The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

It is now a legal requirement for certain organisations to collect customer, visitor and staff contact details for contact tracing purposes. This requirement applies to restaurants, pubs and other venues in the tourism and hospitality sector. It also applies to close contact businesses such as barbers, tailors or beauticians. You should check the government guidelines for where you operate to determine whether it is necessary for you to do this. Government guidance has been published and varies for England, Northern Ireland, Scotland and Wales.

This guidance applies to those who are required to maintain records of staff, customers and visitors at their premises for contact tracing purposes as set out in the Government guidance. Here you’ll find advice on collecting, storing, sharing and deleting the personal data you’ve been asked to obtain. This guidance is designed for those who have limited experience of collecting and retaining personal data for business purposes.

If your organisation is not legally required by government to collect customer information for contact tracing purposes, please see our case studies for guidance.

What do we need to tell visitors, customers and staff when we collect their data for the contact tracing scheme?

You must be clear, open and honest with people about why you are collecting their data when they visit your premises, including who you will be sharing it with and how long you will keep it. You must not collect and process personal data in a way that is misleading, detrimental or outside of what people would reasonably expect. In this case, the collection of customer data is for maintaining records of visitors, customers and staff for the contact tracing scheme established by each of the four government administrations in the UK, so you need to make this clear to people.

Collecting customer contact details may already be standard practice for your organisation, but the purpose of collecting this particular information is wider than managing bookings or similar tasks, and there are greater implications should an outbreak occur. You need to explain this to people.

You must consider appropriate methods of communicating this message (including to children and young people). For example, you could provide information over the phone, you could put signs up on site, direct people to further information online, or simply tell them when they arrive.

How do I make sure my collection and sharing of data is lawful when maintaining records for contact tracing?

Firstly, you should check government guidelines for information about whether your business is encouraged or required to collect customer contact information for these purposes. This varies for England, Scotland, Wales and Northern Ireland. There are gateways known as lawful bases that allow you to collect customer contact details under data protection law. The lawful basis which is applicable will depend on the type of organisation, and whether the government has made it a legal requirement to collect this information.

  • Legal obligation. You can rely on this lawful basis if you need to collect personal information to comply with the law.
  • Legitimate interests. This is most applicable if you are a private organisation and there is no legal requirement for you to collect this information. This basis recognises that collecting the data is likely to be in the interests of the individual, the organisation, and the public health efforts to tackle COVID-19, as long as individuals’ rights are protected and data protection principles are followed.
  • Public task. This is likely to be applicable if you are a public authority. It allows you to identify a task, function or power with a clear basis in law – such as your legal responsibilities around public health – which requires you to process this data.
  • Most organisations should not rely on consent. But there are some notable exceptions which are covered here. You should not use consent as your lawful basis unless it is truly voluntary to provide personal data, and individuals will not be denied access to your services if they do not want to provide their details.

There may be instances where you will be collecting more sensitive information about an individual. For example if you provide a service to small groups or on a one-to-one basis, (eg. tailoring or sports massage). This may make it more likely that you’d make assumptions about an individual’s health if you are contacted by a contact tracing service.

In law, this is special category data and it means the information requires extra protection. It includes health information, racial or ethnic origin, sex life or sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership. You must always respect the confidentiality of any special category data that you collect.

Do I need to collect consent for contact tracing?

In most cases, private sector organisations and public authorities should not rely on consent. Relying on consent means you must give people genuine choice about whether they provide their data. You should not use consent as your lawful basis unless it is truly voluntary to provide personal data. Certain businesses are now required by law to ask for customer contact details which means that consent would be inappropriate.

However, consent is recommended when:

i) the information you are collecting could reveal something sensitive about the person involved, such as their health status, religious beliefs or political opinions;
ii) there is no legal requirement for you to collect this information; and
iii) you will not deny access to your service when an individual does not wish to provide their contact details.

In the context of contact tracing, we recommend using consent if you are logging details in places of worship, for example, and there is no legal obligation to collect customer or visitor information at these premises.

There are particular rules around consent and, if you need to rely on it, we recommend you follow our guidance. In practice, this might mean asking people to fill out a specific consent form, for example.

Under data protection law, it is especially important that consent is freely given, meaning that people should be able to refuse or withdraw their consent without facing negative consequences, such as being denied access to your service.

How much personal data should we collect for contact tracing?

