COVID-19 Support for Businesses

Track and trace advice for businesses

Maintaining Records for Track and Trace

It is a legal requirement for businesses to keep records of who they have been in contact with, for the purposes of track and trace. If you don't collect these details, you could be given a fixed penalty notice.

QR code check-in 

If you don't already have a good system in place, one of the easiest ways to get your guests to check in, is to create your own QR code. Complete the form on the GOV.UK website, and you'll be sent a copy of your own unique QR code. You can then print this code out as a poster, or display it on a tablet or TV screen, and ask visitors to check in, using the NHS COVID-19 app to scan your QR code. The COVID-19 app is available to use from Thursday 24 September.

Create a coronavirus NHS QR code to display in your venue 

Why do businesses need to keep records?

  • Keeping records of staff, customers and visitors, and sharing these with NHS Test and Trace if requested, helps to identify people who may have been exposed to the virus.
  • Containing outbreaks early is a crucial way of reducing the spread of COVID-19. It helps to protect the NHS and social care sector, and save lives
  • The records help to avoid the reintroduction of lockdown measures
  • They help to support the country in retunring to a more normal way of life

You must also continue to follow other government guidance to minimise the transmission of COVID-19. This includes maintaining a safe working environment and following social distancing guidelines.

Who does this apply to?

There is a higher risk of transmitting COVID-19 in premises where customers and visitors spend a longer time in one place and potentially come into close contact with other people outside of their household.

Businesses in these sectors, whether indoor, outdoor or mobile settings, must collect details and maintain records of staff, customers and visitors:

  • hospitality, including pubs, bars, restaurants and cafés 
  • tourism and leisure, including hotels, museums, cinemas, zoos and theme parks 
  • close contact services, including hairdressers, barbershops and tailors 
  • facilities provided by local authorities, including town halls and civic centres for events, community centres, libraries and children’s centres 
  • places of worship, including use for events and other community activities

What information should I collect?

Staff information:

  • the names of staff who work at the premises
  • a contact phone number for each member of staff
  • the dates and times that staff are at work

Customer and visitor information

  • the name of the customer or visitor. If there is more than one person, record the name of the ‘lead member’ of the group and the number of people in the group
  • a contact phone number for each customer or visitor, or for the lead member of a group
  • date of visit, arrival time and, where possible, departure time. recording departure times will help reduce the number of people who need to be contacted by NHS Test and Trace
  • if a customer interacts with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer

No additional data should be collected for this purpose.

Many organisations that routinely take bookings already have systems for recording their customers and visitors – including restaurants, hotels, and hair salons.

Collect this information in a way that is manageable for your establishment. If you don't collect it in advance, then you must collect it at the point that visitors enter the premises, or at the point of service if it is impractical to collect it at the entrance. Record it digitally if you can, but a paper record is acceptable too.

How do I maintain my records?

Kepp any records for 21 days. This covers the incubation period for COVID-19 (which can be up to 14 days) and an additional 7 days to allow time for testing and tracing. After 21 days, delete or securely dispose of the information. Permanently delete electronic files, and shred paper files so there is no chance of anyone accessing the information. 

If you keep records for other business purposes, you don't need to get rid of these after 21 days. However, all collected data must comply with the General Data Protection Regulation and should not be kept for longer than is necessary.

General Data Protection Regulation (GDPR)

GDPR allows you to request contact information from your staff and customers, and share it with NHS Test and Trace to help minimise the transmission of COVID-19 and support public health and safety.

You do not have to inform every customer individually. You might, for example, display a notice at your premises or on your website setting out what the data will be used for and the circumstances in which it might be accessed by NHS Test and Trace. You may need to offer some people additional support in accessing or understanding this information, for example, if they have a visual impairment or cannot read English.

Personal data collected for NHS Test and Trace, which you would not otherwise collect, must only be used only to share with NHS Test and Trace. It must not be used for other purposes, including marketing, profiling, analysis or other purposes unrelated to contact tracing, or you will be in breach of GDPR.

You must not misuse the data in a way that is misleading or could cause an unjustified negative impact on people e.g. to discriminate against groups of individuals.

Appropriate technical and security measures must be in place to protect customer contact information.

Contact for further information

If you need any more information about any of this advice, please email, or ring 01282 662009