Contact tracing poses a data problem for hotel groups

At the start of the Covid pandemic, many countries made it mandatory for hotel companies to record the personal data of guests, visitors and employees, to help their contact tracing programs. But it also made these companies liable for the collection, processing and safe storage of sensitive personal data – and liable to fines if mishandled.

For employees without a comprehensive understanding of data protection, this was a “very big ask”, says Jake Moore, adviser to internet and anti-virus company ESET.

“Data breaches happen all the time, and many businesses struggle to stay on top of how to protect their data,” Moore says.

He points out that in Britain – despite the threat of fines of up to £18 million from the Information Commissioner’s Office (ICO) – “many organizations still don’t know how to protect data from malicious hackers, as well as against non-malicious employees. Error.”

Smaller hospitality venues, in particular, have felt pressure to provide contact tracing details while protecting privacy. Bharat Mistry, CTO of cybersecurity software maker Trend Micro, said many such sites “probably have flouted responsibility” for storing data securely, prioritizing “survivability over good digital hygiene. He blames financial constraints, low awareness and skills gaps.

Contact tracing was particularly challenging for smaller merchants because they likely had “little or no experience” handling and securing sensitive data, says Chris Weston, director of CIO Advisory at market analytics firm IDC. .

“We’ve seen multiple instances of employees using contact tracing data to contact people inappropriately,” he says. Another problem was that “people who felt uncomfortable filling in data on a form used fake ‘Mickey Mouse’ or ‘Donald Duck’ style names, which would rarely be challenged”.

Restaurant Glyn Clydach & Loft, an independent hotel and restaurant based in South Wales, was one of many small hospitality businesses that had to adapt to contact tracing regulations. It made significant changes to its operations, creating new data collection policies and training staff to implement them.

© Jeff J Mitchell/Getty Images

“We had to put in place a policy for collecting, storing and destroying information,” explains Claire Harris, HR manager. Shift supervisors were trained on how to request the information, which was stored in a secure location and then destroyed after 21 days. “The costs associated with this would include staff time for training and administration,” says Harris.

Government funding has helped many hotel companies cover the costs of implementing these systems. Steve Gardner-Collins, Sales Director of The Hatton Collection Hotel Group, says: “We have used our grants not only for physical changes required during Covid, but for system upgrades to adopt government mandatory requirements. for the sector.

Larger hospitality organizations — with more staff and existing data handling procedures — were better equipped for the privacy requirements of contact tracing, says Peter Gooch, cyber risk partner at professional services consultants Deloitte.

“It could go through. . . ensuring that where people scan in a location, the data is either validated and then not held, or held securely, with appropriate controls in place,” says Gooch. These companies were also more likely to encrypt and control access to data, to ensure it didn’t fall into the wrong hands.

RBH, a hospitality company that runs 48 hotels across the UK, has also trained its staff to identify phishing emails that try to trick people into giving out personal information.

“Our focus on security awareness means that bulletins and letters are sent to employees across the hotel portfolio to impart knowledge about phishing and common fraud and give examples of more subtle attempts to watch out for” , explains Vibhu Gaind, chief information officer of RBH.

The company has also spent money – investing in antivirus software to identify cyber breaches, multi-factor authentication systems to validate user identities, and ways to reduce data storage. This “reduced the risks associated with the amount of customer data recorded,” adds Gaind.

As part of its contact tracing efforts, the UK government has provided online advice, meetings, webinars and newsletters to help hospitality businesses understand their obligations.

However, some security experts say it hasn’t gone far enough to support companies that have never collected or stored personal information before.

top shot of restaurant tables being cleaned by male staff
© Dan Kitwood/Getty Images

“Advice from regulators for these people was definitely lacking,” says Weston. “The ICO hadn’t produced a lot of advice at the time it [Test & Trace] was being rolled out, and it was unclear for sites how to access it.

Now, with much less focus on contact tracing, some hospitality companies don’t know what to do with all the data they’ve collected for this purpose.

Alexandre Santamaria, founder of bar and restaurant development company Aware Hospitality, says: “For small operators, the focus was on survival and not on long-term strategies around data management. It would make sense for the government to now give all of us support on how to manage this data. »

£18 million

Maximum fine that can be imposed by the UK Information Commissioner’s Office for breach of data regulations

Under the General Data Protection Regulation, companies must only collect accurate and necessary data and must ensure that it is processed and stored securely. Lilian Tsang, data protection specialist at Harper James Lawyers, says hospitality companies should remember these principles even when contact tracing ends.

“Now, collecting data for contact tracing is less relevant, so customers might legitimately wonder why their data is being stored,” she says.

And when the data is no longer needed, companies should “securely delete” it, advises Tang. They “may find it a good idea to set retention periods for contact tracing data and deletion reminders,” she adds.

If hotel companies fail to remove this data from their systems and suffer cyber breaches in the future, they risk reputational damage and lawsuits, as well as hefty fines.

“The moral of the pandemic in terms of data collection policies should be safety first,” Tsang concludes.

Comments are closed.