Updated: How should your business collect customer details for NHS Test and Trace?

Blogs 9 Apr 2021

As businesses start to reopen in England, updated NHS Test and Trace guidance has been issued. Our guide covers which businesses needs to collect data, how to do it and how stay secure.


This content was last reviewed 09 April 2021

This guidance is for England only. Please visit the government websites for Scotland, Wales and Northern Ireland for more information.

As part of England’s response to COVID-19, the Government implemented NHS Test and Trace to help control the spread of the virus. As businesses look to reopen, it’s critical that organisations take a range of measures to keep everyone safe.

We answer your questions about which businesses are affected, what data you need to collect and how you can stay compliant with GDPR.

What is NHS Test and Trace and what do I need to do?

It’s a legal requirement that relevant businesses in England request, record and keep visitor/customer information needed for NHS Test and Trace. The Government has published a detailed overview of what NHS Test and Trace is and how it works, and the full guidance can be found on their website.

The NHS Test and Trace app

The NHS COVID-19 app is available to users in England and Wales. Alongside existing contact tracing measures the app can notify users if they have come into contact with someone who tests positive for coronavirus.

The app allows people to report symptoms, order a coronavirus test and check in to venues by scanning a QR code displayed on a poster at entrances or relevant areas within your premises.

The app is designed to be an enhancement to the current test and trace scheme and does not replace the requirement to collect customer data. It provides an alternative method for a guest to register the details of their visit.

  • In England, for people who do not have the app, another method of keeping a contact info log must be available.
  • In Wales, high-risk businesses must continue to collect all details of staff, customers and visitors, including those who check in with the app.
  • Businesses in Scotland and Northern Ireland should continue to use their current methods of collecting visitor data.

Does my business need to collect contact details?

Businesses of all sizes in the following sectors – both indoor and outdoor venues – should collect details, maintain records and display the official NHS QR poster:

  • hospitality, including pubs, bars, restaurants and cafés
  • tourism and leisure, including theme parks, museums and cinemas
  • close contact services
  • facilities provided by local authorities, such as libraries and leisure centres
  • places of worship

You can find a full list of businesses this applies to here. Guidance on collecting contact details applies to on-site services. So, for example, if you offer a mixture of dine-in and takeaway services, you only need to collect contact details for those eating in.

What do I need to do?

Venues in hospitality, the tourism and leisure industry, close contact services, community centres and village halls must:

  • ask every customer or visitor (over the age of 16) to provide their name and contact details
  • keep a record of all staff working on their premises and shift times on a given day and their contact details
  • keep these records of customers, visitors and staff for 21 days and provide data to NHS Test and Trace if requested
  • register for and display an official NHS QR code poster at every entrance to your venue, so that customers and visitors can ‘check in’ using the NHS COVID-19 app as an alternative to providing their contact details
  • adhere to General Data Protection Regulations (GDPR)

You must take reasonable steps to refuse entry to anyone who refuses to participate. Failure to take these steps could result in a £1000 penalty.

You should continue to follow other government requirements and guidance to minimise the transmission of COVID-19, such as maintaining a safe working environment and following social distancing guidelines.

What information do I have to collect?

You should collect the following:

Staff

  • Names
  • Contact phone number
  • Dates and times of shifts

Customers and visitors

  • Name
  • Contact phone number, email or postal address
  • Date of visit
  • Arrival and departure times
  • Name of assigned staff member (for example, a hairdresser)

Should I be asking for ID?

Whilst someone may provide false information, as long as you are accurately recording information, you are likely to meet your requirements. The accuracy of the information provided will be the responsibility of the individual who provides it.

Unless ID is normally checked, this would not be necessary in the vast majority of circumstances.

How long do I have to keep contact details?

You will be responsible for keeping a record of customers’ details for 21 days to enable NHS Test and Trace to contain local outbreaks if and when they happen.

After 21 days, you should dispose or delete information securely, for example by shredding papers instead of disposing in public bins, or ensuring permanent deletion.

What if someone doesn’t want to give their details?

Encourage them to share their details and advise that this information will only be used in the event of an outbreak or if a number of new cases are traced back to your premises.

In England, you do not have to request details from people who check in with the official NHS QR code poster.

How should I record this data?

Your business may already collect customer data – such as through online booking systems or table service apps. These systems are encouraged wherever possible. However, your business can use any logging system that works best for you, whether digitally or on paper, as long as you remain GDPR compliant.

If this information is not collected in advance, it should be collected upon arrival. Your business should collect the necessary information to reduce the risk to your staff, customers and visitors.

You could use:

  • Booking systems
  • Diaries
  • Calendars
  • Spreadsheets

How do I stay compliant with GDPR and data protection?

Personal data, such as contact details, must be handled in accordance with GDPR to protect the privacy of your staff, customers and visitors.

You don’t need to ask for consent, but you should:

  • Make it clear why the information is being collected
  • Bring attention to your customers when booking that information may also be shared with NHS Test and Trace
  • Explain what you intend to do with it

Personal data you collect only for NHS Test and Trace purposes must not be used for any other purposes, such as marketing, profiling, analysis or other purposes unrelated to contact tracing.

Your staff, customers and visitors must still be able to exercise their data protection rights. Read our guides on GDPR compliance and data protection for more information.

How can I keep data safe?

You should have appropriate safety measures in place to protect customer contact information, for example:

  • Ask customers to complete a form and put it into a locked box
  • Use secure measures to protect paper records, such as in a safe or in sight of CCTV
  • Make sure your staff know what they should and shouldn’t do
  • Limit staff access to only those who need access to logs
  • Check your approach to cyber security

What if a staff member, customer or visitor test positive?

They must follow the advice that will be provided by NHS Test and Trace. If there is more than once case associated with your workplace, you should contact your local health protection team to report the suspected outbreak.

They will:

  • Undertake a risk assessment
  • Provide public health advice
  • Where necessary, a multi-agency incident management team will be established

Your staff will be included in the risk assessment and the local public health experts will advise what they should do. You should support workers who need to self-isolate and must not ask them to attend the workplace.

How do I know I am being contacted by NHS Test and Trace and not fraudsters?

Contact tracers will:

  • Call you from 0300 013 5000
  • Send you text messages from ‘NHStracing’
  • Ask you to sign into the NHS Test and Trace contact-tracing website

They will never:

  • ask you to dial premium rate numbers
  • ask you to make payments
  • provide any details such as bank accounts, passwords, PINs, social media logins, medical information or protected characteristics
  • ask you to download software
  • hand control of your device to someone else
  • ask you to access websites that don’t belong to the government or NHS

For the latest news, advice and guidance, visit our coronavirus hub.