Guidance on collecting customer details and maintaining records of staff, customers and visitors is now available from the ICO.
Businesses that will be required to collect data from their customers include:
- hospitality, including pubs, bars and restaurants (it does not apply to businesses operating a takeaway/delivery only basis).
- tourism and leisure, including hotels, museums, cinemas, zoos, theme parks and close contact services.
- facilities provided by local authorities, including town halls and civic centres for events, community centres, libraries and children’s centres.
- places of worship, including use for events and other community activities.
This guidance applies to any establishment that provides an on-site service and to any events that take place on its premises. It does not apply where services are taken off-site immediately, for example a food or drink outlet which only provides takeaways.
If a business offers a mixture of a sit-in and takeaway service, contact information only needs to be collected for customers who are dining in. It does not apply to drop-off deliveries made by suppliers.
The data that needs to be collected is:
Staff
- The names of staff who work at the premises.
- A contact phone number for each member of staff.
- The dates and times that staff are at work.
Customers and visitors
- The name of the customer or visitor. If there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group.
- A contact phone number for each customer or visitor, or for the lead member of a group of people.
- Date of visit and arrival and, where possible, departure time.
- If a customer interacts with only one member of staff, the name of the assigned staff member should be recorded alongside the name of the customer.
- If you have a large booking, for example, at a restaurant, you only need to collect the name and contact phone number of the lead member of the party. This data needs to be kept for 21 days.
The ICO has also published a statement and a short data protection A,B,C checklist on customer logs: