DHSC publishes guidance on Test and Trace records

3 mins

Posted on 13 Jul 2020

The Department of Health and Social Care (DHSC) has published guidance on maintaining staff, customer and visitor records to support the NHS Test and Trace scheme. 

The guidance, which applies in England, will be of most use to organisations in the hospitality, tourism and leisure industries. The guidance will also assist businesses where close contact is inevitable (such as hairdressers, nail bars and beauty salons).  Similar guidance is being produced for Wales, Scotland and Northern Ireland.  

This guidance should be considered alongside the ICO’s detailed guidance on Test and Trace.

Key points include:


Records collected for Test and Trace should be kept for 21 days. After that, they should be securely disposed of, or deleted, although they may be retained for other purposes, so long as this is permitted by the GDPR. 

Types of data 

The guidance suggests the following data should be collected:

  • Staff: Names, contact phone numbers and the dates and times they were at work 
  • Customers and visitors: Names (or lead member of group and number of people in the group), contact phone number, date of visit, arrival and departure times and, where there is interaction with only one staff member (for example a hairdresser), the name of the assigned staff

No additional information should be collected for these purposes. 

Method of collecting

Advance booking systems can collect this data. While digital information is preferable, a paper record is acceptable. 

Lawful ground for processing

Consent is not necessarily required. The data can be requested and shared for public health and safety purposes. However, for special category data (for example at places of worship), consent is recommended.

Organisations must be clear why the information is being collected and what they intend to do with it and can communicate this through a notice at the premises or on a website.

The information collected specifically for Test and Trace must not be used for other purposes, such as marketing.

Sharing the data with NHS Test and Trace

NHS Test and Trace will only request the data where necessary. The guidance states NHS Test and Trace will only use the data for the purpose of protecting public health.


As lockdown starts to ease, we are seeing lots of guidance from the ICO, and other organisations on how to collect new types of data. Organisations should check their proposed methods do not conflict with the ICO’s guidance and the grounds for processing under the GDPR. Written records on processing data for new purposes should be kept to comply with the GDPR’s accountability principle.

The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.

Back to top