Retaining staff and customer details for NHS Test and Trace is now mandatory


Since 18 September 2020, in England, it has been a legal requirement for businesses in the following sectors to keep a temporary record of customers and visitors for 21 days to assist NHS Test and Trace, unless visitors are ‘checking in’ using a QR code:

  • Hospitality where food or drink is to be consumed on the premises, including pubs, bars, restaurants and cafés
  • tourism and leisure, including hotels, museums, cinemas, zoos and theme parks
  • close contact services, including hairdressers, barbershops and tailors
  • facilities provided by local authorities, including town halls and civic centres for events, community centres, libraries and children’s centres

 To comply with the Regulations, businesses in these sectors must:

  • Ask one member of every party who visits their premises to provide their contact details to assist NHS Test and Trace. This applies unless the customers are under 16 or have a mental or physical disability that means they are unable to provide the details. Venues should refuse entry to those who refuse to provide contact details.
  • Have a system in place to ensure they can collect that information from their customers and visitors, and provide this data to NHS Test and Trace, if it is requested.
  • Display an official NHS QR code poster from 24 September 2020 which is visible on entry to the premises, so that customers and visitors who have downloaded the new NHS COVID-19 app can use their smartphones to check in easily. Businesses can do this via the following link:

Visitors should then scan the QR code when they arrive at the premises, using the NHS COVID-19 app which launches on 24 September 2020 in England.

Businesses which have been using their own QR code-based systems for test and trace should switch to the NHS version instead.

The following information must be requested and retained for 21 days:

a) the name of the individual;
b) a telephone number on which the individual may be contacted;
c) an e-mail address if the individual is unable to provide a telephone number;
d) a postal address if the individual is unable to provide an email address;
e) the date and time that the individual entered the relevant premises;
f) where the individual is a member of a group seeking permission to enter relevant premises, the number of people in that group.

An alternative system, such as a handwritten register or other paper-based records, must also be maintained by businesses in these sectors for visitors who do not have smartphones.

Additionally, all employers, regardless of size or sector, are required to keep records of staff shift patterns for a period of 21 days, in case they are contacted by NHS Test and Trace requesting this data.

Businesses do not have to inform customers individually or obtain their consent to retain the customer’s details. They may, for example, display a privacy notice at their premises or on their website setting out what the data will be used for and the circumstances in which it might be accessed by NHS Test and Trace.

The Government has published guidance on how this can be done in line with data protection legislation, which includes an example template privacy notice at Annex B:

A failure to collect and maintain details for 21 days, where there is a legal requirement to do so (unless visitors are ‘checking in’ using a QR code), may be enforced by fixed penalty notices starting at £1,000 and increasing for each further offence up to £4,000,

If the customer does not want to share their details, then premises should refuse to offer the service requested if they are a hospitality business providing food and drink where it is consumed on the premises. Refusing a customer entry in this circumstance will also avoid the risk of the business facing a fine. Venues in other settings to which the Regulations apply do not need to refuse entry but should encourage customers and visitors to share their details or scan the official NHS QR poster in order to support NHS Test and Trace.

Every organisation or sole trader who processes personal information, including for the purposes of contact tracing for COVID-19, must be registered with the Information Commissioner’s Office (ICO) and pay a data protection fee unless they are exempt.

Similar legislation also applies in Wales and Scotland.  Guidance on maintaining records of customers and visitors for hospitality businesses in Northern Ireland has also been published.

Prior to 18 September 2020 it was advisory, but not mandatory, for businesses in these sectors in England to retain customer records for 21 days and for employers to retain records of staff shift patterns for 21 days to coincide with the introduction of NHS Test and Trace in May 2020.

The NHS Test and Trace service:

  • provides testing for anyone who has symptoms of coronavirus to find out if they have the virus, where testing is available
  • gets in touch with anyone who has had a positive test result to ask them to share information about any close recent contacts they have had

A contact tracer will then contact those close contacts, where necessary, and notify them that they need to self-isolate by staying at home for 14 days, regardless of whether they are displaying COVID-19 symptoms.

Businesses are not required or advised to contact customers themselves.

Individuals’ information will then be used by NHS Test and Trace to inform them if they may have been exposed to a positive case or cases. 

FSB members may refer to our factsheet Guidance on Keeping Records for NHS Test and Trace available on the FSB Legal Hub.