Last reviewed 6 August 2020

As the economy opens up, the Government requires businesses to support the NHS Test and Trace service by keeping a temporary record of customers and visitors for 21 days. Paul Clarke reviews what this means in terms of data collection.

Name, address and phone number please

A year ago, the request for your contact details when you ordered a drink in the pub would have been met with a bemused stare; now it is almost routine. But exactly what information can businesses request as they gradually reopen and what are their responsibilities when they have collected these personal details?

The Information Commissioner's Office (ICO) has made it clear that many of the rules it set out when people were getting to grips with the General Data Protection Regulation (GDPR) apply in these changed times. They can be summarised as follows.

  1. Be specific

    Only ask customers to supply the basic information that the Government has highlighted in its instructions with regard to Track and Trace; name and contact details together with the date and time they were on your premises should be sufficient.

    The ICO has advised against asking for proof of identity unless that is standard practice (as with checking ages in a pub).

  2. Be transparent

    There should be no mystery about the process and businesses simply need to explain why they need the information and what they will do with it. This could be by way of a notice, a note on their website or word of mouth (probably all three).

    Businesses taking bookings such as restaurants or gyms should make it clear that this information will also be kept and may be used for contact tracing.

  3. Be careful

    When leading politicians are losing data and huge organisations such as Twitter are being hacked, the need to protect data should be obvious to everyone. As the ICO advises, lock it away either physically or digitally and make sure staff are aware of their responsibilities for data security.

    And don't use 123456 as a password (or “password” come to that).

  4. Be single-minded

    The data has been collected for a reason. It is not material for any marketing campaign you may have in mind or for analysing customer habits and demands. It is to be used if there is a rise in infection rates in your locality — no other reason.

  5. Be restrictive

    Only share the information when it is requested by a legitimate public health authority. Ensure that any person/organisation requesting access to the information is genuine and not a scammer.

  6. Be gone

    As with all data, it should be kept for as long as it is needed and then disposed of carefully and properly. That means shredding if records are kept on paper and permanently deleted if stored digitally. Don't forget the cloud if you use back-up storage.

These few simple points should answer most questions about collecting contact details but if you need to go into it in more detail, the ICO has provided further help at ico.org.uk.