
The Essential Guide to Contact Tracing and GDPR - Everything You Need to Know

14 December 2020

The COVID-19 pandemic has affected every aspect of our lives. Though the planned vaccine rollout offers a welcome light at the end of the tunnel in the coming months, it is likely that measures such as social distancing and tier restrictions will remain part of our daily reality until Spring 2021.

One of the key strategies for managing the virus is the “test and trace” system which, in the UK, is managed by the NHS. In the event of a person testing positive for Covid-19, NHS Test and Trace will seek to contact all persons who may have been in close proximity to them.

In order for NHS Test and Trace to be at its most effective, the government has made it mandatory for defined businesses and organisations to collect the names and contact details of persons visiting their premises.

This is highly personal information, the collection, retention and use of which is subject to strict regulation under the Data Protection Act 2018 and the General Data Protection Regulation (“GDPR”).

It is vital that business owners and managers are fully apprised of their legal obligations in respect of this type of data.

What types of businesses are affected by these regulations?

The types of businesses covered by the regulations include restaurants, pubs, cinemas and beauty salons. Effectively, all hospitality and leisure businesses are required by law to collect contact details.


Under the GDPR a business has to have a lawful basis for collecting personal data. It must further be transparent with its customers as to:

  • Why it is collecting the data;
  • How that data will be used;
  • How long the data will be retained;
  • How customers can obtain copies of their data held by your business.

Given the Covid-19 pandemic, the lawful basis for collecting data will be part of a legitimate interest to assist the UK government to manage and control the spread of Covid-19.

Whose data must I collect?

You are required to collect the data of customers (apart from those under the age of 16 or who are unable to do so for health reasons), staff and volunteers.

You do not need to collect information from police officers, emergency responders on duty or persons delivering to, or collecting from, the premises.

What information must I collect?

You are required by law to display an NHS QR code poster at all entry points of your venue. If your business is using a different QR code system, you are required to move to the NHS Track and Trace QR code system.

The regulations request that you collect the following data from your customers:

  • Name;
  • Contact details (mobile number, or email address if a mobile number is not available);
  • Date they visited your premises;
  • Time In/Out of your premises. This may be difficult to achieve in practice but it would assist NHS Test and Trace to narrow down the list of people they would need to contact.

In England the regulations provide that only the “lead person” of a group need give their details. Where a group visits, you must note the number of people in it.

How long must I retain this data?

The NHS Test and Trace guidelines request that you retain the data for 21 days. This reflects the up to 14-day incubation period for COVID-19 plus an additional 7 days to allow time for testing and tracing.

What form must this data be stored in?

The regulations do not prescribe how the data is to be stored. A handwritten register completed at the door would be sufficient. If you’re a restaurant with an online booking system you will already be collecting this data but you should take care to make your customers aware that the data they provide to secure a booking will also be used for NHS Test and Trace purposes.

My business is not used to handling this type of personal data – how do I keep it secure?

It is vitally important that this information is kept secure. You can achieve this by:

  • Limiting the number of employees who have access to the data;
  • Ensuring that handwritten data is securely locked away;
  • Ensuring that electronic files containing personal data are password protected;
  • Training your staff on how to handle this data and the consequences of misusing it. For example, it is not permissible to use the data collected for marketing purposes.

How do I safely dispose of data?

Once the 21 days have expired you no longer have a lawful basis to retain the data. If it is stored in a hardcopy format (i.e. a door register) you must ensure that it is properly disposed of. You cannot simply put it out with your ordinary refuse; it has to be sufficiently “destroyed” to prevent anyone else being able to “access” the data. The only reliable method of disposing of hard copy documents is to shred them.

Electronic files may be deleted in the normal fashion, though care must be taken to ensure that your trash can is emptied and that any duplicates in cloud-based storage systems are also deleted.

Under what circumstances may I disclose this data to third parties?

If you have collected the data for use by NHS Test and Trace then that is the only organisation to which you can disclose the data. You will be contacted by a member of the tracing team. Unfortunately, and perhaps inevitably, scammers and fraudsters are seeking to exploit this system for criminal purposes. In the event of a call it is sensible to verify that you are in fact speaking to an NHS Test and Trace agent.

An NHS Test and Trace agent WILL:

  • call you from 0300 013 5000;
  • send you text messages from ‘NHStracing’;
  • ask you to sign into the NHS Test and Trace contact-tracing website.

An NHS Test and Trace agent WILL NOT:

  • request you to dial a premium rate number (e.g. 09 or 087);
  • insist that you download software on to your device;
  • ask you to access a website that does not belong to the UK government or the NHS;
  • attempt to sell you products or dispense health advice.

What happens if I find out that a customer has tested positive – should I contact NHS Test and Trace?

The guidance is that you should not contact NHS Test and Trace. You should not seek to contact your customers who you believe may have been exposed. Contact tracing personnel have this responsibility and will make the appropriate assessments and contact the people affected themselves.

This customer has given me an obviously fake name and number

The government guidance is that you are not obliged to verify the information given. However, given the reason you are collecting this information, you may want to consider your admissions policy where customers give obviously fake contact details or refuse to give any details.

This is a tricky area of law as GDPR provides that, as a matter of general principle, you should not deny a person services merely because they do not wish to disclose personal information or consent to its disclosure to third parties. If this is a concern for your business, it would be advisable to consult a GDPR expert who will be able to advise on whether exclusive door policies would be lawfully permissible.

The collection, retention and limited disclosure of personal data has imposed a number of responsibilities on business owners. We hope this article has proved informative about the obligations and potential pitfalls for business owners who are undertaking this type of exercise for the first time.

This article is provided by Burlingtons for general information only. It is not intended to be and cannot be relied upon as legal advice or otherwise. If you would like to discuss any of the matters covered in this article, please contact Andrew Pike or write to us using the contact form below.
