ICO publishes new guidance for contact tracing scheme

At the end of June, businesses in certain industries were given just 10 days to prepare for re-opening, which included implementing a system to collect customer data in case it was required by the NHS Test and Trace system. Initial guidance was announced at the time, leaving many unsure how they could collect this data while remaining compliant with the General Data Protection Regulation (GDPR). The Information Commissioner's Office (ICO) has now published further guidance; Brian Bannister, Solicitor and data protection specialist, explains the new guidance here and advises how businesses can remain compliant during this time.

Which industries should be collecting data from their customers and visitors?

As announced by the Government, the following sectors should collect and maintain the necessary records:

  • Hospitality – such as restaurants, pubs, bars and cafes, unless a takeaway service is provided where the individual moves offsite immediately.
  • Places of worship.
  • Tourism and leisure – such as hotels, cinemas, zoos, theme parks and museums.
  • Hairdressers, barbers, beauty salons and tailors.
  • Event and community centres.
  • Libraries.

What are the lawful reasons for collecting data?

Under GDPR, you are permitted to collect data from your customers provided you inform them of:

  • Why you are collecting the data.
  • What you intend to do with that data.
  • Who you will be sharing it with, if it is to be shared with any third party.

As the current collection of data is required by the Government in certain industries to help control the spread of coronavirus, there are several lawful bases that justify the collection:

  • Public task – for example, allowing you to carry out your legal responsibilities around public health.
  • Legitimate interest – this allows the collection of data where it is in the interests of the individual, the organisation and the current public health effort.
  • Consent – it is voluntary for an individual to give their information; however, all customers, staff and visitors should be encouraged to provide their data. As the current situation is a public health emergency, consent does not need to be relied on as a lawful basis. Nor should it be the express basis used for collecting the data, because consent can be withdrawn at any time, which would defeat the public health interest.

You must ensure that the data you collect is relevant only to performing the public task and that the information is used only as and when requested by the NHS service. Under no circumstances may you use the data in the future for other purposes, for example direct marketing or advertising.

As the data is being used for the contact tracing scheme, you may be contacted by a contact tracing agency or representative if they have identified that an individual visited your premises and has since tested positive for coronavirus. There have been reports of fraudulent organisations seeking to obtain personal data; a legitimate contact tracer will:

  • Call from 0300 013 5000
  • Send a text message from ‘NHStracing’
  • Request you to sign in to the NHS Test and Trace contact-tracing website

You should not attempt to contact previous visitors or customers yourself; instead, work with the contact tracing agency so that they can take the necessary steps.

What information should I be collecting for Test and Trace, and how long can I keep it?

The ICO has given the following guidance on what information to collect and how long to keep it:

  • For staff, you should record their name, contact phone number and the dates and times they work.
  • For customers and visitors, you should collect:
    • Their name. For a group, you can ask for only the lead member's information.
    • A contact phone number, either for each individual or for the lead member.
    • Date, arrival time and departure time (if possible).
    • The name of the staff member they interacted with, if they dealt with only one member of staff.
  • The data should be stored only for as long as it is needed. In England, the guidance states that this should be 21 days, which allows for the 14-day incubation period for coronavirus plus an additional 7 days for the Test and Trace system to operate. Once this time has passed, the data should be destroyed securely, either by shredding paper records or by permanently deleting electronic documents. You are responsible for holding and destroying the data securely, and for ensuring that your staff are adequately trained in the collection and storage of such data, as well as in the steps to take should the data be lost, stolen or damaged.

How can I collect the data?

For those businesses that already operate a booking system, collecting this data should not be too onerous, as it is likely already required when a booking is made. Under GDPR, you should now make those using your booking service aware that their data may also be used to support NHS Test and Trace.

If your business does not operate in this way, however, you will need to implement a system that is manageable and reasonable for your own business, whether electronic or paper-based. Whatever system you use, you will need to ensure you follow Government guidance and GDPR. If you have any questions about how you can remain compliant with GDPR during the coming weeks and months, you can discuss your operations with Brian or a member of the Company Commercial team by calling 023 8071 7466 or email  


This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice. All content was correct at the time of publishing, and we cannot be held responsible for any changes that may invalidate this article.