New guidance has been released by the Government on maintaining test-and-trace records of staff, customers and visitors during the COVID-19 pandemic. This guidance applies to establishments in the hospitality, tourism and leisure sectors, and close-contact services such as hairdressers. It explains how organisations can keep records in a way that is proportionate, effective and manageable, and therefore in accordance with the GDPR.
Essentially, an organisation should collect information (ideally in a digital format) about:
- Staff: Names of staff, contact phone numbers and the dates and times they are at work.
- Customers and visitors: Name of the customer or visitor (or lead member of a group and number of people in the group), contact phone number, date of visit, arrival time and, where possible, departure time plus the name of the assigned staff member.
No additional information should be collected for these purposes. The records should be held for 21 days to support NHS Test and Trace, and then securely disposed of or deleted, although they can be retained for other purposes in accordance with the GDPR.
Note that customers and visitors can choose to opt out. In relation to data protection, the guidance states that consent is not required, but consent is recommended in relation to sensitive personal data.
Organisations should make clear why the information is being collected and what they intend to do with it, for example by way of a notice on the premises or on a website. The guidance also reminds organisations of the requirements in relation to the security of personal data, and that information specifically collected for this purpose must not be used for marketing or other purposes.
In relation to sharing with NHS Test and Trace, the information will only be requested where necessary in certain circumstances, and NHS Test and Trace will only use the data for the purpose of protecting public health.