Last reviewed 24 September 2020

The Government requires businesses in designated sectors to support the NHS Test and Trace service by keeping a temporary record of all staff working, customers and visitors for 21 days. Paul Clarke reviews what this means in terms of data collection.

Sectors affected

The following sectors, whether indoor or outdoor, must request contact details from staff, customers and visitors, and display the official NHS QR code poster:

  • hospitality, including pubs, bars, restaurants and cafés

  • tourism and leisure, including hotels, museums, cinemas and amusement arcades

  • close contact services, including hairdressers, barbers and tailors

  • local authority facilities, including community centres, libraries and village halls.

This does not apply where services are taken off site immediately, eg a food outlet does not need these details for those having takeaways, only customers dining in. Nor does it apply to places of worship.

Name, address and phone number please

A year ago, the request for your contact details when you ordered a drink in the pub would have been met with a bemused stare; now it is almost routine. But exactly what information can businesses request as part of NHS Test and Trace and what are their responsibilities when they have collected these personal details?

The Information Commissioner's Office (ICO) has made it clear that many of the rules it set out when people were getting to grips with the General Data Protection Regulation (GDPR) apply in these changed times. They can be summarised as follows.

  1. Be specific

    Only ask customers to supply the basic information that the Government has highlighted in its instructions with regard to Test and Trace: the name and contact details of at least one member of every party of customers or visitors, together with the date and time they were on your premises, should be sufficient. Contact details would be a phone number or, if that is not available, an email address, or otherwise a postal address. On-duty police officers or emergency workers are exempt.

    The ICO has advised against asking for proof of identity unless that is standard practice (as with checking ages in a pub).

  2. Be transparent

    There should be no mystery about the process and businesses simply need to explain why they need the information and what they will do with it. This could be by way of a notice, a note on their website or word of mouth (probably all three).

    Businesses taking bookings, such as restaurants or gyms, should make it clear that this information will also be kept and may be used for contact tracing.

  3. Be careful

    When leading politicians are losing data and huge organisations such as Twitter are being hacked, the need to protect data should be obvious to everyone. As the ICO advises, lock it away either physically or digitally and make sure staff are aware of their responsibilities for data security.

    And don't use 123456 as a password (or “password” come to that).

  4. Be single-minded

    The data has been collected for a reason. It is not material for any marketing campaign you may have in mind or for analysing customer habits and demands. It is to be used if there is a rise in infection rates in your locality — no other reason.

  5. Be restrictive

    Only share the information when it is requested by a legitimate public health authority. Ensure that any person/organisation requesting access to the information is genuine and not a scammer.

  6. Be gone

    As with all data, it should be kept for as long as it is needed (21 days) and then disposed of carefully and properly. That means shredding records if they are kept on paper and permanently deleting them if they are stored digitally. Don't forget the cloud if you use back-up storage.

These few simple points should answer most questions about collecting contact details but if you need to go into it in more detail, the ICO has provided further help at