If you decide to collect customer and visitor information as part of the Government’s COVID-19 contact tracing scheme (Scheme), you must do so in a manner that is compliant with the Data Protection Act 2018 (DPA). This is because the information you collect is likely to be deemed personal data that is protected under the DPA.
You should initially check government guidelines for information on whether your business is encouraged to collect contact information as part of the Scheme. You can do this HERE.
If you are intending to take part in the Scheme, you should consider (and where appropriate, action) the following:
- What is your lawful basis for collecting the information? If the government is asking you to collect customer data, then it is likely that your lawful basis under the DPA will either be legitimate interests (if you are a private organisation) or a public task (if you are a public body). You should steer away from relying on consent unless you are collecting sensitive personal information (such as health information) or it is completely voluntary for a customer to provide their personal data. The Information Commissioner (ICO) recommends that you should rely on consent if you provide a service to small groups or on a one-to-one basis (e.g. massages). This is because the information you may be asked to share may only apply to one or two people, making it more likely that you would make assumptions about your customer’s health.
- You must be clear, open and honest with people that you are collecting their data for a contact tracing scheme (such as the NHS Test and Trace), who you will share it with and how long you will keep it.
- The government has specified the exact information you should collect for contact tracing, which can be accessed HERE. You should familiarise yourself with the government’s requirements and not collect any additional information for the purpose of contact tracing.
- You must only keep the information for as long as it is needed. In England, the current period for retaining information collected for contact tracing is 21 days. Once this period has passed, you must securely dispose of the information (e.g. by shredding paper documents or permanently deleting digital records).
- For the purposes of contact tracing, you only need to accurately record the information that the customer/visitor provides to you. It is not necessary to conduct identity checks to validate that information (unless this is something your business would ordinarily do, for example, age verification at licensed premises).
- All customers/visitors have certain rights under the DPA in relation to their personal data. This includes, but is not limited to, the right of access to their data and the right to ask for any inaccurate data to be corrected. You must ensure that you have measures in place to recognise, and where appropriate, action, any such requests.
- Information must only be shared when it is requested by a legitimate public health authority. If you are asked to provide information to a contact tracing scheme, you must ensure that the caller is genuine and only share the information securely.
The above is a non-exhaustive list of points to consider when collecting information for contact tracing. The ICO has provided additional information which can be accessed HERE.
Please note, the information included in this update is correct at the date of publishing.