You should only collect the personal information that is needed to help you to maintain records for contact tracing purposes. Government guidance on what information to collect has been published for England, Northern Ireland, Scotland and Wales. We recommend that you check the relevant guidance for your area, but it will usually be:

  • The name of the person (if a group of people attend together, the name of the ‘lead member’ is sufficient)
  • A contact telephone number (again, this can be just for the ‘lead member’)
  • The date and time they were there

How long can we keep personal data collected for contact tracing?

Only for as long as it’s needed.

Guidance on how long that will be is provided by the public health authorities in whichever part of the country you live in. It is usually recommended that you retain this information for 21 days. Once that period is up you must dispose of the information securely. That means shredding paper records or permanently deleting digital files, for example.

The only reason you should keep the data for longer is if you would usually do so in line with other sector specific guidelines.

How do we make sure that the personal data we collect is accurate?

In the context of maintaining records of staff, customers and visitors for contact tracing, all you need to do is record the information the customer or visitor provides to you in an accurate way. In isolated incidences, if you reasonably believe that the information is wrong or out of date, you can ask the customer or visitor for clarification.

We appreciate that some people may provide false information. However, as long as you accurately record the information provided, you are likely to meet your requirements in terms of accuracy under data protection law.

Any clarification of details in isolated incidences should not lead to any data (e.g. copy of an ID document) being retained.

What data protection rights do people have in relation to the data we collect about them for a contact tracing scheme?

When you hold their personal data, people have rights under data protection law. For contact tracing, these rights can include:

  • the right of access to the personal data you hold on them – for example their contact details, or details of their booking with you; and
  • the right to ask for any factually inaccurate data to be corrected

A full list of rights is here. These rights can be exercised verbally or in writing. You need to ensure that you have measures in place, such as staff training, so you can recognise any requests for the information to be amended, for example.

What do we need to do about security when maintaining records for contact tracing?

You are responsible for ensuring that the personal data you hold is kept securely. In the case of maintaining records of staff, customers and visitors for contact tracing purposes that includes making sure it’s physically safe, in the case of paper records, or digitally safe, in the case of electronic records. You may need both. You must also have rules and staff training in place to make sure information isn’t lost, stolen or destroyed.

If you collect this information electronically, you will need to ensure you have adequate cyber security measures in place. Again, you should involve some form of staff training so that employees understand their responsibilities when handling personal data. If you collect this information manually, it is important that contact details are kept out of public sight.

Basic measures when maintaining records include:

  • Make sure your staff understand what they should and shouldn’t do with customer information. You should ensure that your staff are aware that it is a criminal offence under the Data Protection Act to obtain or disclose customer information without your organisation’s consent.
  • Do not use an open access sign-in register where customer details are visible to everyone. Instead consider a ballot box approach with individual contact tracing forms. We have examples of best practice in our case studies.
  • Keep any paper records out of public sight and in a safe place, with measures to prevent malicious access (eg locked doors, safes, CCTV).
  • Consider which members of staff need access to the logs and limit access to those staff.
  • Do not store customer logs in an accessible, unsecured file.
  • Check your approach to cyber security – the ICO has published online guidance and the National Cyber Security Centre’s Cyber Essentials scheme is a good place to start.
  • When deleting or disposing of logs, do so in a way that is not at risk of unintended access (eg shredding paper documents as opposed to disposing them in public refuse bins, and ensuring permanent deletion of electronic files).

Can we make visitors or customers download a contact tracing app in order to check-in to our premises by scanning a QR Code?

The use of contact tracing apps is voluntary. Some government apps provide a QR code function allowing people to ‘check in’ on their own device without providing that information to government. Visitors and customers can scan a QR code instead of providing their details to the venue, but you should not force anyone to download a contact tracing app. You must also have a secure alternative method in place for recording the contact details for those who prefer not to use an app, or do not have access to a smart phone.

You should refer to government guidance on how to use the QR code function of the app. If an app user chooses to use the QR code check-in feature, you should not ask for their contact details. To do so could be excessive and unnecessary.

Who can we share the customer data we collect with?

When maintaining records of staff, customers and visitors for contact tracing purposes, you should only share the information when it is requested by a legitimate public health authority.

If you are contacted by a contact tracing scheme, and you are asked to provide details of individuals who have visited your premises, you should ensure that the caller is genuine. You should be cautious that fraudsters or scammers could seek to obtain information from you by pretending to be a contact tracing agency.

Government guidelines provide an explanation of what contact tracers will and won’t do. Once you are satisfied that you can share the customer data with the contact tracer, make sure that you are able to securely share this information.

