COVID-19: Data Protection post Lockdown


With the easing of lockdown measures, businesses around the country are now reopening. 

The easing of the lockdown restrictions is supported by the NHS Test and Track system. Businesses are being asked by the government to maintain records of staff, customers and visitors and, where requested, to share these with NHS Test and Track so that people who have been in contact with coronavirus can be identified and the spread of the virus curbed.

The government advice is that: “You should assist this service by keeping a temporary record of your customers and visitors for 21 days, in a way that is manageable for your organisation, and assist NHS Test and Trace with requests for that data if needed. This could help contain clusters or outbreaks.”

However, whilst such records may be easy to collect for certain businesses such as restaurants, hairdressers and hotels, others such as cafes and pubs that do not maintain booking systems or apps may struggle. The government has confirmed that there is no need to maintain records through a formal booking system or app if you do not have one. Records may be kept in a manner which is manageable for your business, which means paper records can be kept if this is more practical.

To assist businesses with collecting the data required, the government has published guidance on ‘Maintaining records of staff, customers and visitors to support NHS Test and Trace’.

A summary of the government guidance is set out below.

Does record keeping apply to my business?

The new guidance applies to:

  • hospitality, including pubs, bars, restaurants and cafés
  • tourism and leisure, including hotels, museums, cinemas, zoos and theme parks
  • close contact services, including hairdressers, barbershops and tailors
  • facilities provided by local authorities, including town halls and civic centres for events, community centres, libraries and children’s centres
  • places of worship, including use for events and other community activities.

Record keeping will not apply if your business provides only services that are taken off-site, e.g. takeaway food or drink or deliveries made by suppliers. However, the guidance suggests that where your business provides both takeaway and dine-in services, information needs to be collected for those customers sitting in.

If I am a business that is subject to record keeping, what information should I collect?

The government guidance suggests the following information should be collected:

  • staff:
    • the names of staff who work at the premises;
    • a contact phone number for each member of staff; and
    • the dates and times that staff are at work
  • customers and visitors:
    • the name of the customer or visitor (if there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group);
    • a contact phone number for each customer or visitor, or for the lead member of a group of people;
    • date of visit, arrival time and, where possible, departure time;
    • if a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer.

The Information Commissioner’s Office has also provided guidance in its recently published ‘ABCDE’ steps guide. The 5 simple steps it suggests help businesses consider what they need to think about and do, from a data protection point of view, when collecting and keeping a record of data from staff, customers and visitors.

The ‘ABCDE’ steps are:

  • Ask for only what’s needed
  • Be transparent with customers
  • Carefully store the data
  • Don’t use it for other purposes, and
  • Erase it in line with government guidance

Further Q&As have also been published by the ICO addressing queries that businesses (new to dealing with maintaining personal data records) may have around the collection and retention of personal data.

Most businesses will not need to rely on consent from individuals to collect the data required in respect of NHS Test and Track.  However, the government and ICO guidance each suggest that consent “is sought in sensitive settings such as places of worship and for any group meetings organised by political parties, trade unions, campaign or rights groups, other philosophical/religious groups or health support groups. This is because of the potentially sensitive nature of the data collected in these circumstances.”

What happens if I do not collect data and keep records as suggested?

At the moment there appears to be no statutory obligation for businesses to collect data and keep records to support the NHS Test and Track.  The government guidance only suggests that businesses ‘should assist’.  It is unclear whether this may change going forward.

Whilst there may be no strict legal requirements to adhere to the government guidance, not co-operating may be detrimental to your business.  Customers will see that the business is not observing government and public health guidance and may be less confident to frequent your establishment.

The guidance also confirms that “there is also a wider system of enforcement, which includes specific obligations and conditions for licensed premises”, adding “regulators are carrying out compliance checks nationwide to ensure that employers are taking the necessary steps.” It is therefore likely that businesses will be closely monitored either at a local authority level or through the various regulators who monitor health and safety in the workplace. The failure to follow the government guidance may be caught by these measures.

What happens if my customers refuse to provide the required data?

It is not mandatory for your customers to provide this data. The government guidance asks that you “please encourage customers and visitors to share their details in order to support NHS Test and Trace and advise them that this information will only be used where necessary to help stop the spread of COVID-19.” If the customer tells you that they do not want their data used for the NHS Test and Track, you must not share their booking details with NHS Test and Track.

Assuming I shall be retaining records per the government guidance, what immediate practical steps should I take?

  • Display a clearly visible notice at your premises and on your website confirming the data you will be collecting, what it will be used for and that it may be made available to the NHS Test and Track.
  • Consider existing data collection and record keeping processes to establish whether any changes are required to these.
  • Update your privacy policy to reflect changes to data collection, record keeping and use of data.
  • Keep data processing activities continuously up to date, including a record of the disposal of data collected for the purpose of the NHS Test and Track (data for the Test and Track must only be kept for 21 days, after which it must be disposed of unless the information is to be retained for some other business purposes).
  • Ensure that data collected is secure and is not used for any purpose unrelated to the NHS Test and Track (it must not be used for marketing).
  • Make sure all staff are trained adequately and are aware of the government guidance and any new requirements relating to data collection and record keeping within your business.

The above does not constitute legal advice, nor does it provide a complete list of issues to consider in the context of COVID-19 and the collection and recording of personal data for the purpose of NHS Test and Track. Should you have any queries, please do not hesitate to contact the author of this article.

Mona Patel Partner
