News & Insights

Collecting data to support the NHS Test and Trace

The Department of Health and Social Care (“DHSC”) have published guidance on which organisations should collect details and maintain records to support NHS Test and Trace.

The Department of Health and Social Care (“DHSC”) have published guidance on which organisations should collect details and maintain records to support NHS Test and Trace.

During the COVID-19 pandemic businesses have an important role to play in keeping everyone safe. Following the recent easing of lockdown restrictions the DHSC have issued guidance on how organisations can assist with the NHS Test and Trace scheme by keeping a temporary record of customers and visitors for 21 days.

By maintaining staff, customer and visitor records and sharing these with the NHS Test and Trace organisations will be able to identify individuals who may have been exposed to the virus and allow outbreaks to be contained.

This guidance is relevant to organisations with premises associated with higher risk of transmitting COVID-19. This is any establishment which provides an on-site service or operates at premises where people are likely to stay for a prolonged period of time with a chance of coming into close contact with people outside their household, for example:

  • Hospitality (pubs, bars, restaurants and cafes);
  • Tourism and leisure (hotels, museums, cinemas, zoos and theme parks);
  • Close contact services (hairdressers, barbershops and tailors);
  • Local authority services (town halls, civic centres, community centres, libraries and children’s centres); and
  • Places of worship.

Where possible, the following data should be collected:


  • Names of staff who work on the premises;
  • Contact numbers;
  • Dates and times that staff are at work;

Customers and visitors:

  • Names of customers or visitors, if there is more than one then the name of the group leader and the number of people in the group;
  • Contact numbers;
  • Date of visit, arrival time and where possible departure time;
  • If the customer will only interact with one member of staff, the name of that staff member.

If the organisation operates an advance booking system, this information can be used for the purposes of NHS Test and Trace. Ideally the data should be stored electronically, but paper recording is also acceptable. Individuals should be encouraged to provide their information but must be offered the opportunity to opt out, in which case the information should not be shared. Organisations are under no obligation to verify the accuracy of the information provided. It is now very common for businesses to have QR codes at the entrance to their premises, enabling customers to use the NHS COVID-19 app to register their presence for Test and Trace.

Data obtained for NHS Test and Trace purposes should be stored for 21 days, then securely disposed of or deleted in a way that does not risk unintended access by third parties. If the data has been obtained for other business purposes it will not need to be deleted after 21 days.

All data must be processed in accordance with the GDPR, in particular bearing in mind the GDPR’s “data minimisation” principle –  only necessary data should be collected, it should not be kept for longer than necessary and it must only be used for the purpose it has been collected.

Organisations must provide clear privacy statements explaining what data is being collected, why, for how long and under what circumstances it will be shared. This means that if data is collected for ordinary business purposes it must be clear that this data may also be shared with the NHS Test and Trace. This can be done displaying a notice on at the premises or on the website.

It is also important that the organisation has sufficient technical and security measures in place to adequately protect personal data and enable individuals to exercise their data protection rights.

If NHS Test and Trace requires your organisation to share the data they will contact you directly using the following methods:

  • Call from 0300 013 5000;
  • Text you from “NHStracing”; or
  • Ask you to sign into the NHS Test and Tract contact-tracing website.

NHS Test and Trace remains in place following the removal of most COVID-19 restrictions on 19 July 2021. As such, it is crucial that organisations continue to follow the Test and Trace guidance.

By providing data to the NHS Test and Trace scheme organisations play a critical role in keeping the public safe and containing outbreaks of the virus, if you have any questions about how this guidance might affect your business or data protection more generally please contact us using [email protected].