Updated guidance from the Department of Health and Social Care requires businesses in certain sectors to collect and record contact details of staff, visitors and customers for Test and Trace purposes. As businesses plan to reopen as part of the Roadmap to end COVID restrictions, it’s important to ensure you follow the new rules.
The updated guidance requires the following details to be collected from ALL staff, customers and visitors over 16 years old. Previously, if groups were entering hospitality venues, for example, businesses only needed to collect details from the lead person in the group.
Visitors and customers may prefer to scan an NHS Test and Trace QR code to record their visit, in which case you do not need to record their details, but you should ask to see the onscreen confirmation on their device that the registration has been completed.
You can create a QR code for your business here. These should be displayed at every entrance to your premises.
What information do you need to record?
- the name of the customer or visitor
- a contact phone number for each customer or visitor. If a phone number is not available, you should ask for their email address instead, or if neither are available, then postal address
- date of visit, arrival time and, where possible, departure time
- the name of the assigned staff member, if a customer or visitor will interact with only one member of staff (for example, a hairdresser). This should be recorded alongside the name of the customer or visitor.
- You must register with the ICO if you are required to collect the data shown above, as this process classifies you as a Data Processor under GDPR Regulations.
- You should display a copy of your Privacy Notice within your premises, and on your website to ensure customers are aware of how their data will be used. An example Privacy Notice can be found here.
What should you do with the data?
- Data should be kept securely for at least 21 days.
- After this time, the records should be securely destroyed.
- The data cannot be used for any other purpose, eg Marketing.
You are legally required to share the data with NHS Test and Trace immediately if they request it. They will contact you from 0300 013 5000 and will send you an email with instructions to follow. You do not have to contact your customers; NHS Test and Trace will do so. if you’re unsure whether contact is genuine, you can check with your local council.