Designated venues in certain sectors must have a system in place to request and record contact details of their customers, visitors and staff to help break the chains of transmission of coronavirus.
The UK is currently experiencing a public health emergency as a result of the coronavirus (COVID-19) pandemic. It is therefore critical that organisations take a range of measures to keep everyone safe.
Venues in hospitality, the tourism and leisure industry, close contact services, community centres and village halls must:
- ask at least one member of every party of customers or visitors (up to 6 people) to provide their name and contact details
- keep a record of all staff working on their premises and shift times on a given day and their contact details
- keep these records of customers, visitors and staff for 21 days and provide data to NHS Test and Trace if requested
- display an official NHS QR code poster so that customers and visitors can ‘check in’ using this option as an alternative to providing their contact details
- adhere to General Data Protection Regulations (GDPR)
Hospitality venues must also take reasonable steps to refuse entry to those who refuse to participate.
Failure to do any of these requirements could result in fixed penalty fines.
This guidance provides further instructions on how to fulfil these requirements.
NHS Test and Trace
NHS Test and Trace is a key part of the country’s ongoing COVID-19 response. If we can rapidly detect people who have recently come into close contact with a new COVID-19 case, we can take swift action to minimise transmission of the virus.
NHS Test and Trace includes dedicated contact tracing staff working at national level who work closely with local public health experts. Local public health experts include Public Health England (PHE), health protection teams and local authority public health staff.
You can read further information on how NHS Test and Trace works.
The purpose of maintaining records and displaying an official NHS QR poster
By maintaining records of staff, customers and visitors, and displaying an official NHS QR poster, you will help NHS Test and Trace to identify and notify people who may have been exposed to the virus.
You must register for an official NHS QR code and display the official NHS QR poster.
The NHS COVID-19 app has a feature that allows users to quickly and easily ‘check in’ to your venue by scanning the code. The information stays on the user’s phone. In England, you do not have to ask people who choose to ‘check in’ using the official NHS QR code to provide their contact details. If there is an outbreak associated with a venue, a message will be sent to the relevant app users with the necessary public health advice.
In addition to maintaining and sharing records where requested and displaying an official NHS QR poster, you must also continue to follow other government requirements and guidance to minimise the transmission of COVID-19. This includes maintaining a safe working environment and following social distancing guidelines.
Sectors that this guidance applies to
There is a higher risk of transmitting COVID-19 in premises where customers and visitors spend a longer time in one place and potentially come into close contact with other people outside of their household.
To manage this risk, establishments in the following sectors, whether indoor or outdoor venues or mobile settings, must request contact details from staff, customers and visitors, and display the official NHS QR code poster:
- hospitality, including pubs, bars, restaurants and cafés
- tourism and leisure, including hotels, museums, cinemas and amusement arcades
- close contact services, including hairdressers, barbershops and tailors
- community centres, libraries and village halls
A full list of organisations within scope in these sectors can be found in annex A.
This requirement applies to any establishment that provides an on-site service and to any events that take place on its premises. It does not apply where services are taken off site immediately, for example, a food or drink outlet which only provides takeaways. If a business offers a mixture of a sit-in and takeaway service, contact information only needs to be sought for customers who are dining in.
This could be asked for at the counter, rather than the point of entry, when servers can more easily ask the customer whether they are dining in or taking away.
If you have multiple points of entry you will need to ensure that you have a system that meets the legal requirements. This may mean adapting the way that customers and visitors circulate in your premises.
If your business contains several individual venues, then you as the wider venue are still required to collect details of staff, customers and visitors at the main entrance.
If your business is within a larger venue then you are only required to collect details of customers, visitors and staff in addition to the main entrance if you are a hospitality service, for example a cafe within a museum.
Other types of businesses are not required to collect details, when they exist within a larger premises in scope.
Venues with open-plan dining areas
Some venues might have communal or open-plan dining areas such as food courts. In this situation, the responsibility lies with the legal owner of the space, who is liable for these requirements.
If your business operates within a food court, where food and/or drink is sold and consumed solely in communal dining areas, then you as an individual business owner within the food court are not required to collect details of customers, visitors and staff. However, the legal owner of the wider venue is required to collect visitor details at a designated entrance to the food court. Where an outlet has their own seating area, the legal owner of that outlet is responsible.
Workplace canteens which are open only to staff at that workplace are not required to collect the details of their staff who visit the canteen.
