPR. Would date order meet the requirement for “accessible according to specific criteria“? I can’t find the data about Tim Turner without searching every page, but I can see all the named individuals who were in the pub on July 4th, so is that enough?
Given that the ICO isn’t going to touch this with a bargepole, the only way that this might be tested is in the courts. The European Court of Justice has looked at filing systems before in the Finnish Jehovah’s Witnesses case. This was under the old Directive, but they found that the ‘specific criteria’ by which the data are accessed should relate to people. I can’t find the phrase anywhere, but the ICO shorthand used to be ‘structured by reference to individuals’. The Jehovah’s Witnesses’ manual records were structured to keep track of specific people and organise subsequent visits, and so were found to be a filing system. I’m probably unduly influenced by having worked with the DPA 1998 for so long, but my instinct is that if a handwritten record is kept in date order, and not structured to provide easy access to identifiable people, it’s not personal data in the first place, and so no GDPR obligations arise to the publican armed only with a pad and pen (my advice is a nice Lamy or Pilot pen; only barbarians use freebie biros).
But let’s assume that I’m wrong, and the data is personal data captured by the GDPR. I had a conversation with someone on Twitter yesterday who believed that the Data Controller was Public Health England, and that pubs, restaurants and other businesses are data processors on behalf of PHE. He made the point that if this was correct, then none of them would have a contract with PHE, and so there would automatically be a massive data protection infringement. I disagree. The pub owners are under no obligation to process the data – if they participate, they are choosing to do so. If you decide whether and how to gather the data, it strikes me that you have at least some involvement in determining the purposes for which the data is processed. PHE have issued no instructions about the means of the processing (hence pubs and restaurants being able to choose between automated and manual processing). If every venue was a processor, it’s true that PHE would be under an obligation to issue contracts to them all, and they would be liable for every infringement that occurred in an establishment who hadn’t signed up. I’m not saying that this is impossible (the NHS is no stranger to pretending that organisations who have zero choice or input into the purposes and means of processing are data controllers), but I’m more comfortable with the idea that hospitality venues are joint data controllers with PHE. If a pub does something daft with data they have chosen to process, it seems an odd interpretation of the law to hold PHE responsible.
Someone’s going to say vicarious liability, and I’m going to wait for the court case.
Depending on the context, the data collected might look like contact details, but it could easily lead to inferences and risks that the venue needs to take seriously. If I went to the Old Man Pub down the road from me, you wouldn’t infer much about my presence there other than a liking for darts and bright lighting. But if I went to G-A-Y in Manchester, you might reasonably draw conclusions about my sexuality. The venues ought to look after this information very carefully, assuming they didn’t already collect data about these customers. But those people determined to predict a datapocalypse as a result of these measures are leaping several steps ahead. Most venues will take sensible measures to keep this data safe because most people aren’t stupid, and venues that cater to vulnerable clients or those who have heightened concerns about privacy are almost certainly aware of these issues already. The chances that data will be lost or stolen are probably low (especially if they go for a simple spreadsheet or manual record that is stored somewhere safe).
But if something does go wrong, unless it involves significant risk to the customers, the chances of a big data protection enforcement case from the ICO are virtually nil, and despite the lip-smacking enthusiasm of some lawyers, the prospects of lucrative litigation are fairly dry. And with that, I am going to do my civic duty by walking through the rain to the Old Man Pub, getting blind drunk and catching Covid-19 like all patriotic Englishmen should*.
* SPOILER ALERT: I am going to wait for John Lewis to deliver my new Fridge Freezer.