Information Commissioner's Office
Data protection guidance for collecting customer information
The Information Commissioner’s Office (ICO) has published data protection guidance for organisations mandated to collect customer and visitor information.
As of Friday (18 September 2020), the UK Government has made it mandatory for all businesses in the hospitality sector, leisure and tourism sector and close contact businesses, such as barbers and beauticians, in England to collect customer information for the test and trace programme.
The Scottish and Welsh governments have also mandated certain organisations to ask for customer and visitor information.
This does not need to be complicated.
The ICO is advising organisations across the UK to follow five simple steps so they handle people’s information responsibly. Organisations must:
- Only ask people for the specific information that has been set out in government guidance;
- Be clear, open and honest with people about what is being done with their personal information;
- Keep people’s data secure. Organisations should not use open log books, and should ensure their customers’ personal information is kept private;
- Not use the personal information collected for contact tracing for other purposes, such as direct marketing, profiling or data analytics; and
- Erase or dispose of the personal information collected after 21 days.
Organisations do not have to ask people for their information if individuals are using a contact tracing app to check into venues.
Organisations should not make the use of contact tracing apps mandatory, and should give people options to give their details for contact tracing purposes.
The ICO has developed clear examples and case studies that organisations can use to ensure they are collecting customer information securely and complying with data protection law.
Ian Hulme, ICO’s Director of Assurance, recently said:
“We appreciate the challenge that many businesses face, particularly those that are handling personal data in this way for the first time. Our aim is to help the thousands of businesses that are doing their best to do the right thing. We want to support and guide them to handle people's data responsibly and keep it safe and secure.”
Kate Nicholls, CEO of UKHospitality, recently said:
“There is now an even greater need for hospitality businesses to focus on test and trace. It’s critical that data protection is at the heart of all of our efforts. We know organisations have a lot to think about during this time and we are keen that the ICO guidance is well publicised and well understood.”
The ICO is here to help – please visit our data protection and coronavirus information hub for advice. For more help, call us on 0303 123 1113.
Notes to Editors
- The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO, telephone our helpline on 0303 123 1113 or go to ico.org.uk/concerns.