Contact Tracing

Test & trace data protection considerations

November 1st, 2020 Posted in Data Protection

If your organisation collects personal information for test and trace purposes then you must ensure the information is handled in accordance with the principles of the GDPR. There are a few test and trace data protection considerations to take into account.

Lawful basis

In the first instance this means that you will need a lawful basis for processing the data. Businesses that have a mandatory requirement to collect test and trace data, such as pubs, restaurants, cinemas and hairdressers will be able to rely on ‘legal obligation’ as the lawful basis. We would recommend that you read the latest government guidance to check if your organisation is amongst those who must collect test and trace data by law.

If your organisation isn’t legally required to collect the data then you should be able to rely on ‘legitimate interests’ as your lawful basis for processing the data, on the grounds that participating in test and trace protects the interests of your organisation and its staff, visitors and customers, as well as public health in general.

It is also possible to rely on consent as your lawful basis for collecting test and trace data, but only if you offer people a genuine choice over whether to provide their details and don’t penalise them if they refuse (e.g. by refusing to admit them to the premises or serve them).

Data minimisation

You should only collect the minimum amount of data necessary for test and trace purposes, which in the case of individual customers or visitors will mean their name and contact details (either a telephone number or email address) and the date and time of their visit (including arrival and departure time where possible).

If you have groups of people attending your premises then it will be sufficient just to take the details of the lead member of those groups as a contact point for everyone else.

When recording test and trace data about your employees it should only be necessary to maintain information about their shift patterns and contact details.

Privacy notices

To ensure your test and trace data is processed fairly, everyone whose information you collect must be informed of the purpose for which their personal data is being recorded, and advised that their details may be shared with the NHS contact tracing team if someone they were found to be in close contact with tests positive for Covid-19.

You can achieve this in a number of ways depending on how you plan to collect your test and trace details. For example, if you use an online booking system you could display the information on your app or website. You could also place notices on the walls of your premises informing people that your organisation is participating in test and trace. If you are a business collecting test and trace data about your staff then you could post a notice on the staff intranet, or notify all your employees via an all staff email.

Purpose limitation

You can only use the test and trace data for the same purposes for which you originally collected it, so it follows that you cannot put the contact details to other uses such as sending marketing to customers. You should also take note that there have already been cases of employees making unauthorised use of test and trace data, such as this incident where a bus driver used a passenger’s test and trace details to send text messages to her. It is therefore important to make your staff fully aware of their obligation to keep the test and trace data confidential and not to use it for their own personal reasons.


Access to the data should be limited to the staff who are responsible for maintaining your test and trace records. You will also need to ensure that the information is kept securely, which means storing paper documents out of sight and in locked cupboards or rooms. If the records are to be kept on computer then you should ensure that the files are password protected and that knowledge of those passwords is restricted on a need-to-know basis.


Test and trace records should be kept for no longer than 21 days in accordance with current government guidelines, at which point they will need to be securely disposed of or deleted. This should be done in a way that makes the information irretrievable, for example by permanently deleting electronic files and shredding any paper documents.
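The data minimisation and retention points above translate directly into a small piece of housekeeping code for anyone keeping an electronic register. The following is an added example written for this page, not code from the post or from any official test and trace system: it assumes an in-memory list of visit records with the hypothetical field names `name`, `contact`, `arrived` and `departed` (ISO 8601 timestamps), strips any field that is not needed for test and trace, rejects records that lack a usable contact point, and purges anything older than the 21-day retention period the post describes. The sample register is constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Retention period stated in the post (government guidance at the time of writing).
RETENTION_DAYS = 21

# The only fields the post says are needed for an individual visitor.
# Hypothetical field names chosen for this example.
ALLOWED_FIELDS = {"name", "contact", "arrived", "departed"}

# Fixed "current time" so the example is reproducible; replace with
# datetime.now(timezone.utc) in real use.
DEMO_NOW = datetime(2020, 11, 1, tzinfo=timezone.utc)

# Constructed sample register. Contact details are deliberately fictitious.
SAMPLE_REGISTER = [
    {"name": "A. Visitor", "contact": "+44 7700 900001",
     "arrived": "2020-10-05T18:30:00+00:00", "departed": "2020-10-05T20:15:00+00:00",
     "marketing_opt_in": True},               # extra field: must be dropped
    {"name": "B. Visitor", "contact": "b.visitor@example.invalid",
     "arrived": "2020-10-15T12:00:00+00:00", "departed": "2020-10-15T13:30:00+00:00"},
    {"name": "C. Visitor", "contact": "+44 7700 900003",
     "arrived": "2020-10-10T12:00:00+00:00", "departed": "2020-10-10T14:00:00+00:00"},
    {"name": "D. Visitor", "contact": "+44 7700 900004",
     "arrived": "2020-10-11T12:00:00+00:00", "departed": "2020-10-11T12:45:00+00:00"},
]


def minimise(record):
    """Keep only the fields needed for test and trace; silently drop the rest."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def validate(record):
    """Return True if the record holds the minimum data the post calls for:
    a name, a single contact point (phone or email) and an arrival time."""
    return bool(record.get("name")) and bool(record.get("contact")) and "arrived" in record


def expired(record, now, retention_days=RETENTION_DAYS):
    """A record is expired once the visit is older than the retention period."""
    visit = datetime.fromisoformat(record["arrived"])
    return now - visit > timedelta(days=retention_days)


def purge_expired(register, now, retention_days=RETENTION_DAYS):
    """Split the register into records to keep and a count of records to purge.

    In a real system the purged rows would be deleted from the underlying
    store (and any backups rotated) so that they are genuinely irretrievable,
    not merely dropped from an in-memory list.
    """
    kept, purged = [], 0
    for rec in register:
        if expired(rec, now, retention_days):
            purged += 1
        else:
            kept.append(rec)
    return kept, purged


def run_housekeeping(register, now):
    """Minimise, validate and purge in one pass; returns (kept, purged, rejected)."""
    clean = [minimise(r) for r in register]
    valid = [r for r in clean if validate(r)]
    rejected = len(clean) - len(valid)
    kept, purged = purge_expired(valid, now)
    return kept, purged, rejected


if __name__ == "__main__":
    kept, purged, rejected = run_housekeeping(SAMPLE_REGISTER, DEMO_NOW)
    print(f"kept {len(kept)}, purged {purged}, rejected {rejected}")
    for r in kept:
        print(r)
```

Run this as a scheduled job (daily is enough for a 21-day window) rather than relying on someone remembering to tidy the register. The comparison uses the arrival time, so a visit is purged the moment it is more than 21 days old; if local guidance counts from the end of the day of the visit instead, adjust `expired` accordingly.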

Need help?

If you need further information on collecting and maintaining test and trace data records then please see the latest government guidelines or visit the Information Commissioner’s Office (ICO) website for guidance.

We can also help if you need support. Please get in touch if you’d like input or assistance.



Written by Phillip Davison

Phillip consults on data protection, e-privacy and freedom of information, and acts as outsourced DPO for clients. He worked for the Information Commissioner's Office for 8 years, as a Case Officer and later as a Lead Policy Officer. Since leaving the ICO, Phillip has worked as a specialist data protection consultant and outsourced Data Protection Officer. He holds the ISEB Practitioner Certificate in Data Protection.