Professional Comment

Adhering to GDPR When Assisting NHS Test and Trace

By Hiren Gandhi, partner at Blaser Mills Law (

Since the hospitality sector was permitted to reopen on 4th July 2020, there has been a heavy emphasis on assisting NHS Test and Trace to support the gradual easing of the social and economic lockdown measures, following the COVID-19 outbreak.

This means every hotel, pub and restaurant has been urged by the government to keep a temporary record of all customers and visitors for 21 days in a way that is manageable for the business and adheres to general data protection regulation (GDPR). By maintaining records of staff, customers and

visitors, and sharing this information with NHS Test and Trace if request- ed, people who may have been exposed to the virus can be easily identi- fied and told to self-isolate to prevent further spread of the disease.

As a business owner, it can be difficult to know what you should be aware of and what information you will need to store to assist NHS Test and Trace, whilst ensuring your business adheres to GDPR regulations. Here are the main things you need to consider:


Where possible, the government is asking the hospitality sector to keep track of all the names, contact numbers and visiting dates of staff, customers and any other visitors to the premises.

Many businesses will already have a booking system in place to record customers’ details safely and securely, however those who do not are asked to begin implementing it to help fight the spread of COVID-19.

The information can be collected in advance e.g. upon booking, it can also be collected at the point that customers enter the premises or at the point of service.The government advised that this information should ideally be recorded digitally as it is likely to be more secure, but a paper record is also acceptable.

Businesses are also urged to record both the arrival and departure times of customers if possible as it can narrow down the number of people who will need to be contacted by NHS Test and Trace if some- one who recently visited the premises tests positive for COVID-19.

Records of staff, customer and visitors’ information that is kept for the purpose of NHS Test and Trace should be deleted after 21 days. This reflects the 14-incubation period of the virus, as well as an additional 7 days to allow time for testing and tracing.

Once 21 days has elapsed, this information should be securely disposed of or deleted in a way that does not risk unintended access.


Businesses must bear in mind that the information the government is asking them to collect is personal data and therefore must be handled in accordance with GDPR in order to protect the privacy of staff and cus- tomers.

It is not necessary for a business to seek consent from each individual person before requesting information, but it must be made clear as to why the information is being collected and what the business will do with it. Staff and customers are within their rights to refuse to give the information asked of them, however businesses should encourage people to provide the relevant details. Individuals also have the right to exercise their data protection rights, such as the right of erasure.

Personal data that is collected for the purposes of NHS Test and Trace, which would not otherwise be collected in the usual course of business, must only be used for that reason. Businesses should not use this information for any other purposes, such as marketing. If this is done, the business is in breach of GDPR and could face legal sanctions, as well as litigation from customers who have had their data breached.

It is important that businesses implement appropriate technical and security measures to protect this data.The ICO has produced guidance to help with this to ensure data is kept safely and securely.These partic- ular measures will depend on how a business chooses to store the information, for example the security measures would differ whether the data is recorded electronically or as a hard copy.


Businesses collecting such data should do everything in their power to protect this information from data breaches.This includes ensuring their record keeping is watertight, as well as ensuring any information shared is only with NHS Test and Trace.

Employers in the hospitality sector should make all employees aware of the potential fraudulent activity they may experience from someone pre- tending to be from the NHS Test and Trace centre. Employers should provide their employees with information on how NHS Test and Trace will contact businesses for information, this will enable employees to identify fraudsters and ensure that the data does not fall into the wrong hands. Contact tracers will call from a 0300 number or may ask you to sign into the NHS Test and Trace contact-tracing website.They will never ask businesses or individuals to dial a premium rate number, ask for any social media identities or logins, ask you to download any computer software or hand over the control of your PC or ask you to access any website that does not belong to the government or NHS.

If anyone at the premises is contacted by someone claiming to be NHS Test and Trace and it does not seem legitimate, they should not hand over any personal data collected by the business.

If a business requires further guidance on how they can ensure they are adhering to GDPR when collecting data for NHS Test and Trace, they should speak to a reputable lawyer who can look at their business structure and advise further.