How to collect contact information to help NHS Test and Trace
This guidance relates to England.
The Government is asking businesses where people spend an extended period to collect information to assist with contact tracing by the NHS should the need arise.
Examples of applicable businesses are:
- Hospitality businesses such as restaurants, bars, and cafes should collect contact details where customers will stay inside or outside premises – but not if just takeaway or delivery services.
- Hotels, museums, cinemas, zoos, and theme parks
- Close contact businesses such as hairdressers, barbers, and tailors
- Local authorities providing facilities such as libraries, event spaces
- Places of worship
Collecting contact information is voluntary and customers do not have to provide it. Staff, visitors, and customers can also opt out by asking the business not to pass on their contact information to NHS Test & Trace.
Businesses are encouraged to explain that this information is being collected for NHS Test & Trace and it will only be used to stop the spread of COVID-19.
Both the Information Commissioner Office and the Government have issued guidance to enable businesses who might not normally collect this information to carry this out in line with the GDPR (General Data Protection Regulation).
Key steps to collecting contact data:
- Only ask for what is required – name (lead member name can be taken if it is a group and the number in the group), contact number, date of visit, arrival time, departure time if possible.
N.B. You should not ask for I.D to prove details are accurate (unless you already do this for other purposes e.g. age verification).
- Be clear what the information is for, why you need it and that it will not be used for anything else. This could be communicated by a privacy notice on a displayed notice or on your website. If you already collect this information as part of your booking process you should explain that this information could also be given to NHS Test & Trace. Remember, the person can ask you not to pass the information on and you should make a note that they have opted out.
- Look after the data by storing it securely. The information can be collected in any way you wish however you should ensure that whichever method you use, the data can be securely stored on a device or computer or locked away if a physical written record. Here are some useful tips from the ICO on data security
- Do not use the information for anything else such as marketing.
- Destroy or erase the information after 21 days. Bear this in mind when thinking about the way you are going to collect the information. If you are going to use a paper diary or log, each day you could remove and shred the page that was 21 days previously. If you have a digital record you should ensure that the information is deleted from recycle folders and any cloud or back up storage.
Other things to consider:
- Ensure that your staff understand the key steps of collecting customer data
- Provide clear guidelines as to what to do if a customer becomes difficult. For example, getting a senior manager to speak with the customer or you could prepare a few phrases for staff to use in these instances.
- Consider if your customer is visually impaired or perhaps can’t read English; you could prepare a large print version, use the ‘read aloud’ function on a word document or translate any notices that you have.
A simple way for a small business to do this, is to make contact forms available for customers and visitors to complete, which they place in a secure box as they leave. At the end of each day, these can be collated and stored in an envelope in case needed – or destroyed 21 days later.
If you want to reassure your staff, visitors, and customers that you are following best practice, ask us about COVID-SAFE UK Approval