Collecting contact details for NHS Test and Trace

The Government requires businesses in designated sectors to support the NHS Test and Trace service by keeping a temporary record of all staff working, customers and visitors for 21 days. Paul Clarke reviews what this means in terms of data collection.

All organisations must support the test and trace service by keeping a temporary record of staff shift patterns for 21 days and assisting NHS Test and Trace with requests for that data if needed. This includes volunteers.

The following sectors, whether indoor or outdoor must also request contact details from staff, customers and visitors, and display the official NHS QR code poster:

  • hospitality, including pubs, bars, restaurants and cafés

  • tourism and leisure, including hotels, museums, cinemas and amusement arcades

  • close contact services, including hairdressers, barbers and tailors

  • local authority facilities, including community centres, libraries and village halls.

Note that you do not have to request details if the customer or visitor has “checked in” using the NHS Covid-19 app. Nor for those making deliveries or collections, those under the age of 16 or for individuals who do not have the mental capacity to provide their contact details.

Hospitality venues must take reasonable steps to refuse entry to anyone who does not provide their name and contact details or who has not scanned the NHS QR code.

This does not apply where services are taken off site immediately, eg a food outlet does not need these details for those having takeaways, only customers dining in. Nor does it apply to places of worship.

Name, address and phone number please

A year ago, the request for your contact details when you ordered a drink in the pub would have been met with a bemused stare; now it is almost routine. But exactly what information can businesses request as part of NHS Test and Trace and what are their responsibilities when they have collected these personal details?

The Information Commissioner's Office (ICO) has made it clear that many of the rules it set out when people were getting to grips with the General Data Protection Regulation (GDPR) apply in these changed times. They can be summarised as follows.

  1. Be specific

    Only ask customers to supply the basic information that the Government has highlighted in its instructions with regard to Track and Trace; name and contact details of every customer or visitor (not just the lead member of the group), together with the date and time they were on your premises should be sufficient. Contact details would be a phone number or, if that is not available, an email address, or otherwise a postal address. On duty police officers or emergency workers are exempt.

    The ICO has advised against asking for proof of identity unless that is standard practice (as with checking ages in a pub).

  2. Be transparent

    There should be no mystery about the process and businesses simply need to explain why they need the information and what they will do with it. This could be by way of a notice, a note on their website or word of mouth (probably all three).

    Businesses taking bookings such as restaurants or gyms should make it clear that this information will also be kept and may be used for contact tracing.

  3. Be careful

    The need to protect data should be obvious to everyone. As the ICO advises, lock it away either physically or digitally and make sure staff are aware of their responsibilities for data security.

    And don't use 123456 as a password (or “password” come to that).

  4. Be single-minded

    The data has been collected for a reason. It is not material for any marketing campaign you may have in mind or for analysing customer habits and demands. It is to be used if there is a rise in infection rates in your locality — no other reason.

  5. Be restrictive

    Only share the information when it is requested by a legitimate public health authority. Ensure that any person/organisation requesting access to the information is genuine and not a scammer.

  6. Be gone

    As with all data, it should be kept for as long as it is needed (21 days) and then disposed of carefully and properly. That means shredding if records are kept on paper and permanently deleted if stored digitally. Don't forget the cloud if you use back-up storage.

These few simple points should answer most questions about collecting contact details but if you need to go into it in more detail, the ICO has provided further help at ico.org.uk.

Finally, be aware that a failure to comply with the legal requirements in terms of collecting details and maintaining records for NHS Test and Trace is punishable by a fine, starting at £1000.