Organisations in certain sectors should collect details and maintain records of staff, customers and visitors on their premises to support NHS Test and Trace.
The UK is currently experiencing a public health emergency as a result of the coronavirus (COVID-19) pandemic. It is therefore critical that organisations take a range of measures to keep everyone safe.
The easing of social and economic lockdown measures following the COVID-19 outbreak is being supported by NHS Test and Trace. You should assist this service by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your organisation, and assist NHS Test and Trace with requests for that data if needed. This could help contain clusters or outbreaks.
This publication provides further guidance on how you can do this in a proportionate and effective way.
NHS Test and Trace
NHS Test and Trace is a key part of the country’s ongoing COVID-19 response. If we can rapidly detect people who have recently come into close contact with a new COVID-19 case, we can take swift action to minimise transmission of the virus. This is important as lockdown measures are eased and will help us return to a more normal way of life and reduce the risk of needing local lockdowns in the future.
NHS Test and Trace includes dedicated contact tracing staff working at national level under the supervision of Public Health England (PHE) and local public health experts who manage more complex cases. Local public health experts include both PHE health protection teams and local authority public health staff.
You can read further information on how NHS Test and Trace works.
The purpose of maintaining records
By maintaining records of staff, customers and visitors, and sharing these with NHS Test and Trace where requested, you can help us to identify people who may have been exposed to the virus. Containing outbreaks early is crucial to reduce the spread of COVID-19, protect the NHS and social care sector, and save lives. This will help to avoid the reintroduction of lockdown measures and support the country to return to, and maintain, a more normal way of life.
You can play a significant role in helping your staff, customers and visitors understand the importance of NHS Test and Trace and play their part in stopping the spread of COVID-19. Please do this by explaining why you are asking for contact information and encouraging them to provide it.
In addition to maintaining and sharing records where requested, you must also continue to follow other government guidance to minimise the transmission of COVID-19. This includes maintaining a safe working environment and following social distancing guidelines.
Sectors that this guidance applies to
There is a higher risk of transmitting COVID-19 in premises where customers and visitors spend a longer time in one place and potentially come into close contact with other people outside of their household. To manage this risk, establishments in the following sectors, whether indoor or outdoor venues or mobile settings, should collect details and maintain records of staff, customers and visitors:
- hospitality, including pubs, bars, restaurants and cafés
- tourism and leisure, including hotels, museums, cinemas, zoos and theme parks
- close contact services, including hairdressers, barbershops and tailors
- facilities provided by local authorities, including town halls and civic centres for events, community centres, libraries and children’s centres
- places of worship, including use for events and other community activities
This guidance applies to any establishment that provides an on-site service and to any events that take place on its premises. It does not apply where services are taken off site immediately, for example, a food or drink outlet which only provides takeaways. If a business offers a mixture of a sit-in and takeaway service, contact information only needs to be collected for customers who are dining in.
This guidance does not apply to drop-off deliveries made by suppliers or contractors.
Information to collect
The following information should be collected by the venue, where possible:
- the names of staff who work at the premises
- a contact phone number for each member of staff
- the dates and times that staff are at work
- customers and visitors
- the name of the customer or visitor. If there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group
- a contact phone number for each customer or visitor, or for the lead member of a group of people
- date of visit, arrival time and, where possible, departure time
- if a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer
No additional data should be collected for this purpose.
Many organisations that routinely take bookings already have systems for recording their customers and visitors – including restaurants, hotels, and hair salons. Due to the COVID-19 outbreak, more organisations are planning to implement an ‘advanced booking only’ service to manage the numbers of people on the premises. These booking systems can serve as the source of the information that you need to collect.
You should collect this information in a way that is manageable for your establishment. If not collected in advance, this information should be collected at the point that visitors enter the premises, or at the point of service if impractical to do so at the entrance. It should be recorded digitally if possible, but a paper record is acceptable too.
Recording both arrival and departure times (or estimated departure times) will help reduce the number of customers or staff needing to be contacted by NHS Test and Trace. We recognise, however, that recording departure times will not always be practicable.
If someone does not wish to share their details, or provides incorrect information
Although this is voluntary, please encourage customers and visitors to share their details in order to support NHS Test and Trace and advise them that this information will only be used where necessary to help stop the spread of COVID-19.
If a customer or visitor informs you that they do not want their details shared for the purposes of NHS Test and Trace, they can choose to opt out, and if they do so you should not share their information used for booking purposes with NHS Test and Trace.
The accuracy of the information provided will be the responsibility of the individual who provides it. You do not have to verify an individual’s identity for NHS Test and Trace purposes.
