As businesses in the hospitality and leisure industries are permitted to re-open in England, the Government is asking them to keep a temporary record of their customers and visitors, in order to support NHS Test and Trace. This information will be requested by NHS Test and Trace in the event that someone who has tested positive for COVID-19 lists the business’s premises as a place that they visited recently, or because the premises has been identified as the location of a potential outbreak. This is viewed by the UK Government as a key part of its ongoing response to the virus as the lockdown is lifted.

This article examines the Government guidance published for businesses located in England, in addition to guidance published by the Information Commissioner. Similar Government guidance has been published for businesses in Scotland, but at the time of writing, guidance for Northern Ireland and Wales is under development.

The Government guidance in England applies to businesses such as pubs, bars, restaurants, cafes, cinemas, zoos, theme parks, hairdressers, tailors, places of worship and local authority facilities, including community services, libraries and children’s services. It only applies to those businesses who provide on-site services or events, not where the services are taken off-site immediately, such as a food and drink outlet that only sells takeaway food. However, it does apply to both indoor and outdoor venues.

In its guidance, the ICO emphasises the importance of ensuring that people feel able to share their personal data with confidence, so that they can trust that their data will be kept safe and used properly. It provides 5 clear and simple steps that businesses should take as they start to collect customer and visitor details, and a series of questions and answers that aim to support the Government guidance.

What data should we collect?

The ICO makes it clear that businesses should only collect the specific information requested by Government guidance. In England, this consists of the following details, where possible:

  • Staff – Name, contact phone number and the date and time they are at work;
  • Customers/Visitors – Name and contact phone number (where people visit as a group, details can be limited to the name and contact number for a lead member and the number of people in the group), date of visit, time of arrival and if possible, departure time;
  • If a customer only interacts with one member of staff (e.g. a hairdresser), you should record that staff member’s name alongside the customer’s details.

If these details cannot be collected in advance, they should be collected when the customer or visitor arrives at the premises or, if that will be difficult, at the point of service. You do not need to verify a customer’s or visitor’s identity, unless this is already standard practice for your business (e.g. ID checks in pubs).

What should we tell our customers or visitors?

Businesses must be clear and transparent about why they need this information and what they will do with it. This could be communicated via a notice at the premises or on a website and should include the privacy notice information that is required to be provided under the GDPR[1].

Where a business already has a booking system, it can be used to collect these details, as long as customers/visitors are informed that they will be used for NHS Test and Trace purposes.

Can our customers/visitors refuse to provide their contact details?

Provision of these details by a customer or visitor is voluntary, but the Government asks businesses to explain the reason for collecting this information and to encourage people to provide it. However, if a customer refuses, they should be permitted to opt out.

Do we need to collect consent?

Government guidance states that although businesses will not usually need to obtain the individual’s formal consent in order to collect and retain these details, consent should be sought in sensitive settings. These include a place of worship, a group meeting organised by a political party, trade union, campaign or rights group, or a health support group. This is because the collection of contact details in these contexts could result in the processing of more sensitive ‘special category data’ (such as personal data relating to religion, trade union membership, political opinions or health), which is subject to additional restrictions under the GDPR.

Where consent is sought, it should comply with the GDPR’s strict standards for collecting valid consent. This requires consent to be specific, fully informed, freely given and unambiguous. Where explicit consent is required to process special category data, it should be collected by way of a clear statement from the individual confirming consent to the use of their personal data.

Can we use this data for other purposes?

It is important that businesses that are collecting this data just for NHS Test and Trace do not use it for any other purposes, including direct marketing, profiling or data analytics. All businesses must ensure that the data is not misused in a way that is misleading or which has an unjustified negative impact on the individuals.

Data Security

The data needs to be properly protected by appropriate security measures; where data is captured digitally (in line with the Government and ICO’s recommendations), it should be held securely on a device and where it is kept in paper format, it should be locked away. The ICO advises against using an open-access sign-in book to collect these details, where customer details are visible to everyone.

It is important to provide staff training to ensure that they know how to handle this data in accordance with data protection laws and to keep it secure.

How long should we keep this data?

Government guidance prescribes that the contact details should be retained for 21 days. This is based on the incubation period of the virus, which can be up to 14 days, with an additional 7 days for testing and tracing. After that point, they should be securely deleted or disposed of; paper records should be shredded and digital records permanently deleted, including from the recycle bin or any backup cloud storage. However, if a business already collects this information for other valid business purposes, it can be retained in line with its existing data retention schedule and in accordance with data protection laws.
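The retention rule above is easy to get wrong in a digital register: the 21-day clock runs from the visit date, every copy (including backups) must be purged, and records a business already holds for another valid purpose follow that purpose’s own schedule rather than the 21-day one. The following Python example is an added illustration, not code from the article, the Government or the ICO. It assumes a simple in-memory register with a primary store and a backup copy, a hypothetical `held_for_other_purpose` flag to mark records kept under an existing retention schedule, and treats a record as eligible for deletion once more than 21 days have passed since the visit. All sample records are constructed.

```python
"""Retention check for a digital NHS Test and Trace contact register (added illustration)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Set

# 14-day incubation period plus 7 days for testing and tracing (figures from the guidance).
RETENTION = timedelta(days=21)


@dataclass
class VisitRecord:
    """One customer/visitor entry. Group visits hold only the lead member's details."""
    record_id: int
    lead_name: str
    phone: str
    visit_date: date
    arrival_time: str
    group_size: int = 1
    departure_time: Optional[str] = None   # recorded "if possible"
    staff_member: Optional[str] = None     # set when one member of staff served the customer
    # Hypothetical flag: the business also holds this record for another valid purpose
    # (e.g. an existing booking system) and applies its own retention schedule to it.
    held_for_other_purpose: bool = False


class ContactRegister:
    """Primary store plus a backup copy; both must be purged, as the guidance requires."""

    def __init__(self) -> None:
        self.primary: Dict[int, VisitRecord] = {}
        self.backup: Dict[int, VisitRecord] = {}

    def add(self, record: VisitRecord) -> None:
        self.primary[record.record_id] = record
        self.backup[record.record_id] = record

    @staticmethod
    def is_expired(record: VisitRecord, today: date) -> bool:
        """Test and Trace-only records are kept for the full 21 days after the visit date
        and become eligible for deletion once that period has elapsed (assumed reading).
        Records held for another purpose are left to that purpose's retention schedule."""
        if record.held_for_other_purpose:
            return False
        return today - record.visit_date > RETENTION

    def purge(self, today: date) -> Set[int]:
        """Delete expired records from every copy and return the ids removed."""
        expired = {rid for rid, rec in self.primary.items() if self.is_expired(rec, today)}
        for rid in expired:
            self.primary.pop(rid, None)
            self.backup.pop(rid, None)   # a backup that still holds the data is not "deleted"
        return expired

    def missing_from_backup(self) -> Set[int]:
        """Ids present in one copy but not the other; non-empty means the purge was incomplete."""
        return set(self.primary) ^ set(self.backup)


def demo(today: date = date(2020, 7, 25)) -> ContactRegister:
    """Constructed sample data: three visits of different ages, then a purge run."""
    reg = ContactRegister()
    reg.add(VisitRecord(1, "A. Example", "07700 900001", date(2020, 7, 3), "12:30",
                        group_size=4, departure_time="14:00"))        # 22 days old: expired
    reg.add(VisitRecord(2, "B. Example", "07700 900002", date(2020, 7, 20), "09:15",
                        staff_member="Stylist on duty"))              # 5 days old: kept
    reg.add(VisitRecord(3, "C. Example", "07700 900003", date(2020, 6, 1), "18:00",
                        held_for_other_purpose=True))                 # old, but on own schedule
    reg.purge(today)
    return reg


if __name__ == "__main__":
    register = demo()
    print("remaining:", sorted(register.primary), "backup gaps:", register.missing_from_backup())
```

Run the purge on a schedule (daily is enough, since the period is counted in days) and check `missing_from_backup()` afterwards: an empty result confirms the backup copy was purged in step with the primary store, which is the part a paper-shredding mindset tends to overlook.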

Data subject rights

Data subjects must be able to exercise their rights under data protection laws in relation to this data, such as the right of access or rectification.

How do we know that a request for this information from NHS Test and Trace is genuine?

The Government has also provided guidance on how to recognise a valid request for these details from NHS Test and Trace. Contact tracers will either call from 0300 013 5000 or text from NHStracing. They will never ask you to call a premium-rate number to contact them or ask for any payment.

The ICO states that it appreciates the challenges faced by businesses who are not used to collecting this type of information and it aims to support them to ensure that personal data is handled correctly from the outset. Although the ICO will act where they find serious, systematic or negligent behaviour, their core aim is to help the vast majority of businesses who are doing their best to do the right thing.

For further advice on how to handle contact-tracing details, or any other aspects of data privacy, please contact Francesca Fellowes or another member of our global Data Privacy & Cybersecurity team.

[1] Under Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679