If a workplace canteen may be accessed by members of the public however (for example, anyone who is not an employee), then this venue would be required to collect the details of customers, visitors and staff.
The requirement to collect contact details does not apply to unstaffed, unticketed heritage sites that are open to the public (for example, ruins or prehistoric sites) or archaeological and historic sites which are not open to the public.
Further education settings
If a venue within a further education college is open to the public, such as a café or swimming pool, then that venue is required to collect details of customers, visitors and staff and to display an official NHS QR code poster.
These requirements are not applicable to these venues when they are accessed by students only.
Community centres and village halls
Community centres and village halls, which may host a variety of social, cultural and recreational activities, must collect information for all activities and events taking place within the venue. This should be collected by the person who hires the space. The venue must also display an official NHS QR code poster which can be used for every activity that takes place there.
Places of worship
Places of worship, including when the venue is used for events and other community activities, are not included in these regulations but are still strongly encouraged to maintain staff, customer and visitor logs and to display an official NHS QR code poster. Consent should still be sought from individuals entering your establishment.
Information to collect
Venues must ask every customer and visitor for the following details (unless they have ‘checked in’ using the NHS COVID-19 app):
- the name of the customer or visitor. If there is more than one person, then you can record the name of the ‘lead member’ of the group (of up to 6 people) and the number of people in that group
- a contact phone number for each customer or visitor, or for the lead member of a group of people. If a phone number is not available, you should ask for their email address instead, or if neither are available, then postal address
- date of visit, arrival time and, where possible, departure time
- the name of the assigned staff member, if a customer or visitor will interact with only one member of staff (for example, a hairdresser). This should be recorded alongside the name of the customer or visitor
Recording both arrival and departure times (or estimated departure times) will help reduce the number of customers or staff needing to be contacted by NHS Test and Trace. We recognise, however, that recording departure times will not always be practicable and this is not required by law.
All designated venues must also keep a record of all staff working on the premises on a given day, the time of their shift, and their contact details. This covers anyone providing a service or activity including volunteers. Venues must keep these records of staff, but staff can choose to check in using the NHS QR code poster in addition, if they wish.
No additional data should be collected for this purpose.
In England, you do not have to request details from people who check in with the official NHS QR poster, and venues should not ask them to do both. Venues must not make the specific use of the NHS QR code a precondition of entry (as the individual has the right to choose to provide their contact details if they prefer). Should someone choose to check in with the official NHS QR poster, a venue should check their phone screen to ensure they have successfully checked in.
Many organisations that routinely take bookings already have systems for recording their customers and visitors – including restaurants, hotels, and hair salons. Due to the COVID-19 outbreak, more organisations have, or are planning to implement, an ‘advanced booking only’ service to manage the numbers of people on the premises. These booking systems can serve as the source of the information that you need to collect. Customers or visitors can still scan the official NHS QR code if they wish, to help remind them where they have been if asked by NHS Test and Trace.
You should collect this information in a way that is manageable for your establishment. If not collected in advance, this information should be collected at the point that visitors enter the premises. It should be recorded electronically if possible, for example through an online booking system, but a paper record is acceptable. If you are keeping a paper record, this should be out of public sight and stored securely. You must ensure that there are options for people to leave their contact details if they do not own a smartphone.
Venues introducing new systems to manage contact details must conduct a data protection impact assessment under the General Data Protection Regulations. The Information Commissioner’s Office (ICO) has guidance to help you minimise data protection risks.
You must not use this data for any other purposes other than for NHS Test and Trace, unless you would already collect it for another business purpose. For example, you must not use data collected for NHS Test and Trace for marketing purposes. Failing to do this may lead to penalty fines and enforcement action from the ICO.
Displaying an official NHS QR poster
Designated venues must display an official NHS QR code poster at their entrance, or at the point of service. It’s quick and simple to use for both businesses and users, and enables customers and visitors to scan the NHS QR code when they arrive by using the NHS COVID-19 app. Organisations must have a system for individuals who do not have a smartphone or the NHS COVID-19 app to provide their contact details.
If an app user chooses to use the QR code check-in feature, you should not ask for their contact details.
Official NHS QR posters can be generated online.
Organisations can find out more about NHS QR codes and how to generate them on the NHS COVID-19 app website.
The NHS COVID-19 app is only able to scan official NHS QR code posters. This is for security reasons and because the NHS QR technology means that venue check-in history remains on the user’s device.
