Maintaining records of staff, customers and visitors to support NHS Test and Trace
Venues in certain sectors should continue to ask customers, visitors and staff to 'check in', to help stop the spread of coronavirus (COVID-19)
Applies to England
While cases are high and rising, everybody needs to continue to act carefully and remain cautious. This is why we are keeping in place key protections:
- testing when you have symptoms and targeted asymptomatic testing in education, high risk workplaces and to help people manage their personal risk
- isolating when positive or when contacted by NHS Test and Trace
- border quarantine for those arriving from red list countries and for those people not fully vaccinated arriving from amber list countries
- cautious guidance for individuals, businesses and the vulnerable whilst prevalence is high including:
  - while government is no longer instructing people to work from home if they can, the government would expect and recommend a gradual return over the summer
  - government expects and recommends that people wear face coverings in crowded areas such as public transport
  - being outside or letting fresh air in
  - minimising the number, proximity and duration of social contacts
- encouraging and supporting businesses and large events to use the NHS COVID Pass in high risk settings. The government will work with organisations where people are likely to be in close proximity to others outside their household to encourage the use of this. If sufficient measures are not taken to limit infection, the government will consider mandating certification in certain venues at a later date
Although it is no longer a legal requirement for venues to display an NHS QR code or request that customers, visitors and staff ‘check in’, this is still encouraged. People can check in by scanning the NHS QR code poster via their NHS COVID-19 app or by providing their contact details. This will support NHS Test and Trace to contact people exposed to COVID-19, so that they can book a test. This will help us to stop the spread of the virus, protect society and support businesses to stay open.
Establishments in the following sectors should encourage attendees to check in and maintain records of staff, customers and visitors who choose to provide their contact details:
- hospitality, including pubs, bars, nightclubs, restaurants and cafes
- tourism and leisure, including theatres, museums and cinemas
- close contact services
- places of worship
- facilities provided by local authorities such as libraries and community centres
You should:
- ask every customer or visitor (over the age of 16) to ‘check in’ by:
  - scanning the NHS QR code poster via their NHS COVID-19 app; or
  - providing their name and telephone number (this can be done in advance, for example, via a pre-booking system). You should also note the date of entry
- keep a record of all staff working on your premises, their shift times and dates, and their contact details
- keep these records of customers, visitors and staff for 21 days and provide this information to NHS Test and Trace, if requested
- display an NHS QR code poster so that customers and visitors can ‘check in’ using the NHS COVID-19 app (as an alternative to providing their contact details)
- adhere to data protection legislation, including the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018
By asking individuals to check in and sharing the records of those who provide their contact details with NHS Test and Trace, you will help us to identify people who may have been exposed to COVID-19. If there is an outbreak linked to a venue, that is 2 or more COVID-19 cases on the same day, the ‘venue alert’ process will be triggered. This will lead to individuals who checked in to the venue on the same day receiving advice to book a test; there is no requirement to self-isolate unless the recipient tests positive for COVID-19. NHS Test and Trace will only ask for your records if there is an outbreak at your venue.
In the event of an outbreak linked to a venue, individuals who checked in will receive a venue alert. This is a notification from their NHS COVID-19 app if they scanned the NHS QR code, or a text message if they provided their contact number.
Venue alerts:
- are triggered if there are 2 or more cases at your venue
- are facilitated by NHS Test and Trace obtaining the records of your customers, visitors and staff who were there on the same day. If you are asked by NHS Test and Trace for this information, please share it as soon as possible. Do not inform customers or visitors directly; alerts will be managed by NHS Test and Trace
- inform the attendee of their potential exposure to COVID-19 and advise them to book a test
- are anonymous – your venue will never be named in an alert
- do not close your venue. You will be given guidance at the point you are contacted by NHS Test and Trace so that you can continue to operate safely
You should contact your local health protection team or environmental health department at your local council if you need further support to manage an outbreak in your establishment.
Systems for checking in
Venues should display an NHS QR code poster at their entrance. It’s quick and simple to use for both businesses and users, and enables customers and visitors to scan the NHS QR code when they arrive by using the NHS COVID-19 app.
Official NHS QR code posters can be generated online. Organisations can find out more about NHS QR codes and how to generate them on the NHS COVID-19 app website. If you do not have access to a printer, you can display your QR code poster at your venue using digital signage, for example, a TV screen or iPad.
For those unable to check in using the NHS COVID-19 app, venues should ask customers and visitors (over the age of 16) for their name and telephone number, and you should record the date of visit.
You should also keep a record of staff working on the premises on a given day and their contact details.
