loading icon
Since March 2020, businesses have had to change the way that they work and, while technology has facilitated many of these changes, it is important not to lose sight of obligations in regard to data protection policies and procedures.

It has been over two years now since the General Data Protection Regulation (GDPR) came into force for EU countries, and the UK adopted it under the Data Protection Act 2018. Meanwhile Brexit is also on the horizon and, although there is currently no firm guidance on what leaving the European Union will mean to data protection in the UK, it is unlikely that there will be a relaxation in the rules.

While some businesses have survived with people working from home, others have launched delivery services, and organisations which are open to visitors have started to collect data under the Government’s contact tracing system for Covid-19.


Mark Roome 14

‘Each new situation has implications for data privacy,’ points out Mark Roome, Commercial lawyer at Wollens. ‘The tracing obligations differ from the usual GDPR ones and they need to be understood by all staff.  Other changes, such as working from home or using new remote services may also need to be reflected in customer and supplier contracts, and data protection policies.’

Mark Roome, Partner and Head Of Commercial, Wollens

It is also important to plan staff training and consider having a dedicated member of staff to oversee track and trace data collection.

How much data should you collect?

Once you have established that you will be collecting data for track and trace, it will be important to collect only the personal data specifically needed for contact tracing.

Examples of the data that the Government may need include customer and visitor name(s), contact details, time and date of arrival and departure, and members of their party.

How should it be stored and for how long?

It is important to collect the personal data in a secure way by using encrypted online access platforms, a secure app, or a single use paper form.

Unlike with regular GDPR rules, the information you collect for contact tracing purposes must only be stored or kept for as long as it is needed which is typically a shorter time. The recommended period of time is currently 21 days, following which you must ensure you dispose of it in a secure way by shredding paper records, deleting digital files and any backups.

How should you communicate to your customers or clients about it?

Clearly notifying your customers and visitors that you are required by law, for public interest or legitimate interest purposes, to collect their data for contact tracing is crucial as this category of data has wide reaching implications.

You may wish to consider using signage or clear messaging in any online communication or booking system.

Limits on the use of contact tracing data

You can only use the contact tracing data in connection with Covid-19. You should not be using it for marketing or other business purposes.

Similarly, the sharing of such data is restricted to a contact tracing scheme approved and verified by the Government. It is advisable to isolate the whole process, from collection to storage, away from your normal data collection and marketing processes.

What do you need to do if you become aware of a positive Covid-19 case from the data you have collected?

There are strict rules around what to do in the event someone on your contact tracing data list is Covid-19 positive, and you should familiarise yourself with these:


It is not your responsibility to report the case to any contact tracing scheme and you should not seek to contact any people directly on your list. You only need to retain the data and be on hand to support and assist any contact tracing agency if you are requested to do so.

If, however, there is more than one Covid-19 case that has had contact with your business in some way, you should contact your local health protection team.

Other GDPR related steps you should be aware of in relation to track and trace

If you use another business to help you in contact tracing collection, for example an outsourced reception service or a tracing app, you may have data processing agreements or data sharing agreements with them in place which may benefit from a review and an update.

Staff who are involved in collecting contact tracing data should be made aware of the Government guidance and given appropriate training. If the contact tracing data you are collecting relates to employees, this also needs to be appropriately communicated, dealt with and recorded in your data protection policies.

Another area to consider is children’s data. These collection rules are normally stringent under GDPR and if you have to collect children’s contact tracing data, it is advisable to get professional advice on how to do this properly and safely.

How we can help

GDPR on its own can be daunting but the contact tracing element adds an additional layer of compliance for businesses.

If your working practices have changed, because staff are working from home and you expect that they will continue to do so, then it makes sense to ensure that policies reflect current working practices.

Putting in place suitable measures and procedures, and ensuring regular training is just as important as documentation. By guiding you through the rules of contact tracing data collection, any future changes as a result of Brexit, and by updating your contracts and policies, we can help you stay compliant.

For further information, please contact Mark Roome, Partner and head of the company and commercial department at Wollens.

email [email protected] 

or call 01271 342268


(November 20th 2020) This article is for general information only and does not constitute legal or professional advice. Please note that the law may have changed since this article was published.