Huddersfield business reveals how paper track and trace systems could be putting your data at risk

With many Brits reluctant to download the NHS Track and Trace app, many hospitality businesses were forced to offer paper forms to comply with the COVID-19 rules. To support the NHS track and trace system, these records should be held for 21 days before securely disposing of them (1). If data is not disposed of correctly, businesses are potentially breaking GDPR guidelines.

With this in mind, experts from confidential shredding and records management company Go Shred have delved into how paper track and trace data has been stored in hospitality venues, how the data could be used against customers, and offer tips for hospitality businesses to dispose of these records correctly.

From August 2020 to August 2021, there has been a 354% increase in Google searches for the term “GDPR Covid” in the UK. There has also been a staggering 194% increase in searches for “GDPR breaches” in the UK. This highlights the concerns people have about how their personal data is being handled when left in hospitality venues, such as restaurants.

Taking the voices of hospitality businesses into consideration, Go Shred spoke to employees that work in hospitality, asking questions on how they managed obtaining and storing their customer's information, whether they felt comfortable doing this and whether government guidance on taking, storing and disposing of the information was clear and easy to follow.

Nikolas Opacic, owner of restaurant Seven 54 in Manchester, said: “In order to make things easier for our guests, we logged everything on paper form. However we did encourage many of our guests to use the track and trace app as much as possible. We were more than happy to log down details for our older customers who were not as tech savvy. Our customers are like family, so we felt very comfortable asking for their details. Many guests offered before we even asked.

“We’ve always been used to data protection from taking on-line bookings, it comes with working in hospitality. So thankfully we were quick to adapt and ensure our customers data is and always is kept safe and secure.

“We were surprised how quickly customers adapted to being asked for their details, it just shows how excited people were/are to get back out and enjoying themselves. Two extra minutes to write down your details or use the app, means people can socialise again and come back to their favourite restaurants and bars. If track and trace has been an inconvenience, it’s an inconvenience we are happy to have in order to open our doors again.”

When asked about whether the government was clear for hospitality businesses, Nik added: “Let’s be honest the government hasn’t been clear a lot of the time during this pandemic and left a lot to the imagination but we’ve made sure to follow guidelines as best as we can. In terms of track and trace, the idea behind it has been simple, but what happens to that data and how it’s being used is a little unclear. We’ve done our part, ensured our customers details have been taken and everyone is safe. That’s all we can do!”

Go Shred also delved into how many personal records each hospitality business could have taken and kept on premises between 12th April 2021 and July 19th 2021 when restrictions were lifted. If each hospitality business had 50 customers a day completing a paper track and trace form, they would have a staggering 4,900 personal details on file.

For large food chains such as Nandos, where around 800,000 people eat every week (2), the figures would be over 11 million (11,200,000) personal track and trace details for the same time period.

Mike Cluskey, managing director at Go Shred said: “Hospitality businesses have been given a lot of responsibility to manage their customers' private data correctly, and it's extremely important these businesses continue to recognise the accountability they uphold.

“Hospitality managers need to ensure they handle private customer data with care and due diligence. The first step in doing this is making all employees aware of government guidance and GDPR guidelines, such as ensuring that customer records are kept in a locked safe or office that has restricted access, and keeping records away from a bar or till.

“In terms of record disposal, hospitality venues need to follow Government guidance and dispose of the records after 21 days. To do this securely, hospitality workers should use a confidential records and management company that will shred records correctly and then place them in a confidential waste bin. Working with a professional shredding company like this, businesses can be sure they are minimising any risks of data breaches which could lead to a potential fine.

“When the track and trace system came into action, with the option to use paper records, we were surprised with the lack of Government guidance given to hospitality businesses on how to handle and dispose of these paper records correctly. With hospitality businesses facing this responsibility for the first time, it would have been instrumental for them to have a clear guide on how to handle this data and what disposal methods they should be using.”

To find out more about staying GDPR compliant when handling customer track and trace records, please visit: https://www.goshred.co.uk/go-shred-blog.html