In a very narrow range of circumstances, it may be appropriate to share this information with other parties. For example, the information may be required by the police if they need it for a criminal investigation. In this case, an appropriate exemption would need to be identified.

Can we use the personal data we have collected for contact tracing for marketing or other business purposes?

No. Direct marketing or advertising, profiling your customer base or analysing demographics would conflict with the original purpose for collection and would be considered as a misuse of the information.

There are more specific rules around electronic marketing.

If we become aware of someone who has tested positive for COVID-19, should we report them to a contact tracing scheme?

No. Contact tracing personnel have the responsibility for following up cases of COVID-19 following a positive test result. They will make the appropriate assessments and contact the people affected themselves.

If you are aware of a case of COVID-19, you should not seek to contact the people who have visited your premises yourself. You should only share the details you have collected with the contact tracing scheme in a secure way and only if requested. Contact tracing personnel will undertake an individual assessment and, if necessary, contact you to provide public health support and guidance, but this will be dependent on the specific circumstances.

You can advise staff of any precautions they may need to take. If there is more than one case of COVID-19 on your premises, you should contact your local health protection team to report the suspected outbreak.

How should my staff handle personal data that we collect contact tracing?

If you are collecting customers’ or visitors’ personal data for contact tracing, you need to make sure you have procedures in place to handle it securely and safely. You must make sure your staff understand what they should and shouldn’t do with customer information and you must make sure they put this into practice. For example, customer logs should only be available to those who need them and staff should be trained to keep manual lists and log books out of public sight. They must not be used to make personal contact with customers or for direct marketing or anything else other than contact tracing.

You should be clear, open and honest with people about why you are collecting their data, who you will be sharing it with and how long you will keep it. Not handling personal data properly means businesses and staff risk breaching the Data Protection Act with severe consequences for both.

When maintaining records of staff, what do I need to tell my employees about collecting their personal data for contact tracing?

You should follow government guidance about the specific information you need to collect from your staff.

Government guidance has been published and varies for England, Northern Ireland, Scotland and Wales.

Wherever you are, transparency is very important. As an employer, you should be honest with employees from the start about how and why you need to use their personal data.

You should have clear and accessible privacy information in place before any processing begins. No additional data should be collected beyond the purpose of contact tracing, and you should respect the information rights that staff have in the same way as you would respect the rights of your customers or visitors.

You should not force staff to download a contact tracing app to scan a QR Code. We have looked at this scenario in more detail in our case studies.

Can we collect children’s contact details for contact tracing?

In many cases, a child is likely to be visiting your premises as part of a family group. Much of the guidance referenced suggests that if there is more than one person visiting your premises, you can record the name of the ‘lead member’ of the group and the number of people in the group. In this situation it will probably be sensible to collect an adult’s contact details. We advise that you check your own government guidance pages to ensure you are following the correct procedures.

But there may be times when a young person is unaccompanied – a group of teenagers visiting a cafe, for example. You should follow government guidelines regarding the age limit for those whose contact details you should collect and you need to make sure that you clearly explain why you want to collect this data. It is important that you do this in a way that the child or young person can understand. If there are no government guidelines setting out the age limit for where you live, we advise that if you don’t think that a child or young person has the competency to understand what will happen with their information, then you shouldn’t collect their contact details. A child should be able to make an informed decision when providing their contact details.

You should not conduct intrusive verification checks to determine a child’s age, asking whether a visitor is over a certain age would be sufficient.

In all cases, you should consider the potential risks to children’s data to be greater than to adults so you must make sure that you handle it particularly carefully. We have looked at this scenario in more detail in our case studies.

Case study 1: Risks involved in staff handling personal information collected for contact tracing purposes

A pub is required to collect customers’ personal details for the purpose of assisting with local contact tracing requirements. Staff at the pub collect basic information such as a name and contact number from people.

A staff member at the pub who has access to these customer logs wishes to speak privately to a particular customer outside of work, and decides to take their information from the logs to do so. As a result, the customer is contacted by the staff member and feels that their personal information has been used inappropriately. The unwanted contact causes them distress.

What are the key data protection considerations?

Organisations that do not handle personal information properly run the risk of breaching data protection law, which could have serious consequences for both the organisation and their staff.

In this scenario, the customer information is collected for the sole purpose of assisting a contact tracing scheme. This information must not be used for any other purposes than disclosing it to contact tracing personnel. This purpose should be made clear to customers.

