NHS Test and Trace data collection made law: Everything businesses need to know

Dan Martin
Freelance content creator & event host, Dan Martin Content & Events

Posted: Fri 18th Sep 2020

It is now law for certain businesses in England to collect customer and staff data for NHS Test and Trace to help combat the spread of coronavirus. From 24 September, they also need to display an official NHS Test and Trace QR code poster. This detailed Q&A, provided to Enterprise Nation by the Department of Health and Social Care, outlines what businesses need to do to comply.

Please note that as well as the information on NHS Test and Trace data below, it is now also an offence for a business to fail to adhere to 'the rule of six' (respecting all exceptions to this) when taking a booking by allowing entry to a group of more than six people. Once groups are within the premises, businesses also risk offending if they fail to advise groups not to merge in ways that breach the rules.

What do we have to do?

You must keep a temporary record of your staff, customers and visitors and hold these records for 21 days. You will need to provide this information to the NHS Test and Trace service if it is requested.

From 24 September, you must also display an official NHS QR code poster, so that NHS COVID-19 app users have the opportunity (if they prefer) to check in to the venue in this way. You can get a QR poster here.

You should not require individuals to both provide contact details and scan in via QR code; one will suffice.

The NHS QR code posters are a quick and secure way for visitors to anonymously register that they have been to your venue. This allows customers or visitors to receive important public health messages if needed.

Is it mandatory for businesses and organisations to do this?

Yes, it is mandatory for businesses and organisations in scope to ask all customers and visitors to provide contact details.

From 24 September, it is mandatory to display an official NHS QR code poster so that customers and visitors can scan the QR code using their NHS COVID-19 app if they prefer. Scanning the QR code will be an optional alternative to providing contact details.

Any organisation in scope that is found not to be compliant with these regulations will be subject to penalties. It is vital that relevant venues comply with these regulations to help keep people safe, and to keep businesses open.

What if visitors refuse to give their contact details or check in via the app?

The hospitality sector will be required to ensure that customers and visitors provide their contact information before allowing entry to the venue. You should not permit entry to any individual who does not either scan the QR code or provide their contact details, or to any group where at least one person (the 'lead' member) does not leave their contact details.

Other sectors in scope should not refuse entry to individuals, but encourage visitors to share their details or scan the NHS QR poster in order to support NHS Test and Trace and advise them that this information will only be used where necessary to help stop the spread of COVID-19.

If the individual becomes unruly you should notify the police.

What are the penalties for not complying?

The regulations will be enforced by local authorities, who have the power to issue fines of up to £1,000 for venues that are failing to comply, or the police as a last resort. Fines will rise to up to £4,000 for repeat offenders.

How do we collect their details?

For app users, you can promote using the NHS QR code as a simple, quick and easy way to check in to a venue.

However, use of the app is voluntary and individuals should be allowed to leave their contact details if they prefer or if they do not have the app. You should not stipulate that they must use the QR code.

If some members of the party choose the QR code, but others do not, you will need to ensure at least one person (the 'lead member') leaves their contact details and the number of people in their group (maximum 6).

If the whole group chooses to check in using the QR code, then the venue does not take the name or contact details of any member of the group.

When someone enters a venue and scans an official NHS QR code poster, the venue information will be logged on the user's phone. The device will check if users have been at that location at the relevant time and if the app finds a match, users will get an alert anonymously with advice on what to do based on the level of risk.

What information do we have to collect?

The following information should be collected by the venue for those people that have not checked in using the QR code:

Staff

  • The names of staff who work at the premises.

  • A contact phone number for each member of staff.

  • The dates and times that staff are at work.

Customers and visitors

  • The name of the customer or visitor. If there is more than one person, then you can record the name of the 'lead member' of the group and the number of people in the group.

  • A contact phone number for the lead member of a group of people.

  • Date of visit and arrival and, where possible, departure time.

  • If a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer.

No additional data should be collected for this purpose.

Recording both arrival and departure times (or estimated departure times) will help reduce the number of customers or staff needing to be contacted by NHS Test and Trace. We recognise, however, that recording departure times will not always be practicable.

How can I be sure that someone has checked in using the QR code?

Venues should look at the individual's phone screen to verify that they have checked in.

What if a person provides false details? Do we need to do ID checks?

The accuracy of the information provided will be the responsibility of the individual who provides it. You do not have to verify an individual's identity for NHS Test and Trace purposes.

In addition to displaying a QR code, how should we collect the data for non-app users?

Many organisations that routinely take bookings already have systems for recording their customers and visitors - including restaurants, hotels, and hair salons. Due to the COVID-19 outbreak, more organisations are planning to implement an 'advanced booking only' service to manage the numbers of people on the premises. These booking systems can serve as the source of the information that you need to collect.

If not collected in advance, this information should be collected at the point that visitors enter the premises, or at the point of service if impractical to do so at the entrance. It should be recorded digitally if possible, but a paper record is acceptable too.

Which sectors must do this?

Establishments in the following sectors, whether indoor or outdoor settings or mobile venues, including events that take place on these premises, must collect details and maintain records of staff, customers and visitors:

  • hospitality, including pubs, bars, restaurants and cafés

  • tourism and leisure, including gyms, swimming pools, hotels, museums, cinemas, zoos and theme parks

  • close contact services, including hairdressers, and others as defined here

  • facilities provided by local authorities, including town halls and civic centres (for events), libraries and children's centres

What are the criteria for these places to have to collect data?

