The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The Information Commissioner’s Office (ICO) has published data protection guidance for organisations mandated to collect customer and visitor information.

From today, the UK Government has made it mandatory for all businesses in the hospitality sector, leisure and tourism sector and close contact businesses, such as barbers and beauticians, in England to collect customer information for the test and trace programme.

The Scottish and Welsh governments have also mandated certain organisations to ask for customer and visitor information.

This does not need to be complicated.

The ICO is advising organisations across the UK to follow five simple steps so they handle people’s information responsibly. Organisations must:

  1. Only ask people for the specific information that has been set out in government guidance;
  2. Be clear, open and honest with people about what is being done with their personal information;
  3. Keep people’s data secure. Organisations should not use open log books, and should ensure their customers’ personal information is kept private;
  4. Not use the personal information collected for contact tracing for other purposes, such as direct marketing, profiling or data analytics; and
  5. Erase or dispose of the personal information collected after 21 days.

Organisations do not have to ask people for their information if individuals are using a contact tracing app to check into venues.

Organisations should not make the use of contact tracing apps mandatory, and should give people options to give their details for contact tracing purposes.

The ICO has developed clear examples and case studies that organisations can use to ensure they are collecting customer information securely and complying with data protection law.

Ian Hulme, ICO’s Director of Assurance, said:

“We appreciate the challenge that many businesses face, particularly those that are handling personal data in this way for the first time. Our aim is to help the thousands of businesses that are doing their best to do the right thing. We want to support and guide them to handle people's data responsibly and keep it safe and secure.”

Kate Nicholls, CEO of UKHospitality, said:

“There is now an even greater need for hospitality businesses to focus on test and trace. It’s critical that data protection is at the heart of all of our efforts. We know organisations have a lot to think about during this time and we are keen that the ICO guidance is well publicised and well understood.”

The ICO is here to help – please visit our data protection and coronavirus information hub for advice. For more help, call us on 0303 123 1113.

Notes to Editors

  1. The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  3. The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  4. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to