COVID-19, contact tracing and protecting customer and visitor details

Pubs, restaurants, and other local businesses in England that reopened over the weekend are now requested to collect customers’ and visitors’ contact details in order to assist with the NHS Test and Trace app. UK Government guidance has been published in respect of England.

Beer gardens and outdoor restaurants in Scotland were allowed to reopen yesterday, 6 July 2020, with indoor hospitality due to follow suit from 15 July 2020. The Scottish Government has also issued its own guidance.

What data should businesses collect?


According to guidance from the UK Government, businesses should assist the test and trace effort by keeping a temporary record of customers and visitors, for 21 days, in a way that is “manageable” for business, as well as complying with requests for that data if required.

The UK Government Guidance further notes that the personal data collected should include, where possible for each venue, the name, contact number and dates and times that each member of staff is working, and the name, contact number, date of visit, as well as the arrival and, where possible, departure time of each customer and visitor.

Where there is more than one person in a group, a business may record only the name and contact number of the ‘lead member’ of the group and the number of people in the group. Where a customer will interact with only one member of staff, for example, a hairdresser, the name of the assigned staff member should be recorded with the name of the customer.


In Scotland, businesses serving customers who remain on their premises will be encouraged to gather similar contact details to support NHS Scotland’s Test and Protect service.

Where customers are attending as a small household group, the contact details for one member of the group – a ‘lead member’ – will be sufficient, and where a business offers both sit-in and takeaway services, contact information only needs to be collected for customers who are sitting in.

The Scottish Government has also provided a style Privacy Notice which hospitality businesses can provide to customers and aids in ensuring compliance with the General Data Protection Regulation (GDPR). The notice sets out the types of data that should be collected, as well as the lawful basis on which the data will be processed. This is the ‘legitimate interest’ of assisting Scotland’s Test and Protect strategy.

Information collected will, alongside the date and time of a customer’s arrival or departure, include a customer’s name and contact number and, if they do not have a number, either their postal or e-mail address. Again, along the same vein as the UK Government Guidance, personal data will be retained only for the purpose of contact tracing and should be held by businesses for no more than 21 days.

How should businesses handle this data?

Businesses will be expected to handle all personal data in line with the GDPR and, to assist with this, the ICO has published a set of initial easy-to-follow guidance for businesses as they introduce these new measures.

The ICO offers the following advice:

Ask for only what's needed

Be transparent with customers

Carefully store the data

Don't use it for other purposes

Erase it in line with government guidance

The ICO will continue to update its guidance on this and other COVID-19 related data protection issues on its dedicated online hub, as well as its helpline for small businesses.

Latest updates from @MacRoberts

  • MacRoberts is recruiting! We currently have a vacancy for a Senior solicitor/associate to join our Private Client… 9 hours ago
  • This week on our new IGTV mini-series, giving an insight into what it’s like to begin a legal career during the pan… 23/06/2021
  • Would you like to work at one of Scotland’s leading law firms? We currently have a number of opportunities availabl… 21/06/2021
  • We currently have a vacancy for a Customer Due Diligence Administrator based in Glasgow or Edinburgh. Please shar… 18/06/2021
  • Maya Forstater received a lot of media attention around her tweets relating to her beliefs about sex, resulting in… 18/06/2021
  • Applications for our traineeships starting in 2023 are now open! Get your legal career off to the best possible sta… 18/06/2021
  • RT @DundeeAndAngus: Leading Scottish commercial law firm, @MacRoberts has advised BAM on the ‘game-changing’ Atlantic Square development in… 16/06/2021
  • This week on our new IGTV mini-series, giving an insight into what it’s like to begin a legal career during the pan… 16/06/2021
  • Self-employed status: What does the Uber case really mean? 🚖 Kenny Scott explains what the recent ruling means for… 16/06/2021
  • What is the Scottish #gin industry doing to improve #sustainability? Following #WorldGinDay celebrations over the w… 15/06/2021
  • The European Commission has adopted & published versions of two new sets of Standard Contractual Clauses. What ch… 15/06/2021
  • What impact could Ireland High Court's decision to reject an action by Facebook to block an inquiry by the Irish… 14/06/2021
  • Wishing all of our followers a happy #WorldGinDay! ICYMI: Earlier this week, we were delighted to catch up with… 12/06/2021
  • We're #hiring! We have a #vacancy for a Senior #Solicitor or Associate to join our IP, Technology & Commercial team… 10/06/2021
  • Dealing with an employee's misconduct when that employee contends it is linked to a disability can be tricky - read… 09/06/2021