In England, if you’re currently using your own QR code system to collect contact details, you should now switch to the official NHS QR code system. By supporting the official NHS system, you’ll be protecting your staff, customers and visitors.
If you use any other QR code system at your venue, you must ensure that it does not show any NHS or NHS Test and Trace logos. You should also explain to your customers and visitors that you are using more than one QR code system in your venue. Unofficial QR codes will not work with the NHS COVID-19 app, can cause confusion for visitors, and could result in them missing important public health advice. If you do not have access to a printer, you can display your QR code poster at your venue using digital signage, for example, a TV screen or iPad.
If someone does not wish to share their details, provides incorrect information or chooses not to scan the NHS QR code
Hospitality venues must take reasonable steps to refuse entry to a customer or visitor who does not provide their name and contact details, is not in a group (for which one other member has provided name and contact details), or who has not scanned the NHS QR code.
Hospitality venues should verify that an individual has checked in using the QR code by reviewing the individual’s phone screen. This is not necessary if they or another ‘lead’ member of the group have provided their contact details.
Venues in other settings do not need to refuse entry but should encourage customers and visitors to share their details or scan the official NHS QR poster in order to support NHS Test and Trace and advise them that this information will only be used where necessary to help stop the spread of COVID-19.
If in the rare case that a customer or visitor becomes unruly, you should follow your own security procedures. This may include calling the police if you feel the individual poses a risk to yourself or others.
The accuracy of the information provided will be the responsibility of the individual who provides it. You do not have to verify an individual’s identity for NHS Test and Trace purposes, and we advise against doing so except where organisations have a reasonable suspicion that customer or visitor details are incorrect. You may refuse to allow entry if you have reason to believe the details are inaccurate.
You do not need to ask for contact details or check scanning of the NHS QR code if the person is a police officer or emergency responder on duty.
You do not need to ask for contact details for people whose visit is for the sole purpose of making a delivery or collection by supplies or contractors, including food or physical goods.
You do not need to ask for contact details for those under the age of 16. If an individual says they are under the age of 16, you should not ask for identification unless you judge this to be false.
If someone does not have the mental capacity to provide their contact details, hospitality venues should not refuse entry (where they are normally required to do so). Businesses will not be in breach of the requirements if they have reason to believe someone can’t provide the details for disability reasons and don’t ask for them as a result.
Hospitality venues should not deny entry to homeless people who are unable to provide a contact number or email address.
Failure to comply
Collecting contact details and maintaining records for NHS Test and Trace is a legal requirement and failure to comply is punishable by a fine:
- first fixed penalty: £1,000
- second fixed penalty: £2,000
- third fixed penalty: £4,000
- any further penalty notice: £10,000
The person responsible for the organisation is liable. This could be the owner, proprietor or manager with overall responsibility of the organisation, business or service.
How records should be maintained
To support NHS Test and Trace, you must hold records for 21 days. This reflects the incubation period for COVID-19 (which can be up to 14 days) and an additional 7 days to allow time for testing and tracing. After 21 days, this information must be securely disposed of or deleted. When deleting or disposing of data, you must do so in a way that does not risk unintended access (for example shredding paper documents and ensuring permanent deletion of electronic files).
Records which are made and kept for other business purposes do not need to be disposed of after 21 days. The requirement to dispose of the data relates to a record that is created solely for the purpose of NHS Test and Trace. All collected data, however, must comply with the General Data Protection Regulation and should not be kept for longer than is necessary.
General Data Protection Regulation (GDPR)
The data that you collect is personal data is and must be handled in accordance with GDPR to protect the privacy of your staff, customers and visitors. This section sets out the steps you can take to comply with GDPR.
You need to explain to people why you are collecting this data but this does not mean that you have to inform every customer or visitor individually. You might, for example, display a notice at your premises or on your website setting out what the data will be used for and the circumstances in which it might be accessed by NHS Test and Trace. A template privacy notice can be found in annex B. You may need to offer some people additional support in accessing or understanding this information, for example, if they have a visual impairment or cannot read English.
In places of worship, where this is not a legal requirement, consent to collect the data should still be sought from individuals.
Personal data that is collected for NHS Test and Trace, which you would not collect in your usual course of business, must be used only to share with NHS Test and Trace. It must not be used for other purposes, including marketing, profiling, analysis or other purposes unrelated to contact tracing, or you will be in breach of GDPR.
