Customers sit outside a café entering test and trace data

Test and trace – protecting data collected from customers

23 Sep 2020

The Information Commissioner’s Office (ICO) has published data protection guidance for organisations mandated to collect customer and visitor information for test and trace purposes.

Since 18 September, the UK government has made it mandatory for all businesses in the hospitality, leisure and tourism sector, and close contact businesses such as barbers and beauticians, in England to collect customer information for the test and trace programme.

The ICO is advising organisations across the UK to follow five simple steps so they handle people’s information responsibly. Organisations must:

Only ask people for the specific information that has been set out in government guidance;
Be clear, open and honest with people about what is being done with their personal information;
Keep people’s data secure. Organisations should not use open logbooks, and should ensure their customers’ personal information is kept private;
Not use the personal information collected for contact tracing for other purposes, such as direct marketing, profiling or data analytics; and
Erase or dispose of the personal information collected after 21 days.

Organisations do not have to ask people for their information if individuals are using a contact tracing app to check into venues. They should not make the use of contact tracing apps mandatory, and should give people options to give their details for contact tracing purposes.

The ICO has developed clear examples and case studies that organisations can use to ensure they are collecting customer information securely and complying with data protection law.

Ian Hulme, ICO’s Director of Assurance, said:

“We appreciate the challenge that many businesses face, particularly those that are handling personal data in this way for the first time. Our aim is to help the thousands of businesses that are doing their best to do the right thing. We want to support and guide them to handle people's data responsibly and keep it safe and secure.”

Kate Nicholls, CEO of UKHospitality, said:

“There is now an even greater need for hospitality businesses to focus on test and trace. It’s critical that data protection is at the heart of all of our efforts. We know organisations have a lot to think about during this time and we are keen that the ICO guidance is well publicised and well understood.”