Test & Trace and GDPR


There has already been a lot of publicity and debate about Test, Track and Trace. Many people will already be familiar with this and may even have given their name and telephone number to a pub, restaurant or other business.

The Government has now tightened up the rules and certain “high risk” businesses are required to have a system to collect this information from staff, customers and visitors. These businesses include hospitality businesses, such as pubs and restaurants and personal care businesses, like beauty salons and hairdressers.

The key points of the data collection obligation are:

There is a Customer Logging Toolkit, which provides a QR code system that allows people to “check in” to the business using an app on their smartphone and means that their data does not have to be collected. The app is being launched on 24 September 2020. However, this is not a complete replacement and if people do not (or cannot) use the QR system, there must be a secondary system to allow the business to collect their details.

Information collected for Test & Trace should only be retained for 21 days and should then be disposed of securely (shredding paper documents and permanently deleting electronic records). You should also not use this data for any other purpose, such as marketing.

If the business does not normally collect this information, such as a pub, then a single-use system can be put in place. However, the situation is more complicated where the business would normally collect information, such as hairdressers working with pre-booked appointments. Their data protection policy should be updated to reflect the fact that this information may be shared with the NHS tracking system, and any additional information collected over and above what the business would normally collect should only be kept for the required 21 days.

The additional information being collected by businesses that are not used to handling data about their customers and visitors could cause problems for that business in terms of breach of data protection legislation. While the information is being gathered under a specific government scheme, it is still personal data and therefore would still be covered by the General Data Protection Regulation (GDPR). Failure to deal with the data in accordance with the scheme guidance would almost certainly be a breach of GDPR, which would need to be self-reported to the Information Commissioner and could result in fines. GDPR legislation provides for fines of up to 4% of the business’s global turnover for a serious breach.

Gardner Leader can assist your business in navigating the new obligations and how the data should be gathered and processed within the confines of the new regulations and GDPR. Please contact our specialists for more details.

Diane Yarrow

Corporate & Commercial Law
Charity Law
