More detail on how and when customer and visitor data should be collected
"The government has issued guidance for businesses, including licensed businesses on collecting and maintaining records of staff, customers and visitors on the premises to support NHS Test and Trace, which can be found here
The below is a brief summary of the guidance, which applies to England only.
The purpose of collecting records is, where requested, so that businesses can help the NHS identify people who may have been exposed to coronavirus.
The guidance explicitly refers to hospitality, including pubs, bars, restaurants and cafés as well as tourism and leisure, including hotels, museums, zoos, cinemas and theme parks.
The guidance applies to any establishment that provides an on-site service and to any events that take place on its premises. It does not apply where services are taken off site immediately, for example a food or drink outlet which only provides takeaways. If you offer a mixture of a sit-in and take away service, contact information only needs to be collected for customers who are dining/drinking in (whether this is indoors or outdoors).
Equally, the guidance does not apply to drop off deliveries made by suppliers or contractors.
Information to collect
Importantly, the guidance states the below information should be collected ‘where possible’. Our view is that a customer refusing to provide the information does not necessarily mean you must refuse entry, which might for example create unnecessary flashpoints. This is a matter for each premises to assess at the time taking into account the intention behind the request - UKH have created a helpful advisory note – see here.
For staff, the names of staff who work at the premises, a contact phone number for each member of staff and the dates and times that staff are at work.
For customers and visitors, the name of the customer or visitor – if there is more than one person, then you can record the name of the "lead member" of the group and the number of people in the group. You should also take a contact number for each customer or visitor, or for the lead member of a group of people, as well as the date of visit, arrival time and, where possible, departure time.
You should collect this information in a way that is manageable for your establishment and if not collected in advance it should be collected at the point that visitors enter the premises or at the point of service if impractical to do so at the entrance. The information should be recorded digitally if possible, but a paper record is also acceptable.
The government recognises that recording departure times will not always be practicable, although it is preferred.
The government also recognises that the sharing of this information by customers and visitors is voluntary, but urges businesses to encourage customers and visitors to support NHS Test and Trace. They should also be advised that this information will only be used when necessary to help stop the spread of COVID-19.
If a customer or visitor does not want their details shared they can choose to opt out and if they do so you should not share their information used for booking purposes with NHS Test and Trace. Neither do you have to verify an individual's identity for NHS Test and Trace purposes - the accuracy of this information will be the responsibility of the individual who provides it.
How records should be maintained
You should hold records for 21 days, which reflects the incubation period for COVID-19 (up to 14 days) and an additional 7 days to allow time for testing and tracing.
After 21 days, this information should be securely disposed of or deleted.
Records which are made and kept for other business purposes do not need to be disposed of after 21 days - this requirement relates only to records created solely for the purpose of NHS Test and Trace.
All collected data, however, must comply with the GDPR obligations and should not be kept for longer than it is necessary.
The data licensed businesses are being asked to collect is personal data and must be handled in accordance with GDPR to protect the privacy of staff, customers and visitors. It is not necessary to see consent from each person, but you should make clear why the information is being collected and what you intend to do with it, for example if you already collected information for ordinary business purposes, you should make people aware that their contact information may now also be shared with NHS Test and Trace.
You do not have to inform every customer individually – you can, for example, set out in a display notice at your premises or on your website what the data will be used for. The government will be providing a template for this.
This is only a summary of the main points and we recommend that you read the guidance in full."