How should your business collect customer details for NHS Test and Trace?

Blogs 3 Jul 2020

Our guide covers who needs to collect data, how to do it and how to keep it secure.

This content was last reviewed 06 January 2021.

As part of England’s response to COVID-19, the Government implemented NHS Test and Trace to help control the spread of the virus. Because the UK is currently experiencing a public health emergency as a result of the coronavirus pandemic, it is critical that organisations take a range of measures to keep everyone safe.

As of 18 September 2020, it is a legal requirement that relevant businesses in England request, record and keep visitor/customer information needed for the Test and Trace system in England.

The NHS COVID-19 app launched on 24 September 2020 and is available to users in England and Wales. Alongside existing contact tracing measures the app can notify users if they have come into contact with someone who tests positive for coronavirus.

The app allows people to report symptoms, order a coronavirus test and check in to venues by scanning a QR code displayed on a poster at entrances or relevant areas within your premises. 

The app is designed to be an enhancement to the current test and trace scheme and does not replace the requirement to collect customer data. It provides an alternative method for a guest to register the details of their visit.

In England, for people who do not have the app, another method of keeping a contact info log must be available.

In Wales, high-risk businesses must continue to collect all details of staff, customers and visitors, including those who check in with the app.

Businesses in Scotland and Northern Ireland should continue to use their current methods of collecting visitor data.

The Government has published a detailed overview of what NHS Test and Trace is and how it works, and the full guidance can be found on their website.

This guidance is for England only. Please visit the government websites for ScotlandWales and Northern Ireland for more information.

We answer your questions about which businesses are affected, what data you need to collect and how you can stay compliant with GDPR.

Does my business need to collect contact details?

Businesses of all sizes in the following sectors – both indoor and outdoor venues – should collect details and maintain records:

  • hospitality, including pubs, bars, restaurants and cafés
  • tourism and leisure, including theme parks, museums and cinemas
  • close contact services
  • facilities provided by local authorities, such as libraries and leisure centres
  • places of worship

Guidance on collecting contact details applies to on-site services. So, for example, if you offer a mixture of dine-in and takeaway services, you only need to collect contact details for those eating in.

What information do I have to collect?

You should collect the following:


  • Names
  • Contact phone number
  • Dates and times of shifts

Customers and visitors

  • Names, or a ‘lead member’ in the case of a group of up to six
  • Contact phone number of customer or ‘lead member’
  • Date of visit
  • Arrival and departure times

Should I be asking for ID?

Whilst someone may provide false information, as long as you are accurately recording information, you are likely to meet your requirements under data protection law.

Unless ID is normally checked, this would not be necessary in the vast majority of circumstances.

How long do I have to keep contact details?

You will be responsible for keeping a record of customers’ details for 21 days to enable NHS Test and Trace to contain local outbreaks if and when they happen.

After 21 days, you should dispose or delete information securely, for example by shredding papers instead of disposing in public bins, or ensuring permanent deletion.

What if someone doesn’t want to give their details?

  • Encourage them to share their details
  • Advise that this information will only be used in the even of an outbreak or if a number of new cases are traced back to your premises

Hospitality venues must refuse entry to those who refuse to participate.

How should I record this data?

Your business may already collect customer data – such as through online booking systems or table service apps. These systems are encouraged wherever possible. However, your business can use any logging system that works best for you, whether digitally or on paper, as long as you remain GDPR compliant.

If this information is not collected in advance, it should be collected upon arrival. Your business should collect the necessary information to reduce the risk to your staff, customers and visitors.

You could use:

  • Booking systems
  • Diaries
  • Calendars
  • Spreadsheets

How do I stay compliant with GDPR and data protection?

Personal data, such as contact details, must be handled in accordance with GDPR to protect the privacy of your staff, customers and visitors.

You don’t need to ask for consent, but you should:

  • Make it clear why the information is being collected
  • Bring attention to your customers when booking that information may also be shared with NHS Test and Trace
  • Explain what you intend to do with it
Personal data you collect only for NHS Test and Trace purposes must not be used for any other purposes, such as marketing, profiling, analysis or other purposes unrelated to contact tracing.

Your staff, customers and visitors must still be able to exercise their data protection rights.

Read our guides on GDPR compliance and data protection for more information.

How can I keep data safe?

You should have appropriate safety measures in place to protect customer contact information, for example:

  • Ask customers to complete a form and put it into a locked box
  • Use secure measures to protect paper records, such as in a safe or in sight of CCTV
  • Make sure your staff know what they should and shouldn’t do
  • Limit staff access to only those who need access to logs
  • Check your approach to cyber security

What if a staff member, customer or visitor test positive?

They must follow the advice that will be provided by NHS Test and Trace. If there is more than once case associated with your workplace, you should contact your local health protection team to report the suspected outbreak.

They will:

  • Undertake a risk assessment
  • Provide public health advice
  • Where necessary, a multi-agency incident management team will be established

Your staff will be included in the risk assessment and the local public health experts will advise what they should do. You should support workers who need to self-isolate and must not ask them to attend the workplace.

How do I know I am being contacted by NHS Test and Trace and not fraudsters?

Contact tracers will:

They will never:

  • ask you to dial premium rate numbers
  • ask you to make payments
  • provide any details such as bank accounts, passwords, PINs, social media logins, medical information or protected characteristics
  • ask you to download software
  • hand control of your device to someone else
  • ask you to access websites that don’t belong to the government or NHS

For the latest news, advice and guidance, visit our coronavirus hub.

If you’re in doubt about how to deal with customer data and how to store it safely online, our cyber security experts are here to support you.


FSB Cyber Protection

Providing access to both an advice line and a limited insurance designed to support and protect your business at no extra cost.

Find out more