Posted on: 10 August 2020

How to collect and store customer data for the track and trace system

As the coronavirus lockdown measures ease, more and more people are heading out to pubs, restaurants, shops and indoor leisure facilities. People are also heading back to work as more of these kinds of businesses reopen.

Whilst many are enjoying the freedoms that the easing of measures has allowed, the COVID-19 coronavirus is still very much a threat. Being able to trace customers, contractors and even staff is vital if someone who has visited your business gets in touch to say they have tested positive for COVID-19.

Of course, collecting personal data falls into the realms of GDPR and the Data Protection Act 2018, so it’s essential that you collect, store and destroy data in the correct way. Carry on reading to see our guidance on how to correctly collect track and trace data whilst abiding by data protection laws.

Keeping in line with data protection laws

What kind of data are you collecting?

Under data protection regulations, you should only collect the minimum amount of data that you need to be able to contact the visitor in the event of potential COVID-19 exposure.

For your tracking and tracing system, this will likely be the name, contact phone number and email address of the visitor, as you should be able to get in touch easily with this information.

Communication with visitors

When you are collecting data from a visitor, it is important to explain to them why you are collecting their data, what you will use it for and how you will dispose of it once you no longer need it.

When collecting the visitor’s data, whether this is online or on entry to your business, you need to give them a clear notice that you will need to collect their data for your track and trace system and record that they have understood how their data will be used.

The notice should be easy to understand and transparent to comply with the law.

How long should you keep the data?

As well as restricting the amount of data that you collect, data protection regulations also restrict how long you should keep the data for.

Even though the incubation period of the virus is 14 days, the government recommends allowing further time for a COVID-19 case to develop to help the NHS Track and Trace effort. Therefore, the government’s recommended amount of time to keep track and trace data is 21 days.

Once 21 days have passed, visitor data should be deleted.

Safely deleting data

Simply throwing a piece of paper with phone numbers on in the bin does not count as deleting data. Personal data must be deleted in a way that it can’t be used again in the future.

If you are taking details down on paper, make sure that you have it disposed of in a proper confidential way once the appropriate amount of times has passed. For instance, using a paper shredder or using a confidential waste disposal company.

If you have collected data digitally, you will need to make sure that the records have not only been deleted but also that any backups of that data have also been wiped.

Only use data for what you need

If you have told your visitors that you will be using their data for COVID-19 tracking and tracing, this is what you should use the data for and nothing else.

Selling data to a third party, or using the track and trace data for marketing purposes is a breach of data protection laws and can lead to large fines and reputational damage to your business.

Safely storing data

Correctly storing the data that you collect from visitors is vital in making sure that you are not in breach of personal data protection regulations.

It may be convenient to take visitor data on arrival using pen and paper, which can be safely disposed of, but it may be safer to use a computer and take details on a password-protected spreadsheet. Password protection will keep your visitor data safe, and a spreadsheet can also be easily erased from your computer.

GDPR doesn’t only affect how data is stored; it also restricts who can access the data. Under GDPR guidelines, only people who need to see the data should be allowed to access the data, so limit the number of people who have access to any track and trace data that you collect.

COVID-19 guidance from Premierline

For further guidance on keeping yourself and others healthy during the COVID-19 pandemic, and guidance about data protection, take a look at some of our other articles by following these links:

If you are looking for further COVID-19 business insight, take a look at our Coronavirus Information Page.

Compare business insurance

Compare quotes online:

Get quotes now

Or for expert advice call:


Request a call back

More from our Insight Hub

Should Your Team Continue to Work From Home?

Business Guidance

Should Your Team Continue to Work From Home?

27 July 2020
Cyber breach survey 2020

Business Guidance

Cyber breach survey 2020

19 June 2020

Protect your business against the unexpected

We specialise in sourcing the right business insurance solutions for businesses and understand that every business requires different cover to protect against the unique risks it faces. Compare quotes online or for insurance advice, speak to our knowledgeable insurance specialists today. Call:   .

Compare quotes online

The information and tools contained in this guide are of a general informational nature and should not be relied upon as being suitable for any specific set of circumstances. We have used reasonable endeavours to ensure the accuracy and completeness of the contents but the information and tools do not constitute professional advice and must not be relied upon as such. To the extent permitted by law, we do not accept responsibility for any loss which may arise from reliance on the information or tools in our Insight Hub.