Test and Trace: collecting personal data about customers

Government guidance about maintaining records of customers and visitors to support NHS Test and Trace, states that a business should keep a temporary record of its customers and visitors. This should consist of the following information:

• the name of the customer or visitor;
• a contact phone number for each customer or visitor;
• the date of visit, arrival time and where possible, departure time (or estimated departure time);
• if the customer is interacting with only one member of staff, the name of the assigned staff member for that customer or visitor.

Where a business is expecting a group of customers, then taking the name and number of the lead person in the group together with the number of people in their group, will suffice.

Names together with contact numbers count as personal data for GDPR purposes. GDPR permits you to process personal data if you have a lawful ground to do so. One of those grounds, includes where processing is necessary in order to protect the vital interests of the data subject or another person, which would cover the collection of contact information for test and trace purposes.

Bear in mind that GDPR requires any processing of personal data to be adequate, relevant and limited to what is necessary, so use these as your guiding principles when it comes to collecting contact information about customers or visitors: only collect what the Government guidance states you should collect, and make sure you don't use any information specifically collected for test and trace, for any other purposes (such as sending marketing by text to the customers/visitors!).

If you have an advanced booking system, as many hospitality businesses do, then information can be collected via this. If you don't have such a system, then Government guidance advises you to collect the information at the point a customer or visitor enters premises, and in the most manageable way: if recording it digitally is not possible, then a paper record will suffice.

GDPR requires you to keep personal data, only for so long as is necessary to achieve the purpose that you are processing it for. Government guidance has stated that you should keep data for test and trace purposes, for a period of 21 days. Therefore, where you have collected data specifically for test and trace purposes (and for no other purpose – see question 11) below), the data should be securely destroyed or deleted after the expiry of the 21 day period. Where you can't set rules for automatic deletion electronically, a simple rolling timetable for deletion should work.

Somewhere safe! If you are storing it digitally, make sure you store it in a secure part of your IT system, and remember to password protect files. Access to the data should also be limited to only those who need to see the data. Where you are storing data in hard copy, then store it in a lockable drawer or cabinet (and make sure you lock it!).

Also be mindful of who can see any lists or screens when they enter premises; try to ensure that hard copy registers, or screens, aren't left unattended for all to see.

The Information Commissioner's Office (ICO), which is the body responsible for data protection compliance in the UK, has provided some simple, practical guidance about the steps which businesses can take to keep data safe.

You will need to share the information with NHS Test and Trace, where the scheme deems it necessary for you to do so. Department of Health and Social Care guidance provides details of what contact tracers will and won't ask you for, and the number they will call from, so that you can be sure of the identity of the tracer, and that you are not sharing the information with a hoax.

GDPR requires you to be transparent about the information you collect about people, what you do with it, and who you share it with. You can do this via a notice at your premises or on your website, setting out that you will be collecting contact information for the purpose of NHS Test and Trace, and that you will share it where required to do so, with the scheme.

If you already have a data collection notice – for example, because you are already using contact information about your customers and visitors for other purposes (see question 11)), then you should revisit it and if necessary, update it so that it is clear that contact information will also be used going forward, and for the time being, for NHS Test and Trace purposes.

The ICO has advised that in some circumstances, where it is possible that sensitive information/special category data might be revealed about someone as a result of recording their contact details for test and trace purposes, consent should be obtained from the individual concerned first. In this situation, consent would have to be sought in addition to the information that you provide to customers about the data you need to collect from them and why. For example, where you are recording a visitor's details in relation to attendance at a service at a place of worship – you might be able to infer their religious beliefs from the fact that they attended, which is regarded under data protection law as sensitive, or special category data giving rise to the need to obtain consent (via a specific consent form completed by the visitor) before you collect this type of information for test and trace. Note that consent must be freely given, so the visitor should not be denied entry to premises, simply because they are not willing to give their consent to their details being collected in this way.

Government guidance doesn't specifically require this. However government guidance does recommend that businesses carry out a risk assessment for COVID, and this may well lead you to conclude that temperature checking is necessary and appropriate in order to discharge your health and safety duties/obligations. For example, temperature checking is a measure which many gyms have indicated that they will take before permitting entrance of their members into their premises.

If you do reach this conclusion, bear in mind the additional rules in GDPR which apply to protection and processing of special category data (our recent briefing on protecting employee data collected for Covid-19 related purposes sets out the rules for special category data, which would also apply to data collected about customers and visitors). Data about a person's health – such as temperature levels – counts as special category data. In short, limit what you collect to what is adequate, relevant and necessary; limit who has access to the data to those who need to know only; and consider the additional transparency and accountability requirements as set out in that briefing.

Also consider whether other alternatives would work better/be more effective – for example, asking customers to take their own temperature, and instructing them to only come to a venue if their temperate level is considered safe (this effectively means that you as a business don't have to collect the data yourself, thereby sidestepping GDPR in this regard).

Only if NHS Test and Trace asks you to contact customers yourself. In most cases, NHS Test and Trace will take responsibility for sharing data about a person's state of health with others who that person has come into contact with. Or you may be asked to contact other customers who were in your premises at the same time, but it might be a case of informing them on a no names basis.

Thermal cameras are essentially, another method of temperature testing so please see our answer to question 8) above for further information.

There are specific rules and guidance around the use of CCTV on premises; it should only be used for particular purposes, such as security, and even then, only if there is no other way to achieve the same purpose; camera location must be thought about carefully and kept only to those areas where it is absolutely necessary to have a camera (and provided that this does not result in an intrusion of privacy); and transparency is of the utmost importance; there must be clear signage up indicating that CCTV cameras are in use, and where they are.

Its worth bearing in mind that CCTV won't necessarily help in solving the identity of the visitors to your premises (for the purpose of aiding test and tracing or as an alternative to recording name and contact details); unless they are all wearing name badges, or you already know who they are. Where you can identify someone from CCTV, and provided your signage is adequate to inform customers/visitors that their data will be used in this way (eg if signage indicates that CCTV is in use for public safety purposes), and where you can't establish the information another way (for example, through collecting data via your booking system or on entry into premises), then make sure that you limit use of any information obtained this way to what is absolutely necessary only.

If you would have already collected the data (ie as part of advanced booking system etc), then hopefully you will already have followed GDPR rules in relation to the collection and processing of such data, in which case you can still use it for the original purposes that you collected it for, assuming that you have followed all necessary GDPR rules for processing the data.

However, it is not advisable to follow the example set by some businesses (according to recent press reports) – and use personal data collected specifically for test and trace purposes, to market to customers. This, in data protection terms, is a big no no.

Data protection legislation provides individuals with rights that they can enforce in respect of the personal data that an organisation holds about them. One of these includes the right to ask for access to all such data. You will therefore need to make sure that you have processes in place to enable you to respond to such requests if needs be, in accordance with legislative requirements.

The above guidelines can also be applied to other consumer facing businesses which continue to open up too – such as gym, beauty salons and theatres. Many gyms will already be familiar with data protection requirements through collecting member data, and will already have systems in place, via access cards, to log who attended their premises and when. However, they will still need to update policies to reflect the new use and potential disclosure of data in respect of test and trace, and extra care will need to be taken where for example they conclude, as a result of a risk assessment, that temperature checks are necessary.