Contact tracing poses data challenge for hospitality groups
At the start of the Covid pandemic, many countries made it mandatory for hospitality businesses to record the personal details of customers, visitors and employees, to assist their contact tracing programmes. But that also made these companies accountable for securely collecting, processing and storing sensitive personal data — and liable to fines if it was mishandled.
For employees without a comprehensive understanding of data protection, that was a “very big request”, argues Jake Moore, an adviser at internet and antivirus company ESET.
“Data leaks are constantly occurring and many companies are struggling to keep up to date with how to keep their data safe,” Moore says.
He points out that, in Britain — despite the imposition of multi-million-pound fines from the Information Commissioner’s Office (ICO) — “many organisations do not yet know how to keep data protected from malicious hackers, as well as from non-malicious employee error.”
Smaller hospitality venues, in particular, felt the pressure of providing contact tracing details while protecting privacy. Bharat Mistry, technical director at cyber security software maker Trend Micro, reckons many such venues “likely flouted responsibility” for secure data storage, prioritising “survivability rather than good digital hygiene”. He blames financial constraints, poor awareness and skills gaps.
Contact tracing was particularly challenging for smaller traders as they probably had “little or no experience” in handling and securing sensitive data, says Chris Weston, principal of CIO Advisory at market analysis firm IDC.
“We saw several instances of employees using contact tracing data to contact people in inappropriate ways,” he says. A further problem was that “people who felt uneasy filling in data on a form would use fake ‘Mickey Mouse’ or ‘Donald Duck’ style names, which would rarely be challenged”.
The Glyn Clydach & Loft Restaurant, an independent hotel and restaurant based in South Wales, was one of many smaller hospitality businesses that had to adapt to contact tracing regulations. It made significant changes to its operations, creating new data collection policies and training staff in implementing them.
“We had to put together an information gathering, storage and destruction policy,” explains Claire Harris, HR manager. Shift supervisors were trained in how to ask for the information, which was stored in a secure location and then destroyed after 21 days. “The costs associated with this would include staff time for training and administration,” Harris says.
Government funding helped many hospitality businesses cover the costs of implementing these systems. Steve Gardner-Collins, sales director at hotel group The Hatton Collection, says: “We have used our grants not only for physical changes required during Covid but for system upgrades to adopt government mandatory requirements for the sector.”
Larger hospitality organisations — with more staff and existing data handling procedures — were better equipped for the privacy demands of contact tracing, says Peter Gooch, cyber risk partner at professional services consultants Deloitte.
“This could be through . . . making sure that where people scan into a venue, the data is either validated and then not held, or held securely, with appropriate controls in place,” Gooch says. These businesses were also more likely to be encrypting and controlling access to data — to ensure it cannot get into the wrong hands.
RBH, a hospitality company that manages 48 hotels across the UK, also trained its staff to identify phishing emails that try to trick people into disclosing personal information.
“Our focus on security awareness means bulletins and mailers are sent to employees throughout the hotel portfolio imparting knowledge on phishing and common fraud and giving examples of more subtle attempts to look out for,” says Vibhu Gaind, RBH’s chief information officer.
The company spent money, too — investing in antivirus software to identify cyber breaches, multi-factor authentication systems to validate users’ identity, and ways of decreasing data storage. This “reduced the risks associated with the amount of customer data on file”, Gaind adds.
As part of its contact tracing efforts, the UK government provided online guidance, meetings, webinars and newsletters to help hospitality businesses understand their obligations.
However, some security experts say it did not go far enough in supporting those businesses that had never before collected or stored personal information.
“The guidance from the regulators for these people was undoubtedly lacking,” argues Weston. “The ICO hadn’t produced much in the way of guidance at the time it [Test & Trace] was being rolled out, and it wasn’t clear to venues how to access it.”
Now, with much less emphasis being put on contact tracing, some hospitality businesses are in a quandary about what to do with all the data they collected for the purpose.
Alexandre Santamaria, founder of bar and restaurant development company Aware Hospitality, says: “For small operators, the focus was on survival and not on long-term strategies around data management. It would make sense for the government to now give us all support on how to handle this data.”
Under the General Data Protection Regulation, businesses should collect only data that is accurate and necessary for a stated purpose, keep it no longer than that purpose requires, and ensure it is processed and stored securely. Lillian Tsang, data protection specialist at lawyers Harper James, says hospitality businesses must remember these principles even as contact tracing ends.
“Now data collection for contact tracing is less relevant, customers might therefore legitimately question why their data is being stored,” she says.
And when data is no longer needed, businesses should be “safely deleting it”, Tsang advises. They “may find it a good idea to set retention periods for contact tracing data and reminders for deletion”, she adds.
If hospitality businesses fail to remove such data from their systems and experience cyber breaches in the future, they risk reputational damage and lawsuits, as well as those weighty fines.
“The moral of the pandemic in terms of data collection policies should be safety first,” Tsang concludes.
This article has been amended since original publication to remove a reference to maximum fines from the Information Commissioner’s Office.