Information Commissioner's Office
Data protection guidance for collecting customer information
The Information Commissioner’s Office (ICO) has published data protection guidance for organisations mandated to collect customer and visitor information.
As of Friday (18 September 2020), the UK Government has made it mandatory for all businesses in the hospitality sector, leisure and tourism sector and close contact businesses, such as barbers and beauticians, in England to collect customer information for the test and trace programme.
The Scottish and Welsh governments have also mandated certain organisations to ask for customer and visitor information.
This does not need to be complicated.
The ICO is advising organisations across the UK to follow five simple steps so they handle people’s information responsibly. Organisations must:
- Only ask people for the specific information that has been set out in government guidance;
- Be clear, open and honest with people about what is being done with their personal information;
- Keep people’s data secure. Organisations should not use open log books, and should ensure their customers’ personal information is kept private;
- Not use the personal information collected for contact tracing for other purposes, such as direct marketing, profiling or data analytics; and
- Erase or dispose of the personal information collected after 21 days.
Organisations do not have to ask people for their information if individuals are using a contact tracing app to check into venues.
Organisations should not make the use of contact tracing apps mandatory, and should give people options to give their details for contact tracing purposes.
The ICO has developed clear examples and case studies that organisations can use to ensure they are collecting customer information securely and complying with data protection law.
Ian Hulme, ICO’s Director of Assurance, recently said:
“We appreciate the challenge that many businesses face, particularly those that are handling personal data in this way for the first time. Our aim is to help the thousands of businesses that are doing their best to do the right thing. We want to support and guide them to handle people's data responsibly and keep it safe and secure.”
Kate Nicholls, CEO of UKHospitality, recently said:
“There is now an even greater need for hospitality businesses to focus on test and trace. It’s critical that data protection is at the heart of all of our efforts. We know organisations have a lot to think about during this time and we are keen that the ICO guidance is well publicised and well understood.”
The ICO is here to help – please visit our data protection and coronavirus information hub for advice. For more help, call us on 0303 123 1113.
Notes to Editors
- The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.
Latest News from
Information Commissioner's Office
ICO fines British Airways £20m for data breach affecting more than 400,000 customers19/10/2020 12:25:00
The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers.
Blog: Engagement key in protecting people’s privacy across the UK during the pandemic14/10/2020 12:25:00
Information Commissioner Elizabeth Denham highlights the positive results of the ICO’s engagement with the UK devolved administrations on the use of data in the fight against COVID-19.
ICO takes action against company for sending spam emails selling face masks during pandemic09/10/2020 12:25:00
A company that sent spam emails selling face masks during the pandemic has been fined £40,000 by the ICO and issued with an enforcement notice.
Statement on the outcome of the ICO’s compulsory audit of the Department for Education08/10/2020 09:10:00
The Information Commissioner’s Office (ICO) has published the outcome of a compulsory audit of the Department for Education DFE carried out in February 2020.
Blog: Elizabeth Denham on the conclusion of the ICO’s investigation into the use of personal data in political campaigning07/10/2020 09:10:00
There can be few cases that better illustrate how mainstream data protection has become than the ICO’s investigation into the use of personal data in political campaigning, including by the now defunct Cambridge Analytica.
ICO launches consultation on draft Statutory guidance02/10/2020 12:25:00
The Information Commissioner's Office (ICO) has launched a public consultation on its draft Statutory guidance, which details how it will regulate and enforce data protection legislation in the UK.
ICO fines company flouting the law in order to profiteer from the coronavirus pandemic25/09/2020 12:25:00
The Information Commissioner’s Office (ICO) has fined Digital Growth Experts Limited (DGEL) £60,000 for sending thousands of nuisance marketing texts at the height of the pandemic.
Open letter from UK Information Commissioner Elizabeth Denham to UK organisations24/09/2020 17:08:00
Open letter from UK Information Commissioner Elizabeth Denham to UK organisations.