As part of England’s response to COVID-19, the government is implementing NHS Test and Trace to control the spread of the virus. With effective contact tracing and guidance, it aims to help hospitality, leisure and close contact businesses safely reopen from 4 July.
We answer your questions about which businesses are affected, what data you need to collect and how you can stay compliant with GDPR.
Does my business need to collect contact details?
Businesses of all sizes in the following sectors – both indoor and outdoor venues – should collect details and maintain records:
- hospitality, including pubs, bars, restaurants and cafés
- tourism and leisure, including theme parks, museums and cinemas
- close contact services
- facilities provided by local authorities, such as libraries and leisure centres
- places of worship
Guidance on collecting contact details applies to on-site services. So, for example, if you offer a mixture of dine-in and takeaway services, you only need to collect contact details for those eating in.
What information do I have to collect?
You should collect the following:
Staff
- Contact phone number
- Dates and times of shifts
Customers and visitors
- Names, or a ‘lead member’ in the case of a group
- Contact phone number of customer or ‘lead member’
- Date of visit
- Arrival and departure times
Should I be asking for ID?
Whilst someone may provide false information, as long as you are accurately recording information, you are likely to meet your requirements under data protection law.
Unless ID is normally checked, this would not be necessary in the vast majority of circumstances.
How long do I have to keep contact details?
You will be responsible for keeping a record of customers’ details for 21 days to enable NHS Test and Trace to contain local outbreaks if and when they happen.
After 21 days, you should dispose of or delete the information securely, for example by shredding papers instead of disposing of them in public bins, or by ensuring permanent deletion.
What if someone doesn’t want to give their details?
- Encourage them to share their details
- Advise that this information will only be used in the event of an outbreak or if a number of new cases are traced back to your premises
If they don’t want to share their details, but still want to book or use your service, you should make a note not to share with NHS Test and Trace any details you may need for booking purposes. If you don’t need their details for booking purposes, then don’t collect them, as there is no legal requirement that individuals provide their data for NHS Test and Trace purposes.
However, you may feel it’s important to collect this information for the safety of your staff and other customers. It’s your decision whether to make services or bookings available to that person in these circumstances.
How should I record this data?
Your business may already collect customer data – such as through online booking systems or table service apps. These systems are encouraged wherever possible. However, your business can use any logging system that works best for you, whether digitally or on paper, as long as you remain GDPR compliant.
If this information is not collected in advance, it should be collected upon arrival. Your business should collect the necessary information to reduce the risk to your staff, customers and visitors, but it’s not a legal requirement.
You could use:
- Booking systems
How do I stay compliant with GDPR and data protection?
Personal data, such as contact details, must be handled in accordance with GDPR to protect the privacy of your staff, customers and visitors.
You don’t need to ask for consent, but you should:
- Make it clear why the information is being collected
- Make customers aware when booking that their information may also be shared with NHS Test and Trace
- Explain what you intend to do with it
Personal data you collect only for NHS Test and Trace purposes must not be used for any other purposes, such as marketing, profiling, analysis or other purposes unrelated to contact tracing.
Your staff, customers and visitors must still be able to exercise their data protection rights.
How can I keep data safe?
You should have appropriate safety measures in place to protect customer contact information, for example:
- Ask customers to complete a form and put it into a locked box
- Use secure measures to protect paper records, such as keeping them in a safe or in sight of CCTV
- Make sure your staff know what they should and shouldn’t do
- Limit access to logs to only those staff who need it
- Check your approach to cyber security
What if a staff member, customer or visitor tests positive?
They must follow the advice that will be provided by NHS Test and Trace. If there is more than one case associated with your workplace, you should contact your local health protection team to report the suspected outbreak.
- Undertake a risk assessment
- Provide public health advice
- Where necessary, a multi-agency incident management team will be established
Your staff will be included in the risk assessment and the local public health experts will advise what they should do. You should support workers who need to self-isolate and must not ask them to attend the workplace.
How do I know I am being contacted by NHS Test and Trace and not fraudsters?
Contact tracers will:
- Call you from 0300 013 5000
- Send you text messages from ‘NHStracing’
- Ask you to sign into the NHS Test and Trace contact-tracing website
They will never:
- ask you to dial premium rate numbers
- ask you to make payments
- ask you to provide any details such as bank accounts, passwords, PINs, social media logins, medical information or protected characteristics
- ask you to download software
- ask you to hand control of your device to someone else
- ask you to access websites that don’t belong to the government or NHS