Reopened pubs and cafes to collect customers’ personal details

England’s coronavirus lockdown will all but end on 4 July, with the government allowing pubs, restaurants, cinemas, museums and hotels to reopen.

The decision comes after steady progress in mitigating the spread of COVID-19 and the partial reopening of other sectors over the previous six weeks.

But it doesn’t exactly signal a return to business as usual, as heavy restrictions will still be in place. This includes plans for organisations to collect customers’ names and contact details upon entry, and to store them for 21 days.

This information is intended to help these businesses track coronavirus cases and contact people who have come into contact with someone who has been infected. But just how feasible is this plan?

A rushed decision

Allowing the hospitality sector to reopen is a divisive issue, but you can certainly understand the thinking. The UK has been in lockdown for more than three months, and it has finally got the disease under control; as of June 24, there were only 652 new cases – the lowest it’s been in more than three months.

Reopening the likes of pubs and hotels gives people an extra incentive to go outside, spend money and give the economy a much-needed boost. And the fact that it’s the middle of summer, which epidemiologists believe will make it harder for the virus to spread, limits much of the risk.

Yet even if that is the case, you can’t help but feel that the decision was rushed.

The Government’s announcement gives organisations just ten days to prepare for the 4 July ‘Gindependence Day’, and although they might have had plans to make their premises functional while maintaining social distancing, the customer ‘check-in’ requirement will be a major challenge.

How can these businesses be sure that everyone who wanders in has provided their details? And that those details are accurate?

Besides, the Government hasn’t stated what information is required – so you could end up with organisations not collecting enough data to make the process worthwhile.

And how will these places process the information? Remember, with this practice, thousands of organisations will suddenly have much wider data processing requirements under the GDPR (General Data Protection Regulation).

Do you remember the panic organisations faced when the Regulation took effect in May 2018? Now consider that uncertainty bottled into ten days, where the organisation also has to deal with reopening after a three-month closure and handling the safety requirements of a global pandemic.

You could argue that these are exceptional circumstances and let the Regulation’s requirements slide, but that reasoning will look foolish as soon as the first pub suffers a cyber attack or data breach, and hundreds of customers’ personal data is exposed.

Will this actually happen?

Given the criticism this plan has received, we wouldn’t be surprised if the government issues clearer guidance or scraps the data collection plan altogether.

As it stands, it simply appears to be either unworkable or too dangerous. If the country’s track-and-trace app had been ready on time, there would be no issue.

Indeed, New Zealand is already using that technology, with people using scan codes as they go into hospitality outlets to build a ‘digital diary’.

Unfortunately, it doesn’t look as though the UK will have track-and-trace technology until the autumn. Until then, it will be nigh-on impossible to create an accurate picture of who we are interacting with and how the virus is spreading.

All the latest cyber security news and advice 

Do you want the latest advice on how to manage your cyber security risks? IT Governance regularly publishes webinars and green papers, providing free advice delivered by experts. 

You might also want to sign up for our Weekly Round-up, which contains the latest cyber security news, advice and resources, as well as some of the best stories from around the web.

Subscribe to our Weekly Round-up