The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

It is now a legal requirement for certain organisations to collect customer, visitor and staff contact details for contact tracing purposes. You should check the government guidelines for where you operate to determine whether it is necessary for you to do this. Government guidance has been published and varies for England, Northern Ireland, Scotland and Wales.

Here you’ll find advice on collecting, storing, sharing and deleting the personal data you’ve been asked to obtain.

This guidance is designed for those who have limited experience of collecting and retaining personal data for business purposes.

What should we consider under data protection law if we collect personal data from our customers as part of a contact tracing scheme?

Data protection law does not prevent you from collecting personal data that people provide as long as it is lawful, fair and that you tell your customers and visitors what you are doing. We have more information on what we mean by lawful here.

You must consider the principles of data protection law. That means you must make sure the information you collect is adequate, relevant and limited to what you need. It must be accurate and should not be used for anything else. You should also keep it secure and out of public sight so you minimise the risk of accidentally losing or destroying it.

For example, do not leave sign in sheets or books containing the personal data of customers or visitors out in the open. This is to reduce the risk of individuals obtaining personal data that should not be made available to them.

What do we need to tell people when we collect their data for the contact tracing scheme?

You must be clear, open and honest with people about why you are collecting their data, who you will be sharing it with and how long you will keep it. You must not collect and process personal data in a way that is misleading, detrimental or outside of what people would reasonably expect. In this case, the collection of customer data is for the contact tracing scheme established by each of the four government administrations in the UK, so you need to make this clear to people.

Collecting customer contact details may already be standard practice for your organisation, but the purpose of collecting this particular information is wider than managing bookings or similar tasks, and there are greater implications should an outbreak occur. You need to explain this to people.

You must consider appropriate methods of communicating this message (including to children and young people). For example, you could provide information over the phone, you could put signs up on site, direct people to further information online, or simply tell them when they arrive.

How do I make sure my collection and sharing of data is lawful?

Firstly, you should check government guidelines for information about whether your business is encouraged or required to collect customer contact information for these purposes. This varies for England, Scotland, Wales and Northern Ireland. In some industries it is still voluntary and encouraged by government, rather than a legal requirement.

There are gateways known as lawful bases that allow you to collect customer contact details under data protection law. The lawful basis which is applicable will depend on the type of organisation, and whether the government has made it a legal requirement to collect this information.

  • Legal obligation. You can rely on this lawful basis if you need to collect personal information to comply with the law.
  • Legitimate interests. This is most applicable if you are a private organisation and there is no legal requirement for you to collect this information. This basis recognises that collecting the data is likely to be in the interests of the individual, the organisation, and the public health efforts to tackle COVID-19, as long as individuals’ rights are protected and data protection principles are followed.
  • Public task. This is likely to be applicable if you are a public authority. It allows you to identify a task, function or power with a clear basis in law – such as your legal responsibilities around public health – which requires you to process this data.
  • Most organisations should not rely on consent. But there are some notable exceptions which are covered here. You should not use consent as your lawful basis unless it is truly voluntary to provide personal data, and individuals will not be denied access to your services if they do not want to provide their details.

There may be instances where you will be collecting more sensitive information about an individual. For example if you provide a service to small groups or on a one-to-one basis, (eg. tailoring or sports massage). This may make it more likely that you’d make assumptions about an individual’s health if you are contacted by a contact tracing service.

In law, this is special category data and it means the information requires extra protection. It includes health information, racial or ethnic origin, sex life or sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership. You must always respect the confidentiality of any special category data that you collect.

Should I use consent as my lawful basis?

Most private sector organisations and public authorities should not rely on consent. Relying on consent means you must give people genuine choice about whether they provide their data. You should not use consent as your lawful basis unless it is truly voluntary to provide personal data. Certain businesses are now required by law to ask for customer contact details which means that consent would be inappropriate.

However, consent is recommended when i) the information you are collecting could reveal something sensitive about the person involved, such as their health status, religious beliefs or political opinions; ii) there is no legal requirement for you to collect this information; and iii) you will not deny access to your service when an individual does not wish to provide their contact details.

In the context of contact tracing, we recommend using consent if you are logging details in places of worship, for example, and there is no legal obligation to collect customer or visitor information at these premises.

There are particular rules around consent and, if you need to rely on it, we recommend you follow our guidance. In practice, this might be asking people to fill out a specific consent form, for example.

Under data protection law, it is especially important that consent is freely given, meaning that people should be able to refuse or withdraw their consent without facing negative consequences, such as being denied access to your service.