Any establishment in scope that provides an on-site service and any events that take place on its premises must ensure individuals either check in via QR code or leave their contact details. It does not apply where services are taken off-site immediately, for example, a food or drink outlet which only provides takeaways. If a business offers a mixture of a sit-in and takeaway service, contact information only needs to be collected for customers who are dining in.

This requirement does not apply to emergency services staff, when fulfilling their official duties, or to drop-off deliveries made by suppliers or contractors.

Part or all of my business is outside, does it apply to outside settings as well?

Yes, this applies to indoor and outdoor venues.

Is there a minimum capacity size of venue where the data would need to be collected?

No, any establishment from the sectors within scope must collect this data, regardless of how large or small the venue is.

Do we need to collect the information if we have social distancing measures in place so that no one will be within two metres of another person?

Yes, if you run an establishment in any of the sectors within scope, you will need to collect this information. This is regardless of any social distancing measures that you have put in place.

Why are retail and other sectors not within scope of this guidance?

There is a higher risk of transmitting COVID-19 in premises where customers and visitors spend a longer time in one place and potentially come into sustained, close contact with other people outside of their household. The sectors where this is most likely to happen are the sectors which are in scope.

What format does contact detail data need to be recorded in?

Ideally, the information should be collected digitally so there is a record that can be shared securely online. This will be easy for some organisations who already collect this data in a digital format. For other organisations who do not collect this data already, we want to help you to implement a system that does not place additional burdens on you.

If you don't have the capability to collect this information in a digital format, then paper-based records will be accepted. If keeping a paper record, this should be kept out of public sight. NHS Test and Trace will work with you to obtain the necessary records should they be required.

How quickly will we be expected to give the data to NHS Test and Trace if it is requested from us?

You must work with NHS Test and Trace to securely transfer the data as soon as possible. Time is of the essence and the quicker this is done the more effective NHS Test and Trace will be in reducing the spread of Covid.

If we are collecting details on paper, where should these be kept?

You should keep this data safe and secure, as you would keep any other personal data. You will need to ensure that you are compliant with GDPR, which requires you to take appropriate security measures to protect the records that you keep.

How long does the data have to be stored for?

To support NHS Test and Trace, you should hold records for 21 days. This reflects the incubation period for COVID-19 (which can be up to 14 days) and an additional seven days to allow time for testing and tracing.

What should we do with the data?

The data that we are asking you to collect is personal data and must be handled in accordance with GDPR to protect the privacy of your staff, customers and visitors. The ICO has published detailed guidance on how you can ensure you are GDPR compliant:

  • You should hold the records for 21 days, and after 21 days, this information should be securely disposed of or deleted. You must do this in a way that does not risk unintended access (e.g., shredding paper documents and ensuring permanent deletion of electronic files).

  • Records which are made and kept for other business purposes do not need to be disposed of after 21 days. The requirement to dispose of the data relates to a record that is created solely for the purpose of NHS Test and Trace. However, all collected data must comply with GDPR and should not be kept for longer than is necessary.

  • If requested by NHS Test and Trace you must share the requested information as soon as possible to help us identify people who may have been in contact with the virus and help minimise the onward spread of COVID-19.

Can we use the data for other things e.g. mailing lists?

No, if you do not already collect this data then you must not use this data for any other purposes. Any misuse of personal data that is collected for NHS Test and Trace is a serious matter and could, depending on the circumstances, lead to you being prosecuted. You must only use personal data that is collected for NHS Test and Trace, which you would not collect in your usual course of business, to share with NHS Test and Trace.

If you use it for other purposes, including marketing, profiling, analysis or other purposes unrelated to contact tracing, you will be in breach of GDPR. You must not misuse the data in a way that is misleading or could cause an unjustified negative impact on people e.g. to discriminate against groups of individuals.

When will NHS Test and Trace ask for the data?

NHS Test and Trace will ask for these records only where it is necessary, for example if your premises has been identified as the location of a potential COVID-19 outbreak.

Do we have to note where people go on our premises?

If you already collect this data or it is easy to do so (e.g., table settings in a restaurant), then please do so. However, if this is not practical, then you do not need to.

What about contractors/visitors (e.g., someone pops in to deliver food to my pub etc), do I need to keep their details too?

If you have contractors and visitors on site, then you should record their contact details. However, you do not need to record contact information of people spending a short amount of time on the premises (e.g., a supplier or contractor who is making a delivery). If the visitor will spend longer on site, then their details should be captured.
Similarly, this does not apply where services are taken off-site immediately, for example, a food or drink outlet which only provides takeaways.

What should we do if a customer approaches us directly to tell us they've tested positive?

If a customer tells you they have tested positive for coronavirus, you should tell them to self-isolate as soon as possible and to register their contacts with NHS Test and Trace.

You should not use the log of customer details you have collected to contact other customers yourself. Instead, if NHS Test and Trace assess that the customer was on your premises while potentially infectious, they will contact you to provide support and to obtain the details of anyone who may have been exposed to the virus. You should share your log of customer details with NHS Test and Trace as soon as possible when asked to do so.

Can we collect children's contact details for contact tracing purposes?

The requirements to collect contact details would not apply where a customer or visitor is aged under 16. Designated venues should ask whether a child is 16 or over and take the answer given at face value, rather than requiring evidence of date of birth. This age limit aligns with the age limit for the app, and the 'Gillick competence'.

In many cases, a child is likely to be visiting your premises as part of a family group. Much of the guidance referenced suggests that if there is more than one person visiting your premises, you can record the name of the 'lead member' of the group and the number of people in the group. In this situation you could therefore collect an adult's contact details.

You should consider the potential risks to children's data to be greater and therefore make sure that you protect the data and handle it appropriately.