How records should be maintained
To support NHS Test and Trace, you should hold these records for 21 days before securely disposing of them. When deleting or disposing of data, you must do so in a way that does not risk unintended access (for example shredding paper documents and ensuring permanent deletion of electronic files).
Records which are made and kept for other business purposes do not need to be disposed of after 21 days. Only data related to a record that is created solely for the purpose of NHS Test and Trace needs to be destroyed at this point. All collected data, however, must comply with UK GDPR and should not be kept for longer than is necessary.
Data Protection Regulation Legislation
The data that you collect is personal data and must be handled in accordance with data protection legislation to protect the privacy of your staff, customers and visitors. Please refer to the guidance from the Information Commissioner’s Office to ensure you have appropriate technical and organisational security measures in place to protect customer, visitor and staff contact information.
GDPR allows you to request contact information from your staff, customers and visitors and share it with NHS Test and Trace to help minimise the transmission of COVID-19 and support public health and safety. It is not necessary to seek consent from each person, but you should make clear why the information is being collected and what you intend to do with it.
For example, if you already collect this information for ordinary business purposes, you should make staff, customers and visitors aware that their contact information may now also be shared with NHS Test and Trace.
You do not have to inform every customer individually. You might, for example, display a notice at your premises or on your website setting out what the data will be used for and the circumstances in which it might be accessed by NHS Test and Trace. A template privacy notice can be found at Annex A.
While consent is not required, we recommend that consent is sought in sensitive settings such as places of worship and for any group meetings organised by political parties, trade unions, campaign or rights groups, philosophical and religious groups or health support groups. This is because of the potentially sensitive nature of the data collected in these circumstances.
Personal data that is collected for NHS Test and Trace, which you would not collect routinely in the course of your business, must be used only to share with NHS Test and Trace. It must not be used for other purposes, including marketing, profiling, analysis or other purposes unrelated to contact tracing, or you will be in breach of UK GDPR.
You should make your staff aware of what they should and shouldn’t do with customer information. You must not misuse the data in a way that is misleading or could cause an unjustified negative impact on people, for example to discriminate against groups of individuals. Misuse of data in this way is a breach of UK GDPR.
How to know if a request from NHS Test and Trace is genuine
If you are contacted by NHS Test and Trace, contact tracers will:
- call you from 0300 013 5000
- send you an email containing a template spreadsheet and a secure link to upload your logbook to the secure Egress system
- the email will come from email@example.com
If we cannot get hold of you in the first instance, we will send you an email asking you to provide the best name, contact phone number and time to call. This email will come from firstname.lastname@example.org.
Local contact tracers may contact you from a different phone number or ask you to call them back. If you are unsure if the telephone number is genuine, check with your local council. More information can be found on your local council website.
Contact tracers will never:
- ask you to dial a premium rate number to speak to them (for example, those starting 09 or 087)
- ask you to make any form of payment or purchase a product of any kind
- ask for any details about your bank account
- ask for your social media identities or login details, or those of your contacts
- ask you for any passwords or PINs, or ask you to set up any passwords or PINs over the phone
- disclose any of your personal or medical information to your contacts
- ask about protected characteristics that are irrelevant to the needs of NHS Test and Trace
- provide medical advice on the treatment of any potential coronavirus symptoms
- ask you to download any software to your PC or ask you to hand over control of your PC, smartphone or tablet to anyone else
- ask you to access any website that does not belong to the government or NHS
Annex A: template privacy notice
Please note this privacy notice is intended for non-sensitive venues only. If you are a place of worship, please see alternative guidance.
Recording customer details: how we use your information
To support NHS Test and Trace (which is part of the Department for Health and Social Care) in England, DHSC has provided guidance which we have chosen to follow. The guidance recommends that we collect and keep a limited record of staff, customers and visitors who come onto our premises for the purpose of contact tracing.
By maintaining records of staff, customers and visitors, and sharing these with NHS Test and Trace where requested, we can help to identify people who may have been exposed to coronavirus.
As a customer or visitor of [insert name of business] you might be asked to provide some basic information and contact details. The following information will be collected:
- the names of all customers or visitors
- a contact phone number for each customer or visitor
- date of visit
The venue or establishment, as the data controller for the collection of your personal data, will be responsible for compliance with data protection legislation for the period of time it holds the information. If that information is requested by the NHS Test and Trace service, the service would at this point be responsible for compliance with data protection legislation for that period of time. NHS Test and Trace, as part of safeguarding your personal data, has in place technical, organisational and administrative security measures to protect the personal information that it receives from the venue or establishment and holds against loss, misuse, and unauthorised access, disclosure, alteration and destruction.