How much personal data should we collect for a contact tracing scheme?

You should only collect the personal information that is needed to help with contact tracing. Government guidance on what information to collect has been published for England, Northern Ireland, Scotland and Wales. We recommend you check the relevant guidance for your area, but it will usually be:

  • The name of the person (if a group of people attend together, the name of the ‘lead member’ is sufficient)
  • A contact telephone number (again, this can be just for the ‘lead member’)
  • The date and time they were there

How long can we keep personal data collected in accordance with government guidance?

Only for as long as it’s needed.

Guidance on how long that will be is provided by the public health authorities in whichever part of the country you live in. It is usually recommended that you retain this information for 21 days. Once that period is up you must dispose of the information securely. That means shredding paper records or permanently deleting digital files, for example.

The only reason you should keep the data for longer is if you would usually do so in line with other sector specific guidelines.

How do we make sure that the personal data we collect is accurate?

In the context of contact tracing, all you need to do is record the information the customer or visitor provides to you in an accurate way. In isolated incidences, if you reasonably believe that the information is wrong or out of date, you can ask the customer or visitor for clarification.

We appreciate that some people may provide false information. However, as long as you accurately record the information provided, you are likely to meet your requirements in terms of accuracy under data protection law.

Any clarification of details in isolated incidences should not lead to any data (e.g. copy of an ID document) being retained.

What data protection rights do people have in relation to the data we collect about them for a contact tracing scheme?

When you hold their personal data, people have rights under data protection law. For contact tracing, these rights can include:

  • the right of access to the personal data you hold on them – for example their contact details, or details of their booking with you; and
  • the right to ask for any factually inaccurate data to be corrected

A full list of rights is here. These rights can be exercised verbally or in writing. You need to ensure that you have measures in place, such as staff training, so you can recognise any requests for the information to be amended, for example.

What do we need to do about security?

You are responsible for ensuring that the personal data you hold is kept securely. That includes making sure it’s physically safe, in the case of paper records, or digitally safe, in the case of electronic records. You may need both. You must also have rules and staff training in place to make sure information isn’t lost, stolen or destroyed.

If you collect this information electronically, you will need to ensure you have adequate cyber security measures in place. Again, you should involve some form of staff training so that employees understand their responsibilities when handling personal data. If you collect this information manually, it is important that contact details are kept out of public sight.

Basic measures include:

  • Make sure your staff understand what they should and shouldn’t do with customer information. You should ensure that your staff are aware that it is a criminal offence under the Data Protection Act to obtain or disclose customer information without your organisation’s consent.
  • Do not use an open access sign-in book where customer details are visible to everyone.
  • Keep any paper records out of public sight and in a safe place, with measures to prevent malicious access (eg locked doors, safes, CCTV).
  • Consider which members of staff need access to the logs and limit access to those staff.
  • Do not store customer logs in an accessible, unsecured file.
  • Check your approach to cyber security – the ICO has published online guidance and the National Cyber Security Centre’s Cyber Essentials scheme is a good place to start.
  • When deleting or disposing of logs, do so in a way that is not at risk of unintended access (eg shredding paper documents as opposed to disposing them in public refuse bins, and ensuring permanent deletion of electronic files).

Can we make visitors, customers or staff download a contact tracing app in order to check-in to our premises by scanning a QR Code?

The use of contact tracing apps is voluntary. Some government apps provide a QR code function allowing people to ‘check in’ on their own device without providing that information to government. Visitors, customers or staff can scan a QR code instead of providing their details to the venue, but you should not force anyone to download a contact tracing app. You must also have a secure alternative method in place for recording the contact details for those who prefer not to use an app, or do not have access to a smart phone.

Who can we share the customer data we collect with?

You should only share the information when it is requested by a legitimate public health authority.

If you are contacted by a contact tracing scheme, and you are asked to provide details of individuals, you should ensure that the caller is genuine. You should be cautious that fraudsters or scammers could seek to obtain information from you by pretending to be a contact tracing agency.

Government guidelines provide an explanation of what contact tracers will and won’t do. Once you are satisfied that you can share the customer data with the contact tracer, make sure that you are able to securely share this information.

In a very narrow range of circumstances, it may be appropriate to share this information with other parties. For example, the information may be required by the police if they need it for a criminal investigation. In this case, an appropriate exemption would need to be identified.

Can we use the personal data we have collected for a contact tracing scheme for marketing or other business purposes?

No. Data protection law states that personal data which has been collected for a specific purpose should not be used for other reasons which conflict with the original purpose. This includes direct marketing or advertising, profiling your customer base or analysing demographics. This would be considered as a misuse of the information.

