With the COVID-19 outbreak continuing to disrupt the economy and businesses across the UK, employers are legally obliged to maintain records of staff, visitors, and customers to help NHS Test and Trace inform those who may have been exposed to the virus.

Employers in all sectors are required to support NHS Test and Trace by handling the data collection and maintenance process according to national data protection legislation.

The UK Information Commissioner’s Office (ICO) has issued guidance on the correct protocols to employ in terms of collecting, storing, and processing sensitive data from both employees and clients, although these vary from sector to sector.

Employers’ Test and Trace Responsibilities: Employees

The ICO gives clear guidance on how to protect your employees’ data while supporting NHS Test and Trace:

  1. Only ask for information specified by the government guidelines, such as name, contact details, time of arrival etc. Unless it is standard practice to request identity verification, this should not form a part of your Test and Trace data collection process.
  2. Be transparent with employees about what data you’re collecting, and how you intend to both use it and store it. 
  3. All personal data should be securely stored and according to government instructions. That includes keeping physical documents locked away when not in use and protecting online data with strong passwords and by limiting the number of people who have access to it.
  4. Do not use NHS Test and Trace data for any other purposes, such as data analytics, profiling, or direct marketing.
  5. No personal data should be stored for longer than the government guidelines specify. Current recommendations suggest retaining data for no longer than 21 days. After that, it should be disposed of securely by shredding paper documents and permanently deleting any digital files, including copies in recycle bins and back-up cloud storage.

Data Collection Guidance: Clients and Visitors

High-risk sectors are required to collect contact details from customers and visitors, as well as their staff. These requirements apply to businesses operating in the following sectors:

  • Hospitality (bars, cafes, restaurants, and pubs)
  • Tourism and leisure (amusement arcades, cinemas, hotels, and museums)
  • Close contact services (barbers, hairdressers, tailors etc.)
  • Community services (village halls, libraries, and community centres).

Those operating in these sectors must request the following information from every visitor and customer:

  • Name
  • Contact phone number
  • Data of visit, arrival time and departure time (where possible)
  • Name of the assigned staff member (if the customer is to interact with only one staff member)

Alternatively, visitors may check-in using the NHS COVID-19 app.

Inform your clients and visitors before collecting this information, advising them as to why this data is being requested, what purposes it will be used for, and how NHS Test and Trace may accessed that information. A template privacy notice is available on the UK government’s official website.

Information about your clients and visitors, like the data you collect from your employees, must be used only as specified by the government and must be safeguarded throughout its 21-day storage period, before being securely disposed of.



As an employer, proprietor or manager, you have a legal obligation to collect contact details and maintain records for NHS Test and Trace according to government guidelines and the principles of data protection as specified in the General Data Protection Regulation (GDPR).

Failure to comply could result in a hefty fine, so employers throughout the UK must stay up-to-date with the latest government guidance and regulations.