• Date

    06 Aug 2020
  • Category

    Business Services, Technology Consultancy

Supporting the Test and Trace programme – what should businesses do?

As the country is easing out of social and economic lockdown measures, and more businesses are opening back up, businesses in certain sectors have been asked to collect data from their customers to support the Test and Trace programme (also known as Test and Protect in Scotland and Test, Trace, Protect in Wales).

This can be seen as a daunting prospect for small organisations who are not familiar with the data protection laws. In this update, we provide practical information for those businesses wanting to support the newly introduced Test and Trace programme.

What is the Test and Trace programme?

On Thursday 28 May, the NHS Test and Trace service was launched and has become a crucial element of the Government’s national strategy to reduce the spread of COVID-19. The service ensures anyone who develops symptoms of COVID-19 can be tested quickly, and traces close recent contacts of anyone who tests positive, notifying them so that they can self-isolate. Further information regarding the programme can be found on the GOV.UK website.

To help with the implementation and success of the programme, the Government have set out a new business plan, a major extension to the service, requesting businesses to collect data from their staff and customers.

The purpose of collecting this data is to track the individuals entering a business’s establishment, who can, if necessary, be contacted if a COVID-19 case is reported by another customer or member of staff, or if a potential local outbreak is noted at your location.

What have businesses been asked to do?

The Government is asking businesses to collect contact details of people in their establishment, including time of entry and departure (if possible). This could be data for both staff and customers. For groups of customers attending together, they only need to collect one of the individual’s details.

When collecting the data, it is important to note that participation is voluntary – customers do not have to provide their details. However, an organisation should encourage customers and staff to participate. Ultimately, this could help contain clusters or outbreaks of COVID-19.

Which sectors do the regulations apply to?

The sectors that need to comply with these regulations differ, depending on whether the business is located in England, Scotland or Wales. It is particularly relevant to the hospitality, tourism and leisure sectors.

Please refer to the relevant regulations for clarification or contact your local Azets advisor. You can view the relevant sector regulations, dependant on your location, here:

What data should businesses collect?

Businesses should only collect the minimum data necessary in order to contact someone. For example:

  • Name
  • Contact telephone number. (If this is not available, an email address or mailing address).
  • If a group arrives, the number of people in the group.
  • Time of entry.
  • Time of departure (if possible).
  • If a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer.

What are the data protection implications?

As this is a new activity, businesses should follow their usual data protection procedures. Specifically, they need to:

  • Document the legal basis for processing this data.
  • Update their privacy policy.
  • Update their information asset register / data flow documentation.
  • Inform their customers and staff.
  • Ensure this fits in with their response to the rights of individuals, e.g. subject access requests and correcting data.
  • Use the data collected ONLY for the stated purpose. They should not use the data collected for a different purpose, e.g. marketing.

If businesses have no current data protection processes in place, this can be a daunting prospect. They should focus their attention on the following:

  • Understand whether they now need to register with the ICO. The vast majority of businesses will already be registered as they will process staff details to facilitate employment and payroll.
  • Document the legal basis for processing data.
  • Document the data flow of the data – Where do they get it from? Where is it stored? Who has access to it? When is it destroyed?
  • Create or update their privacy policy.
  • Understand how they need to respond to the rights of individuals, for example a subject access request.

The Scottish Government have produced an example privacy notice for organisations in tourism / hospitality sectors to use in the context of contact tracing.

Sharing data with the NHS

In certain instances, and only when necessary, the NHS may ask for a copy of the data collected by a business. This is either because someone has tested positive for COVID-19 who listed the business’s premises as a place they visited recently, or because the premises has been identified as the location of a potential local COVID-19 outbreak.

Businesses should only share data with the NHS when asked to do so and only the limited amount that is requested. They must make sure they are speaking to a bona fide member of the Test and Trace team. When sharing data, make sure this is done through a secure method.

The guidelines for sharing the collected data with the NHS can be found here:

Retention / deletion

Businesses should only keep the data they have collected for the time period requested – currently this is 21 days. After this period, they should completely delete this data. If it is then still held on back-up systems, businesses need to document this in their information asset register or data flow documentation.


We all need to do our part to bring this virus under control, and contact tracing is a key component of doing this. Collecting any personal data does, however, put certain obligations on a business, not just according to laws such as the GDPR, but also to foster trust with their customers.

Being transparent and keeping details secure will help businesses comply with the Government’s request in a safe and privacy-conscious manner. 

We are here to help

If you are unsure or concerned about any of the above and need clarity on the next best step for your business, please get in touch with a member of our Business Technology Consulting team.

Please also refer to our insights page for further information, which is regularly updated with the latest news, insight and details of the economic support and measures as they are announced by our Government.

About the author

Fraser Nicol Photo

Fraser Nicol

Partner Glasgow City
View all news & insights

Related content

You might also be interested in