Dashboard
Dashboard Make a document Ask a lawyer Get guidance Home
Account
Profile information Account settings
Logout
Help
Help Contact us
Explore
Make documents Ask a lawyer Get guidance About us
Account
Sign up Log in
Help
Help Contact us
Make documents
Easily make legal documents
See all documents
Popular business documents
Popular employment documents
Popular property documents
Popular family documents
Terms and conditions Privacy policy Non disclosure agreement Shareholders' agreement
Employment contract Health and safety policy Settlement agreement Consultancy agreement
Tenancy agreement Lodger agreement Eviction notice Declaration of trust
Affidavit Prenuptial agreement Last will and testament Power of attorney
Ask a lawyer
Get quick legal advice from a lawyer
Ask your question
Popular legal topics
Bespoke legal drafting Start a business Startup legal help Run an online business
Hire employees Manage employees Discipline employees Dismiss employees
Rent residential property Rent commercial property Manage rented property Tenant eviction service
Get divorced Apply for probate IR35 status determination advice Settlement agreement advice
Get guidance
Get reliable legal guidance
Read legal guides
Popular business guides
Popular employment guides
Popular property guides
Popular family guides
Make terms and conditions Run a private limited company Types of shares Ending a contract
Overpayment of wages Notice periods Summary dismissal Implied employment terms
Declaration of trusts Legal interests in property Section 21 notices Security of tenure
Affidavits Executing a will Changing your name Getting married
About us
Learn more about Rocket Lawyer
Contact us
Get more information
Pricing
Help
About us
Careers
  1. /gb/en
  2. Legal guides
  3. Data protection for Test and Trace

Data protection for Test and Trace

With the government’s Coronavirus (COVID-19) restrictions lifted across  Britain from 19 July 2021, many organisations may continue to collect customers’ and visitors’ personal data for NHS Test and Trace purposes. Where such personal data is collected, organisations need to make sure they comply with data protection laws. Read this guide to find out more.

Personal data is information that relates to individuals who can be personally identified from that data. It includes, amongst other things, names, addresses (including email addresses) and telephone numbers.

There is a further 'special category' of 'sensitive personal data', which, amongst other things, includes information about physical and mental health or condition and genetics. Sensitive personal data requires extra protection. For more information on personal data and sensitive personal data, read Data protection.

Data processing is any use of personal data (other than for personal reasons) and includes obtaining, recording and storing personal data. For more information, read Processing personal data.

Although it is no longer a legal requirement to display an NHS QR code or request that customers, visitors and staff check-in in England, it is still highly encouraged. 

In order to maintain records of staff, customers and visitors the following sectors should encourage these specific sectors to follow the check-in:

  • hospitality (eg pubs, bars, restaurants and cafés)

  • tourism and leisure (eg hotels, cinemas and arcades)

  • close contact services (eg hairdressers and nail salons)

  • places of worship

  • facilities provided by local authorities (eg libraries and community centres)

For information on the sectors in Scotland and Wales, see the Scottish government website and the Welsh government website.

Organisations should only collect personal data which is necessary to maintain records for contact tracing purposes for those over 16 (in England). Usually, this data is:

  • the name of the person

  • the person’s contact telephone number (if this is not available, ask for an email address and, if this is not available, ask for a postal address)

  • the date of the visit, the time of arrival and, where possible, the departure time

Organisations should also keep a record of all staff working on the premises on any given day, the time of their shift, and their contact details. 

For more information, see the government’s guidance. For information on the data you should collect in Scotland and Wales, see the Scottish government website and the Welsh government website.

Personal data collected for Test and Trace purposes should only be kept for as long as it’s needed. Specific guidance on how long data should be kept is provided by the relevant public health authority (ie England, Wales and Scotland). However, it is generally recommended that the data is retained for 21 days before being disposed of or deleted securely. Care needs to be taken that any such deletion or disposal does not risk unintended access (eg by shredding paper documents and ensuring permanent deletion of electronic files).

If you are collecting customer data for Test and Trace purposes you need to make this clear and inform individuals about the information being collected. 

Organisations should be open, honest and clear about the data they collect and who they will be sharing that data with. You can do this by displaying signs - such as a privacy notice - on-premises, online, or over the phone. 

Organisations should not collect personal data that is misleading, detrimental or outside of what a person would reasonably expect. For example, you should make clear to customers that you are collecting their personal data to have a record of customers visiting your establishment. 

You must not share information that you collected for Test and Trace purposes for advertising or marketing

For more information, read the guidance published by the Information Commissioner's Office (ICO). 

The lawful basis for the collection of customer, visitor and staff personal data will depend on the type of organisation and whether you are required by the government to collect this information. Under data protection law, there are certain lawful grounds for collecting personal data, which include:

  • legal obligation - it is lawful to collect the personal data to comply with the law

  • legitimate interests - collecting data is likely to be in the interests of the individual, the organisation, and the interest of the public health to tackle COVID-19. This applies to most private organisations 

  • public task - it is lawful to process personal data where it is necessary for you to perform a task in the public interest (eg to tackle COVID-19), where the task has a clear basis in the law

For more information, read Processing personal data and the ICO’s guidance.

Consent is a lawful basis for the processing of personal data. Relying on consent means that the people whose personal data is being processed are given a genuine reason about whether they provide their data. In other words, the provision of personal data should truly be voluntary. 

Where organisations are required by law to ask customers, visitors and staff, to provide personal data for Test and Trace purposes, they should not rely on consent. This is because the provision of personal data is not truly voluntary.

Organisations should collect consent where:

  • the information being collected is sensitive personal data or could reveal something sensitive about the person involved

  • there is no legal requirement for the organisation to collect personal data

  • the organisation will not deny access to its services if an individual does not want to provide their details

The ICO recommends that for Test and Trace purposes, consent is given when collecting contact details in, for example, places of worship where there is no legal obligation to collect visitor details at the premises. For more information, read the ICO’s guidance.

Special rules apply around collecting consent. For more information on this, read Consent for GDPR.

Organisations should generally only share this data if it is requested by a legitimate public health authority. If you are contacted by a tracing scheme, you should take steps to ensure that the caller is genuine. If you are unsure if the telephone number is genuine, check with your local council. Once you are satisfied that the caller is legitimate, you should make sure that you can share this information securely. 

Again note that you must not share information that you have collected for contact tracing for advertising or marketing

Where customers’ or visitors’ personal data is collected for contact tracing, businesses need to ensure that they have procedures in place that cover the secure and safe handling of the data. Staff members need to be aware of what they should and shouldn’t do with the data, and businesses must ensure that this is followed. For example, customer logs should only be available to those who need them, and staff should be trained to keep such lists and logbooks out of public sight. Consider creating a Data protection and data security policy to achieve this.

Failure to handle personal data properly places the business and staff at risk of breaching data protection laws with severe consequences for both.

For more information, read Data protection.

Follow us

We use cookies to provide the best experience