It is important the pub’s management provide training to their staff so that they understand what they should and shouldn’t do with customer information. Management should also ensure that staff are aware that it is an offence under the Data Protection Act to obtain or disclose customer information without the consent of the organisation.

Although organisations cannot always safeguard against rogue behaviour from a member of staff, there are basic measures that should be in place to help ensure the safety and security of customer and visitor information.

If paper records are used, they should be kept out of public sight and in a safe place, with measures to prevent malicious access (eg locked doors, safes and keeping them out of sight and out of reach of customers during opening hours).

The pub’s management could also consider a digital solution in which access can be controlled by password or other access controls.

Whatever approach is taken, staff need to be properly trained so they understand how to play their part in ensuring that the system works effectively, in compliance with data protection law.

Personal information collected for the specific purposes of contact tracing cannot be used for direct marketing or advertising, profiling a customer base or analysing demographics. This would be considered as a misuse of the information.

Case study 2: Collecting young people’s personal information for the purpose of contact tracing

A public library wishes to assist a contact tracing scheme by collecting basic information from visitors, probably a name and contact number.

For contact tracing, normally the library would record information from visiting adults, or family groups that may include children, but there are times where a young person or group of young people may visit the premises on their own. The library wants to know what to do when an unaccompanied young person visits the library.

What are the key data protection considerations?

If there is an adult in the group of visitors then it is sensible to record their details rather than a child’s.

We advise that the library checks the relevant government guidance pages to ensure they are following the correct procedures in terms of the age of those whose contact details they should be collecting. The library should not conduct intrusive verification checks to determine a child’s age, for example asking whether a visitor is over a certain age would be sufficient.

If there are no government guidelines on the age limit for collecting customer contact details, the library will have to make a sensible decision about whether or not they think that the young person can understand why contact information is being collected, and what will happen with their information. In order for the collection and use of this information to be fair, it is very important that the library is transparent when collecting this information.

If staff at the library believe a child is below the age required to provide this information as set out in government guidelines, and do not think that the young person is able to understand why this information is required, they should exercise caution and not collect their contact details. The library should not deny access based on age, if they would usually allow young people to visit unaccompanied by an adult.  

Library staff could place posters at entrances and around the premises that can be understood by all ages. In the case of younger visitors, library staff could greet visitors on entry to explain the process.

Organisations should bear in mind the risks involved in processing children’s data and so it must be managed carefully.

It is very important that information about young people is kept securely, it is not visible to other adults visiting the premises, and access to it by staff should be strictly limited. 

Further information on processing children’s data is available here.

Case study 3: Manually collecting customer contact details

Based on Government guidance, a café is now legally required to collect customer contact details for contact tracing purposes. They will be downloading a government QR code poster and encouraging people to scan it when they visit. However, they have a few regular customers who do not have a mobile phone, and they want to make sure they have alternative methods to collect this information. They have thought about having a list and a pen by the door, and directing people to sign in when they enter the café, but are not sure if this is appropriate.

What are the key Data Protection Considerations?

Whilst the café may encourage the use of government app QR codes as their main way to collect visitor and customer contact details, use of the government apps is voluntary. Organisations should also have an alternative method to collect this information. Businesses will need to decide which alternative method is most suitable for their business and their customers.

If the organisation has decided to collect this information manually, they should not do so with an open list which is in public sight. The café must ensure that they have appropriate security measures in place to protect this information, There is a risk that a customer could write down the contact details of another customer, or that an unattended list of individuals, especially one left by a door, could be stolen. The café may want to consider whether they should collect this information digitally for example through secure, access-controlled software.

If the café does still decide that manually collecting this information is the most suitable alternative for their business, they must think about what measures they can put in place to keep their paper records safe, and ensure that their staff are aware of these. For example, they could consider the following:

  • Requesting contact details when an individual makes a booking over the phone, the café informs the individual why the data is needed and how it will be handled, they then record the contact details in a closed book which is locked away and only used by a trained member of staff.
  • Consider a ballot box style approach. The café could decide to have blank cards requesting basic contact details, and a secure box in an area where it can be monitored by a member of staff. Individuals, or a member of staff record the contact information on a card, and then place it into the secured box.
  • Allocate a trained member of staff per shift to ask for this information when they greet customers, this member of staff knows that they must keep this information secure and that they must explain why they are asking for the details. They ensure that once they have recorded the contact details, they put the list into secure place which the public do not have access to.

Further information about the relevant security requirements are available here