You should make your staff aware of what they should and shouldn’t do with customer information. You must not misuse the data in a way that is misleading or could cause an unjustified negative impact on people, for example to discriminate against groups of individuals. The ICO may issue penalties against businesses in breach of GDPR.
Appropriate technical and security measures must be in place to protect customer contact information, and the ICO has produced guidance on this. These measures will vary depending on how you choose to hold this information, including whether it is collected in hard copy or electronically. We would prefer you to record and protect information electronically, but we understand this might not be possible.
When information should be shared with NHS Test and Trace
NHS Test and Trace or Public Health Officers will ask for these records only where it is necessary. For example, if your premises has been identified as the location of a potential COVID-19 outbreak. You and your staff must not share this information with anyone else and respect individuals’ privacy.
NHS Test and Trace will work with you, if contacted, to ensure that information is shared in a safe and secure way. You must share the requested information as soon as possible to help us identify people who may have been in contact with the virus and help minimise the onward spread of COVID-19.
NHS Test and Trace will handle all data according to the highest ethical and security standards and ensure it is used only for the purposes of protecting public health, including minimising the transmission of COVID-19.
If you are contacted by NHS Test and Trace, contact tracers will:
- call you from 0300 013 5000
- send you text messages from ‘NHStracing’
- ask you to sign into the NHS Test and Trace contact-tracing website
Local contact tracers may contact you from a different phone number or ask you to call them back. If you are unsure if the telephone number is genuine, check with your local council. More information can be found on your local council website.
Contact tracers will never:
- ask you to dial a premium rate number to speak to them (for example, those starting 09 or 087)
- ask you to make any form of payment or purchase a product or any kind
- ask for any details about your bank account
- ask for your social media identities or login details, or those of your contacts
- ask you for any passwords or PINs, or ask you to set up any passwords or PINs over the phone
- disclose any of your personal or medical information to your contacts
- ask about protected characteristics that are irrelevant to the needs of NHS Test and Trace
- provide medical advice on the treatment of any potential coronavirus symptoms
- ask you to download any software to your PC or ask you to hand over control of your PC, smartphone or tablet to anyone else
- ask you to access any website that does not belong to the government or NHS
How NHS Test and Trace will take steps to minimise transmission
If you receive a request for information from NHS Test and Trace, this does not mean that you must close your establishment. NHS Test and Trace will, if necessary, undertake an assessment and work with you to understand what actions need to be taken.
Depending on the circumstances and the length of time that has elapsed, this could include arranging for people to be tested, asking them to take extra care with social distancing and/or – in some circumstances – asking them to self-isolate. NHS Test and Trace will give you the necessary public health support and guidance. Your staff will be included in any risk assessment and NHS Test and Trace will advise them what they should do.
If a staff member, customer or visitor tells you they have tested positive for COVID-19, you should tell them to stay at home and self-isolate as soon as possible (along with the rest of their household) and encourage the individual to inform NHS Test and Trace of their recent contacts. You must not use the information you have collected to contact people.
NHS Test and Trace will provide the necessary public health advice and support if they assess an individual was on your premises while potentially infectious. If NHS Test and Trace identifies more than one case of COVID-19, or any other specific risk circumstances, at your venue you will be contacted to receive support and to share the contact details you have collected so that they can contact anyone who may have been exposed to the virus.
If you identify that there is more than one case of COVID-19 on your premises, you should contact your local health protection team to report the suspected outbreak.
Registration with the ICO
Every organisation or sole trader who processes personal information, including for the purposes of contact tracing for COVID-19, must be registered with the ICO and pay a data protection fee unless they are exempt. If you are unsure whether you need to register, please contact the ICO via their helpline on 0303 123 1113, or visit the ICO website.
The cost of the data protection fee depends on the size and turnover of the business, but for most businesses it will cost £40 or £60. The registration form will take around 15 minutes to complete.
The ICO has published its own detailed guidance on collecting customer and visitor details for contact tracing.
Annex A: full list of settings in scope
- restaurants, including restaurants and dining rooms in hotels or members’ clubs
- cafes, including workplace canteens
- bars, including bars in hotels or members’ clubs
- public houses
Leisure and tourism:
- amusement arcades
- art fairs
- betting shops and bingo halls
- clubs providing team sporting activities
- concert venues
- facilities for use by elite and professional sportspeople (including sports stadia)
- heritage locations and attractions open to the public (including castles, stately homes and other historic houses)
- hotels and other guest accommodation provided on a commercial basis, including in bed and breakfast accommodation, boats, campsites, caravans, chalets, guest houses, holiday parks, hostels, motels, pubs, sleeper trains and yurts
- indoor sport and leisure centres, including gyms
- outdoor swimming pools and lidos
- museums and galleries
- music recording studios open for public hire or other public use
- public libraries
Close contact services:
- beauticians (including those providing cosmetic, aesthetic and wellness treatments)
- dress fitters, tailors and fashion designers
- nail bars and salons
- skin and body piercing services
- sports and massage therapists
Local authority run services:
- community centres
- youth and community centres
- village halls
Annex B: template privacy notice
This privacy notice is intended for designated venues only.
Recording customer details: how we use your information
To support NHS Test and Trace (which is part of the Department for Health and Social Care) in England, we have been mandated by law to collect and keep a limited record of staff, customers and visitors who come onto our premises for the purpose of contact tracing.
By maintaining records of staff, customers and visitors, and sharing these with NHS Test and Trace where requested, we can help to identify people who may have been exposed to the coronavirus.
As a customer/visitor of [insert name of business] you will be asked to provide some basic information and contact details. The following information will be collected:
- the names of all customers or visitors, or if it is a group of people, the name of one member of the group
- a contact phone number for each customer or visitor, or for the lead member of a group of people
- date of visit and arrival time and departure time
The venue/establishment as the data controllers for the collection of your personal data, will be responsible for compliance with data protection legislation for the period of time it holds the information. When that information is requested by the NHS Test and Trace service, the service would at this point be responsible for compliance with data protection legislation for that period of time.
The NHS Test and Trace service as part of safeguarding your personal data, has in place technical, organisational and administrative security measures to protect your personal information that it receives from the venue/establishment, that it holds from loss, misuse, and unauthorised access, disclosure, alteration and destruction.
In addition, if you only interact with one member of staff during your visit, the name of the assigned staff member will be recorded alongside your information.
NHS Test and Trace have asked us to retain this information for 21 days from the date of your visit, to enable contact tracing to be carried out by NHS Test and Trace during that period. We will only share information with NHS Test and Trace if it is specifically requested by them.
For example, if another customer at the venue reported symptoms and subsequently tested positive, NHS Test and Trace can request the log of customer details for a particular time period (for example, this may be all customers who visited on a particular day or time-band, or over a 2-day period).
We may/will [delete as necessary] require you to pre-book appointments for visits or to complete a form on arrival.
Under government guidance, the information we collect may include information which we would not ordinarily collect from you and which we therefore collect only for the purpose of contact tracing. Information of this type will not be used for other purposes, and NHS Test and Trace will not disclose this information to any third party unless required to do so by law (for example, as a result of receiving a court order). In addition, where the information is only collected for the purpose of contact tracing, it will be destroyed by us 21 days after the date of your visit.
However, the government guidance may also cover information that we would usually collect and hold onto as part of our ordinary dealings with you (perhaps, for example, your name, date of birth and phone number). Where this is the case, this information only will continue to be held after 21 days and we will use it as we usually would, unless and until you tell us not to.
Your information will always be stored and used in compliance with the relevant data protection legislation.
The use of your information is covered by the General Data Protection Regulations Article 6 (1) (c) – a legal obligation to which we as a venue/establishment are subject to. The legal obligation to which we’re subject, means that we’re mandated by law, by a set of new regulations from the government, to co-operate with the NHS Test and Trace service, in order to help maintain a safe operating environment and to help fight any local outbreak of corona virus.
[Venue/establishment, please add text on whether or not you transfer personal data outside the UK, the EU or to anywhere else (if known).]
By law, you have a number of rights as a data subject, such as the right to be informed, the right to access information held about you and the right to rectification of any inaccurate data that we hold about you.
You have the right to request that we erase personal data about you that we hold (although this is not an absolute right).
You have the right to request that we restrict processing of personal data about you that we hold in certain circumstances.
You have the right to object to processing of personal data about you on grounds relating to your particular situation (also again this right is not absolute).
If you are unhappy or wish to complain about how your information is used, you should contact a member of staff in the first instance to resolve your issue.
If you are still not satisfied, you can complain to the Information Commissioner’s Office. Their website address is www.ico.org.uk.