How should your business collect customer details for NHS Test and Trace?

Blogs 3 Jul 2020

Our guide covers who needs to collect data, how to do it and how to keep it secure.

As part of England’s response to COVID-19, the government is implementing NHS Test and Trace to control the spread of the virus. With effective contact tracing and guidance, it aims to help hospitality, leisure and close contact businesses safely reopen from 4 July.

The government has published a detailed overview of what NHS Test and Trace is and how it works, and the full guidance can be found on their website.

This guidance is for England only. Please visit the government websites for Scotland, Wales and Northern Ireland for more information.

We answer your questions about which businesses are affected, what data you need to collect and how you can stay compliant with GDPR.

Does my business need to collect contact details?

Businesses of all sizes in the following sectors – both indoor and outdoor venues – should collect details and maintain records:

  • hospitality, including pubs, bars, restaurants and cafés
  • tourism and leisure, including theme parks, museums and cinemas
  • close contact services
  • facilities provided by local authorities, such as libraries and leisure centres
  • places of worship

Guidance on collecting contact details applies to on-site services. So, for example, if you offer a mixture of dine-in and takeaway services, you only need to collect contact details for those eating in.

What information do I have to collect?

You should collect the following:


  • Names
  • Contact phone number
  • Dates and times of shifts

Customers and visitors

  • Names, or a ‘lead member’ in the case of a group
  • Contact phone number of customer or ‘lead member’
  • Date of visit
  • Arrival and departure times

Should I be asking for ID?

Whilst someone may provide false information, as long as you are accurately recording information, you are likely to meet your requirements under data protection law.

Unless ID is normally checked, this would not be necessary in the vast majority of circumstances.

How long do I have to keep contact details?

You will be responsible for keeping a record of customers’ details for 21 days to enable NHS Test and Trace to contain local outbreaks if and when they happen.

After 21 days, you should dispose or delete information securely, for example by shredding papers instead of disposing in public bins, or ensuring permanent deletion.

What if someone doesn’t want to give their details?

  • Encourage them to share their details
  • Advise that this information will only be used in the even of an outbreak or if a number of new cases are traced back to your premises

If they don’t want to share their details, but still want to book or use your service, you should make a note not to share details you may need for booking purposes. If you don’t need their details for booking purposes, then don’t collect their details, as there is no legal requirement that individuals provide their data for NHS Test and Trace purposes.

However, you may feel it’s important to collect this information for the safety of your staff and other customers. It’s your decision whether to make services or bookings available to that person in these circumstances.

How should I record this data?

Your business may already collect customer data – such as through online booking systems or table service apps. These systems are encouraged wherever possible. However, your business can use any logging system that works best for you, whether digitally or on paper, as long as you remain GDPR compliant.

If this information is not collected in advance, it should be collected upon arrival. Your business should collect the necessary information to reduce the risk to your staff, customers and visitors, but it’s not a legal requirement.

You could use:

  • Booking systems
  • Diaries
  • Calendars
  • Spreadsheets

How do I stay compliant with GDPR and data protection?

Personal data, such as contact details, must be handled in accordance with GDPR to protect the privacy of your staff, customers and visitors.

You don’t need to ask for consent, but you should:

  • Make it clear why the information is being collected
  • Bring attention to your customers when booking that information may also be shared with NHS Test and Trace
  • Explain what you intend to do with it

Personal data you collect only for NHS Test and Trace purposes must not be used for any other purposes, such as marketing, profiling, analysis or other purposes unrelated to contact tracing.

Your staff, customers and visitors must still be able to exercise their data protection rights.

Read our guides on GDPR compliance and data protection for more information.

How can I keep data safe?

You should have appropriate safety measures in place to protect customer contact information, for example:

  • Ask customers to complete a form and put it into a locked box
  • Use secure measures to protect paper records, such as in a safe or in sight of CCTV
  • Make sure your staff know what they should and shouldn’t do
  • Limit staff access to only those who need access to logs
  • Check your approach to cyber security

What if a staff member, customer or visitor test positive?

They must follow the advice that will be provided by NHS Test and Trace. If there is more than once case associated with your workplace, you should contact your local health protection team to report the suspected outbreak.

They will:

  • Undertake a risk assessment
  • Provide public health advice
  • Where necessary, a multi-agency incident management team will be established

Your staff will be included in the risk assessment and the local public health experts will advise what they should do. You should support workers who need to self-isolate and must not ask them to attend the workplace.

How do I know I am being contacted by NHS Test and Trace and not fraudsters?

Contact tracers will:

They will never:

  • ask you to dial premium rate numbers
  • ask you to make payments
  • provide any details such as bank accounts, passwords, PINs, social media logins, medical information or protected characteristics
  • ask you to download software
  • hand control of your device to someone else
  • ask you to access websites that don’t belong to the government or NHS
For the latest news, advice and guidance, visit our coronavirus hub.

If you’re in doubt about how to deal with customer data and how to store it safely online, our cyber security experts are here to support you.


FSB Cyber Protection

Providing access to both an advice line and a limited insurance designed to support and protect your business at no extra cost.

Find out more