Pubs and restaurants left guessing after being told to collect customer data as lockdown eases

A privacy pickle as the pandemic lockdown lifts in England.

Graham Cluley
@gcluley

The UK Government has announced that it will be easing the Coronavirus lockdown on July 4th.

Amongst other changes, restaurants, pubs, and cafes in England will be allowed to reopen provided that they follow guidelines to help prevent the spread of the Coronavirus.

According to the UK Government’s own advice, these include “keeping a temporary record of your customers and visitors for 21 days.”

The opening up of the economy following the COVID-19 outbreak is being supported by NHS Test and Trace. You should assist this service by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your business, and assist NHS Test and Trace with requests for that data if needed. This could help contain clusters or outbreaks. Many businesses that take bookings already have systems for recording their customers and visitors – including restaurants, hotels, and hair salons. If you do not already do this, you should do so to help fight the virus…

In other words, in just ten days thousands of restaurants, bars and pubs are expected to start collecting the details of their customers and visitors.

Wouldn’t it be nice to think that this information will be collected carefully, stored securely, and ultimately properly destroyed, in a way which doesn’t breach GDPR regulations?

And yet, for now at least, the UK Government isn’t telling businesses how on earth they should do this.

Sign up to our newsletter
Security news, advice, and tips.

And cafes and restaurants have probably got enough on their plate already, trying to reconfigure their premises and working methods to follow social distancing guidelines, without also having to get their head around data protection and privacy challenges.

Restaurants, pubs, and cafes are also not being told what information they should be collecting from their customers.

Let me say again, just ten days.

The UK Government’s advice acknowledges that firms might need some help:

We will work with industry and relevant bodies to design this system in line with data protection legislation, and set out details shortly.

I understand that there’s a global pandemic going on, and not everything is going to be perfect.

But it’s not as though it’s a surprise to anybody that at some point the lockdown would begin to be lifted – and that restaurants, pubs, and cafes would begin to reopen slowly. Was there no plan already being worked on?

Giving so little notice to the hospitality industry puts them in a privacy pickle, even if the UK Government does serve up advice for how this data should be collected and secured before July 4th, I doubt that many companies will be doing it properly.

Of course, security and privacy are not going to be the only challenges…

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.