There are even more specific rules around electronic marketing.

If we become aware of someone who has tested positive for COVID-19, should we report them to a contact tracing scheme?

No. Contact tracing personnel have the responsibility for following up cases of COVID-19 following a positive test result. They will make the appropriate assessments and contact the people affected themselves.

If you are aware of a case of COVID-19, you should not seek to contact the people who have visited your premises yourself. You should only share the details you have collected with the contact tracing scheme in a secure way and only if requested. Contact tracing personnel will undertake an individual assessment and, if necessary, contact you to provide public health support and guidance, but this will be dependent on the specific circumstances.

You can advise staff of any precautions they may need to take. If there is more than one case of COVID-19 on your premises, you should contact your local health protection team to report the suspected outbreak.

How should my staff handle personal data that we collect for the purposes of contact tracing?

If you are collecting customers’ personal data for contact tracing, you need to make sure you have procedures in place to handle it securely and safely. You must make sure your staff understand what they should and shouldn’t do with customer information and you must make sure they put it into practice. For example, customer logs should only be available to those who need them and staff should be trained to keep manual lists and log books out of public sight. They must not be used to make personal contact with customers or for direct marketing or anything else other than contact tracing.

Not handling personal data properly means businesses and staff risk breaching the Data Protection Act with severe consequences for both.

Be clear, open and honest with people about why you are collecting their data, who you will be sharing it with and how long you will keep it. 

What do I need to tell my employees about collecting their personal data for contact tracing?

You should follow government guidance about the specific information you need to collect from your staff.

Government guidance has been published and varies for England, Northern Ireland, Scotland and Wales.

Wherever you are, transparency is very important. As an employer, you should be honest with employees from the start about how and why you wish to use their personal data.

You should have clear and accessible privacy information in place before any processing begins. No additional data should be collected beyond the purpose of contact tracing, and you should respect the information rights that staff have in the same way as you would respect the rights of your customers or visitors.

While you can encourage its use, you should not force staff to download a contact tracing app to scan a QR Code. You will need to have alternative ways to collect this information from those who do not wish to download an app.

Can we disclose personal data to a contact tracing scheme if we have a duty of confidence to those we meet in a professional capacity? 

Where a duty of confidence applies to the information to be disclosed, you may wish to rely on the consent or explicit consent of your close contacts first. You would need to meet the high threshold of consent, to ensure that it is freely given and fully informed. Our guidance has more detail. 

There may be circumstances where it is not appropriate to seek consent, or you can’t obtain consent. 

In these circumstances the duty of confidence may be overridden, for instance, where disclosure is genuinely necessary to serve the public interest or where it outweighs the interests of the individual in maintaining confidentiality.  

It could be argued that in the case of disclosing personal data to a contact tracing scheme, the public interest is served because information is shared with contact tracers with a view to advising or treating someone who may be infected with COVID-19. But you should think about this carefully, taking into account the nature of your relationship with the individual, and whether any disclosure would cause them any damage or distress.

We would encourage you to be open and transparent with those you meet in a professional capacity by making them aware that disclosure of personal data is likely to happen if you are contacted by the contact tracing scheme. This could be achieved by providing written information or clearly explaining it to the individual verbally.

Staff should also be able to discuss the collection and disclosure of their personal information with their employer, and if they have any concerns about their information being passed on to a contact tracing scheme.  

Can we collect children’s contact details for contact tracing purposes?

In many cases, a child is likely to be visiting your premises as part of a family group. Much of the guidance referenced suggests that if there is more than one person visiting your premises, you can record the name of the ‘lead member’ of the group and the number of people in the group. In this situation it will probably be sensible to collect an adult’s contact details. We advise that you check your own government guidance pages to ensure you are following the correct procedures.

But there may be times when a young person is unaccompanied – a group of teenagers visiting a cafe, for example. You should follow government guidelines regarding the age limit for those whose contact details you should collect and you need to make sure that you clearly explain why you want to collect this data. It is important that you do this in a way that the child or young person can understand. If there are no government guidelines setting out the age limit for where you live, we advise that if you don’t think that a child or young person has the competency to understand what will happen with their information, then you shouldn’t collect their contact details. A child should be able to make an informed decision when providing their contact details.

You should not conduct intrusive verification checks to determine a child’s age, asking whether a visitor is over a certain age would be sufficient.

In all cases, you should consider the potential risks to children’s data to be greater than to adults so you must make sure that you handle it particularly carefully. Further information on processing children’s data is available here.