Tips and taps: good practice for British pubs

Jeremy Phillips

The Information Commissioner’s Office has issued a Data Protection Good Practice Note on the Use of ID scanning devices in pubs and clubs.  The ICO’s guidance seeks to provide “a number of tips to help pubs and clubs use ID scanning equipment in a manner which respects customer privacy and meets the good practice recommendations in the Act”.  The tips are as follows

• You should design display signs and prominently place them close to the entrance of premises explaining simply and clearly why the ID system is in operation and if any sharing with other schemes (such as Pub Watch) is involved.
• You should also explain on the display signs any intended marketing use of customer names and addresses by the club. You should deal promptly with requests not to receive promotional material. You will need clear consent for disclosures of customer details to others for their marketing purposes.
• Handy credit card sized notices can be distributed at the door to reinforce the above messages.
• We understand that scanning equipment is designed not to capture excessive amounts of information. However, scanning operators should make sure they only take relevant information from the documents presented at the door.
• You should restrict access to scanning system records to those whose duties require it. So, door staff will only need to see photograph and name records to perform their duties whereas a manager or supervisor is likely to need access to all record fields, including address.
• You should carefully consider the location and physical security of the scanning equipment, as it is likely to be in close view of customers.
• You should only keep records for as long as there is a reasonable business need to do so. You should regularly delete details relating to those who have not visited the premises for a certain period and you can programme your system to delete records automatically. Over time the age of potential under-age drinkers will no longer be in doubt and you should remove their details. Furthermore, the larger the database the longer it takes to search and retrieve records, so for business efficiency you should carefully manage its size.
• Once verified, you should apply without delay any requests for correction of records (such as change of address).
• You should have procedures in place to handle requests from individuals for copies of their personal information – see our separate guidance checklist for handling requests for personal information (subject access requests).
• ID scanning equipment should have a transactional logging and audit capability to allow regular security reviews to counter any possible system abuse.

Leave a Reply

Your email address will not be published. Required fields are marked *