How records should be maintained
To support NHS Test and Trace, you should hold records for 21 days. This reflects the incubation period for COVID-19 (which can be up to 14 days) and an additional 7 days to allow time for testing and tracing. After 21 days, this information should be securely disposed of or deleted. When deleting or disposing of data, you must do so in a way that does not risk unintended access (e.g. shredding paper documents and ensuring permanent deletion of electronic files).
Records which are made and kept for other business purposes do not need to be disposed of after 21 days. The requirement to dispose of the data relates to a record that is created solely for the purpose of NHS Test and Trace. All collected data, however, must comply with the General Data Protection Regulation and should not be kept for longer than is necessary.
General Data Protection Regulation (GDPR)
The data that we are asking you to collect is personal data and must be handled in accordance with GDPR to protect the privacy of your staff, customers and visitors. This section sets out the steps you can take to comply with GDPR.
GDPR allows you to request contact information from your staff, customers and visitors and share it with NHS Test and Trace to help minimise the transmission of COVID-19 and support public health and safety. It is not necessary to seek consent from each person, but you should make clear why the information is being collected and what you intend to do with it.
For example, if you already collect this information for ordinary business purposes, you should make staff, customers and visitors aware that their contact information may now also be shared with NHS Test and Trace.
You do not have to inform every customer individually. You might, for example, display a notice at your premises or on your website setting out what the data will be used for and the circumstances in which it might be accessed by NHS Test and Trace. You may need to offer some people additional support in accessing or understanding this information, for example, if they have a visual impairment or cannot read English.
While consent is not required, we recommend that consent is sought in sensitive settings such as places of worship and for any group meetings organised by political parties, trade unions, campaign or rights groups, other philosophical/religious groups or health support groups. This is because of the potentially sensitive nature of the data collected in these circumstances.
Personal data that is collected for NHS Test and Trace, which you would not collect in your usual course of business, must be used only to share with NHS Test and Trace. It must not be used for other purposes, including marketing, profiling, analysis or other purposes unrelated to contact tracing, or you will be in breach of GDPR. You must not misuse the data in a way that is misleading or could cause an unjustified negative impact on people e.g. to discriminate against groups of individuals.
Appropriate technical and security measures must be in place to protect customer contact information, and the ICO has produced guidance on this. These measures will vary depending on how you choose to hold this information, including whether it is collected in hard copy or electronically. We would prefer you to record and protect information electronically, but we understand this might not be possible.
You must ensure that individuals are able to exercise their data protection rights, such as the right of erasure or the right to rectification (where applicable).
When information should be shared with NHS Test and Trace
NHS Test and Trace will ask for these records only where it is necessary, either because someone who has tested positive for COVID-19 has listed your premises as a place they visited recently, or because your premises have been identified as the location of a potential local outbreak of COVID-19.
NHS Test and Trace will work with you, if contacted, to ensure that information is shared in a safe and secure way. You should share the requested information as soon as possible to help us identify people who may have been in contact with the virus and help minimise the onward spread of COVID-19.
NHS Test and Trace will handle all data according to the highest ethical and security standards and ensure it is used only for the purposes of protecting public health, including minimising the transmission of COVID-19.
If you are contacted by NHS Test and Trace
Contact tracers will:
- call you from 0300 013 5000
- send you text messages from ‘NHStracing’
- ask you to sign into the NHS Test and Trace contact-tracing website
Contact tracers will never:
- ask you to dial a premium rate number to speak to them (for example, those starting 09 or 087)
- ask you to make any form of payment or purchase a product or any kind
- ask for any details about your bank account
- ask for your social media identities or login details, or those of your contacts
- ask you for any passwords or PINs, or ask you to set up any passwords or PINs over the phone
- disclose any of your personal or medical information to your contacts
- ask about protected characteristics that are irrelevant to the needs of test and trace
- provide medical advice on the treatment of any potential coronavirus symptoms
- ask you to download any software to your PC or ask you to hand over control of your PC, smartphone or tablet to anyone else
- ask you to access any website that does not belong to the government or NHS
How NHS Test and Trace will take steps to minimise transmission
If you receive a request for information from NHS Test and Trace this does not mean that you must close your establishment. NHS Test and Trace will, if necessary, undertake an assessment and work with you to understand what actions need to be taken.
Depending on the circumstances and the length of time that has elapsed, this could include arranging for people to be tested, asking them to take extra care with social distancing and/or – in some circumstances – asking them to self-isolate. NHS Test and Trace will give you the necessary public health support and guidance. Your staff will be included in any risk assessment and NHS Test and Trace will advise them what they should do.
If there is more than one case of COVID-19 on your premises, you should contact your local health protection team to report the suspected outbreak.