Profile information Account settings
Help Contact us
Sign up Log in
Help Contact us

Data protection for Test and Trace

The NHS Test and Trace contact tracing service has now closed in England, however equivalent services are still operating in the rest of the UK. Some organisations may continue to collect customers’ and visitors’ personal data for NHS Test and Trace purposes, especially in certain sectors such as hospitality and tourism. For information on such sectors in Scotland and Wales, see the Scottish government website, the Northern Ireland government website and the Welsh government website

Where such personal data is collected, organisations need to make sure they comply with data protection laws. Read this guide to find out more.

Personal data is information that relates to individuals who can be personally identified from that data. It includes, amongst other things, names, addresses (including email addresses) and telephone numbers.

There is a further 'special category' of 'sensitive personal data', which, amongst other things, includes information about physical and mental health or condition and genetics. Sensitive personal data requires extra protection. For more information on personal data and sensitive personal data, read Data protection.

Data processing is any use of personal data (other than for personal reasons) and includes obtaining, recording and storing personal data. For more information, read Processing personal data.

Organisations should only collect personal data which is necessary to maintain records for contact tracing purposes. Usually, this data is:

  • the name of the person

  • the person’s contact telephone number (if this is not available, ask for an email address and, if this is not available, ask for a postal address)

  • the date of the visit, the time of arrival and, where possible, the departure time

Organisations should also keep a record of all staff working on the premises on any given day, the time of their shift, and their contact details. 

For more information, see the government’s guidance. For information on the data you should collect in Scotland and Wales, see the Scottish government website and the Welsh government website.

Personal data collected for Test and Trace purposes should only be kept for as long as it’s needed. Specific guidance on how long data should be kept is provided by the relevant public health authority (ie England, Wales and Scotland). However, it is generally recommended that the data is retained for 21 days before being disposed of or deleted securely. Care needs to be taken that any such deletion or disposal does not risk unintended access (eg by shredding paper documents and ensuring permanent deletion of electronic files).

If you are collecting customer data for Test and Trace purposes you need to make this clear and inform individuals about the information being collected. 

Organisations should be open, honest and clear about the data they collect and who they will be sharing that data with. You can do this by displaying signs - such as a privacy notice - on-premises, online, or over the phone. 

Organisations should not collect personal data that is misleading, detrimental or outside of what a person would reasonably expect. For example, you should make clear to customers that you are collecting their personal data to have a record of customers visiting your establishment. 

You must not share information that you collected for Test and Trace purposes for advertising or marketing

For more information, read the guidance published by the Information Commissioner's Office (ICO). 

The lawful basis for the collection of customer, visitor and staff personal data will depend on the type of organisation and whether you are required by the government to collect this information. Under data protection law, there are certain lawful grounds for collecting personal data, which include:

  • legal obligation - it is lawful to collect the personal data to comply with the law

  • legitimate interests - collecting data is likely to be in the interests of the individual, the organisation, and the interest of the public health to tackle COVID-19. This applies to most private organisations 

  • public task - it is lawful to process personal data where it is necessary for you to perform a task in the public interest (eg to tackle COVID-19), where the task has a clear basis in the law

For more information, read Processing personal data and the ICO’s guidance.

Consent is a lawful basis for the processing of personal data. Relying on consent means that the people whose personal data is being processed are given a genuine reason about whether they provide their data. In other words, the provision of personal data should truly be voluntary. 

Where organisations are required by law to ask customers, visitors and staff, to provide personal data for Test and Trace purposes, they should not rely on consent. This is because the provision of personal data is not truly voluntary.

Organisations should collect consent where:

  • the information being collected is sensitive personal data or could reveal something sensitive about the person involved

  • there is no legal requirement for the organisation to collect personal data

  • the organisation will not deny access to its services if an individual does not want to provide their details

The ICO recommends that for Test and Trace purposes, consent is given when collecting contact details in, for example, places of worship where there is no legal obligation to collect visitor details at the premises. For more information, read the ICO’s guidance.

Special rules apply around collecting consent. For more information on this, read Consent for GDPR.

Organisations should generally only share this data if it is requested by a legitimate public health authority. If you are contacted by a tracing scheme, you should take steps to ensure that the caller is genuine. If you are unsure if the telephone number is genuine, check with your local council. Once you are satisfied that the caller is legitimate, you should make sure that you can share this information securely. 

Again note that you must not share information that you have collected for contact tracing for advertising or marketing

Where customers’ or visitors’ personal data is collected for contact tracing, businesses need to ensure that they have procedures in place that cover the secure and safe handling of the data. Staff members need to be aware of what they should and shouldn’t do with the data, and businesses must ensure that this is followed. For example, customer logs should only be available to those who need them, and staff should be trained to keep such lists and logbooks out of public sight. Consider creating a Data protection and data security policy to achieve this.

Failure to handle personal data properly places the business and staff at risk of breaching data protection laws with severe consequences for both.

For more information, read Data protection.

We use cookies to provide the best experience