© Crown copyright 2020
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: email@example.com.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/privacy-notice-for-maintaining-records-of-staff-customers-and-visitors-to-support-nhs-test-and-trace/privacy-notice-for-maintaining-records-of-staff-customers-and-visitors-to-support-nhs-test-and-trace
To support NHS Test and Trace in England, some organisations in certain sectors of the economy must collect the details, and maintain records, of staff, customers and visitors on their premises.
This privacy information is concerned with the processing of this personal data by the Department of Health and Social Care (DHSC) from the point that it is shared by the relevant venue/establishment.
The privacy information for the initial collection and retention of that data by the venue/establishment is not the subject of this notice and should be available separately from the venue/establishment in question.
The purpose of DHSC’s processing will be to facilitate NHS Test and Trace in conducting contact tracing. This may be necessary in the event that an individual, who is present in a place at the same time as you, tests positive for coronavirus. NHS Test and Trace may then contact you to provide appropriate advice.
NHS Test and Trace is a key part of the country’s ongoing COVID-19 response and is run by DHSC. It includes dedicated contact-tracing staff working at national level under the supervision of Public Health England (PHE) and local public health experts who manage more complex cases. Local public health experts include both PHE health protection teams and local authority public health staff.
By maintaining records of staff, customers and visitors (and sharing these with NHS Test and Trace where requested) this can help to identify people who may have been exposed to the virus.
The more rapidly and accurately we can identify people who may have been exposed to the virus and, if necessary, ask them to self-isolate, the more effectively we can break the chains of COVID-19 transmission.
If you live in Wales, Scotland or Northern Ireland, country-specific links to those nations and their response to coronavirus can be found at the end of this notice.
The venue/establishment will be a data controller for the data obtained at the point the information is collected from the individual. The venue will be responsible for compliance with data protection legislation for the period of time it holds the information. Its legal basis for collecting this information is covered by GDPR Article 6(1)(c): a legal obligation to which the venue/establishment are subject.
DHSC will be the data controller for the data at the point that it receives the data from the venue/establishment (which will be to start contact-tracing activities).
What personal data we collect
You may be asked to provide some basic information and contact details to relevant venues/establishments that you attend. All venues and establishments that collect personal data for their own purposes should be able to provide you with information on how they use your information.
The venue/establishment will disclose your information to DHSC if you have agreed to share it with them. DHSC will collect your information directly from the venue/establishment.
The venue/establishment may be asked to provide the following:
Information about staff:
- the names of staff who work at the premises
- a contact phone number for each member of staff
- the dates and times that staff are at work
Information about customers and visitors:
- the names of all customers or visitors, or if it is a group of people, the name of one member of the group
- a contact phone number for each customer or visitor, or for the lead member of a group of people. An email address will be requested if a phone number cannot be provided, or a postal address if neither can be provided
- date of visit and arrival and departure time
In addition, if a person/group only interacts with one member of staff during their visit, the name of the assigned staff member will be recorded alongside that information.
DHSC will only request these records where it is necessary for running an effective NHS Test and Trace service. It might be necessary (for this purpose) either because:
- someone who has tested positive for COVID-19 has listed a specific venue/establishment as a place they visited recently
- a venue/establishment has been identified as a potential location of a local outbreak of COVID-19
Under these circumstances DHSC, through NHS Test and Trace, will contact the venue/establishment by phone or text and request that it shares specific information (that is, the contact details of individuals who were on the premises between specific times on a specific day). NHS Test and Trace will then conduct a contact-tracing exercise with a view to providing those individuals with appropriate advice.
The purposes that DHSC will use your data for
DHSC is the data controller for the purpose of contact tracing, through PHE and local public health experts, having received the data from the venues/establishments.
Your data that is collected for NHS Test and Trace will be retained locally by the venue you have visited for 21 days after your visit, at which point it will be deleted or destroyed, unless the venue usually collects the data for other legitimate business purposes in accordance with the GDPR.
Where your data is passed to NHS Test and Trace in the case of a suspected outbreak, your information will be kept for up to 8 years, as part of the standard contact-tracing retention period set out by PHE.
Information collected as part of this contact-tracing initiative will be stored securely and lawfully by the organisations involved, and by NHS Test and Trace (if passed to them), in line with the requirements of the GDPR and Data Protection Act 2018.
Legal basis under GDPR and DPA 2018
DHSC’s legal basis for processing your personal data is:
- GDPR Article 6(1)(e): the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
- GDPR Article 9(2)(h): the processing is necessary for the management of health or social care systems and services
- GDPR Article 9(2)(i): the processing is necessary for reasons of public interest in the area of public health
- DPA 2018 – Schedule 1, Part 1, s.3: Public Health
- DPA 2018 – Schedule 1, Part 1, (2)(2)(f): Health or social care purposes
Your rights as a data subject
By law, you have a number of rights as a data subject and this collection of your information does not take away or reduce these rights.
You have a right to:
- get copies of your information: you have the right to ask for a copy of any information about you that is used
- get your information corrected: you have the right to ask for any information held about you that you think is inaccurate, to be corrected
- limit how your information is used: you have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used
- object to your information being used: you can ask for any information held about you to not be used. However, this is not an absolute right, and we may need to continue using your information, and we will tell you if this is the case
- get information deleted: this is not an absolute right, and we may need to continue to use your information, and we will tell you if this is the case
If you’re unhappy or wish to complain about how your personal data is used as part of this programme, you should contact DHSC in the first instance to resolve your issue. DHSC may have to work with partner organisations to resolve your complaint.
If this is unsuccessful, you can also raise a complaint with the Information Commissioner’s Office.
Data protection officer
DHSC’s data protection officer is Lee Cramp, and he can be contacted by sending an email to firstname.lastname@example.org.
Residents in Northern Ireland, Wales and Scotland
If you live in Wales, Northern Ireland or Scotland, further information about how your government is responding to coronavirus, and how they will use your information in doing so (which is specific to each country) can be found here: