Guidance

NHS QR code venue posters: privacy notice

Updated 1 March 2022

Applies to England and Wales

The QR venue check-in system was withdrawn in February 2022. This document is provided for archive and reference purposes.

This privacy notice relates to venues using the QR code registration and download process (the QR code process). That process, together with the NHS COVID-19 app (the app), contributes towards the effective management of the coronavirus pandemic.

The QR code process is part of NHS Test and Trace which is overseen by the UK Department of Health and Social Care (DHSC). This service is available for those venues which wish to use it. See https://www.gov.uk/coronavirus for more information.

If you want to know more about the app itself and the service that it supports, you can find more information at:

One of the features of the app is the check-in feature. This enables users to check into venues, whether physical premises or mobile businesses, that display official NHS QR code posters. Users who check in can then be notified later if they may have visited a venue where someone has tested positive for COVID-19.

This notice will be subject to ongoing review and improvement.

Data used in the QR code process

If you participate in the QR code process, then the following information will be needed from you:

  • your email address
  • the address of your business, place of worship, community organisation or event

If you have more than one venue, the following will also be needed:

  • the address of each location
  • an email address for the manager (or point of contact) for each location
  • a phone number for the manager (or point of contact) for each location

Your email address is used to notify you if your venue is added to the list of venues where people who have COVID-19 have informed Test and Trace that they have been (on the same day). This email will be sent from the QR Poster Service and the subject will be ‘A notification from NHS Test and Trace’. The email will contain information on what you need to do next.

Personal data

‘Personal data’ is a term defined in data protection law.

Your personal contact details such as those above, particularly if you are a sole trader and/or are conducting business in your personal capacity, may be regarded as personal data.

In that case you have certain rights under the Data Protection Act 2018 (DPA) and the General Data Protection Regulation as it now forms part of UK law (UK GDPR). These are set out in this document.

Sharing your data

The DHSC may share the data you provide with other government departments and relevant local authorities for the purpose of monitoring the use of the QR code process.

Scanned QR codes and associated information, such as the business name of the venue, QR ID and venue postcode, will be visible to the app user. This is to confirm they have checked into the correct venue. They will be able to see it in their ‘venue history’ data.

This information can be shared with Test and Trace when an app user tests positive. This supports the management of the coronavirus pandemic, including the alerting of other app users who have attended the same venue.

Our responsibilities

The law relating to processing personal data

We will adhere to our legal responsibilities. The legal bases for processing your personal data under the UK GDPR and Data Protection Act (DPA) 2018 are:

  • UK GDPR Article 6(1)(e) – the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
  • DPA 2018 – Schedule 1, Part 1, Section 2(2)(f) – the management of health care systems or services
  • DPA 2018 – Schedule 1, Part 1, Section 3 – public health purposes

Retention of personal data

Personal data processed by the DHSC will be stored in line with the Records Management Code of Practice for Health and Social Care 2016.

This means your personal data may be retained from a minimum time of 14 days or up to 8 years. The principle of data minimisation is applied to ensure that data processing is limited to only what is necessary and for as long as necessary. The data will then be securely disposed of.

QR codes that are scanned by users when visiting your venues or engaging with your business are automatically deleted after 21 days. The choice of 21 days takes into account the 14-day incubation period and the infectious period of the virus.

These data retention periods will follow the latest government advice and therefore may increase or decrease.

Your rights under the DPA and UK GDPR

By law, you have rights as a data subject. Your rights under the UK GDPR and the UK Data Protection Act 2018 apply.

Your right to get copies of your information – you have the right to ask for a copy of any information about you that is held or controlled by DHSC.

Your right to update or correct your information – you have the right to ask for any information held about you that you think is inaccurate, to be corrected.

Your right to limit how your information is used – you have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used.

Your right to object to your information being used – you can ask for any information held about you to not be used. However, this is not an absolute right, and we may need to continue using your information, and we will tell you if this is the case.

Your right to get your information deleted – this is not an absolute right, and we may need to continue to use your information, and we will tell you if this is the case.

If you’re unhappy or wish to complain about how your personal data is used by NHS Test and Trace you should contact DHSC in the first instance to resolve your issue. If you’re still not satisfied, you can complain to the Information Commissioner’s Office.

You can get in touch with us by contacting the data protection officer. The data protection officer for DHSC can be contacted by email at data_protection@dhsc.gov.uk

Once we receive your request, members of our Data Protection team will endeavour to get back to you as soon as possible to confirm receipt.

Data controller

The DHSC commissioned the NHS Test and Trace programme on behalf of the UK government and is the data controller for the purposes of data protection legislation. DHSC decides what information is required and how it needs to be used.

You can also find further information about how the governments of Wales, Scotland and Northern Ireland are working to manage the pandemic.

Data protection officer

As also noted above, the data protection officer for DHSC can be contacted by email at data_protection@dhsc.gov.uk