In addition, if you only interact with one member of staff during your visit, the name of the assigned staff member will be recorded alongside your information.
NHS Test and Trace, as part of its guidance, has recommended that we retain this information for 21 days from the date of your visit, to enable contact tracing to be carried out by NHS Test and Trace during that period. We will only share information with NHS Test and Trace if it is specifically requested by them. For example, if other customers at the venue subsequently tested positive, NHS Test and Trace can request the log of customer, visitor and staff details on a particular day.
We may/will [delete as necessary] require you to pre-book appointments for visits or to complete a form on arrival.
Under government guidance, the information we collect may include information which we would not ordinarily collect from you and which we therefore collect only for the purpose of contact tracing. Information of this type will not be used for other purposes, and NHS Test and Trace will not disclose this information to any third party unless required to do so by law (for example, as a result of receiving a court order). In addition, where the information is only collected for the purpose of contact tracing it will be destroyed by us 21 days after the date of your visit.
However, the government guidance may also cover information that we would usually collect and hold onto as part of our ordinary dealings with you (perhaps, for example, your name and phone number). Where this is the case, only this information will continue to be held after 21 days and we will use it as we usually would, unless and until you tell us not to.
Your information will always be stored and used in compliance with the relevant data protection legislation. The use of your information is covered by the UK General Data Protection Regulation Article 6(1)(f) – legitimate interests of the venue or establishment. The legitimate interest in this case is the interest of the venue/establishment in co-operating with NHS Test and Trace in order to help maintain a safe operating environment and to help fight any local outbreak of coronavirus.
Collection of information from or about children under the age of 18 requires the consent of their parent or guardian.
[Venue or establishment please add text whether or not you transfer personal data outside the UK, the EU or to anywhere else (if known).]
By law, you have a number of rights as a data subject, such as the right to be informed, the right to access information held about you, and the right to rectification of any inaccurate data that we hold about you. You have the right to request that we erase personal data about you that we hold (although this is not an absolute right). You have the right to request that we restrict processing of personal data about you that we hold in certain circumstances. You have the right to object to processing of personal data about you on grounds relating to your particular situation (again, this right is not absolute). If you are unhappy or wish to complain about how your information is used, you should contact a member of staff in the first instance to resolve your issue.
If you are still not satisfied, you can complain to the Information Commissioner’s Office.
[Please insert the data protection officer details or whoever is in charge of data protection duties of your venue or establishment.]
We keep our privacy notice under regular review, and we will make new versions available on our privacy notice page on [your venue or establishment website]. This privacy notice was last updated on 12 July 2021.
Last updated 20 July 2021
Updated to give advice on how to know if a request from NHS Test and Trace is genuine. Also updated guidance on variants of concern.
Updated in line with the Step 4 announcement to move from regulations to guidance.
Updated to add a call-out about the new COVID-19 variant of concern.
Updated in line with step 3 of the roadmap to explain how certain venues should be collecting customer, visitor and staff contact details and displaying an NHS QR code poster.
Updated the 'Information to collect' section to give clarity on how venues should ensure that a customer has checked in.
Updated rules for businesses reopening, and for entering a venue.
Updated to reflect the change in rules for when a group enters a venue. From 29 March 2021, every customer or visitor should be asked to scan the NHS QR code or provide their name and contact details, not just a lead member.
Updated to reflect the change from local restriction tiers to a national lockdown.
Updated to reflect the new local tiered system implemented on 2 December 2020. If your venue can open in the tier it is in, you must continue to follow the guidance on this page. If your venue must close in the tier it is in, you must follow this guidance when you are allowed to reopen.
Added cinemas, concert venues and theatres to the list of venues that must have a system in place to request and record contact details of their customers, visitors and staff to help break the chains of transmission of coronavirus. Added clarification that indoor sports and leisure centres includes gyms.
Added that national restrictions start on 5 November 2020. If your venue can stay open during this time, you must continue to follow the guidance on this page. If your venue must close during this time, you must follow the guidance on this page when you're allowed to reopen.
Updated to add further clarification on the venues in scope of the policy. Also added guidance to hospitality venues on how to verify whether an individual has checked in on the NHS COVID-19 app.
Updated to reflect the new legal requirements for designated venues to collect contact details and display official NHS QR code posters.
Updated with information for organisations on displaying an official NHS QR poster.
Removed line saying that NHS Test and Trace will ask for records when someone who has tested positive for COVID-19 has listed a premises as a place they visited recently.