On 18 September 2020, the UK Government made it mandatory for businesses in the hospitality, leisure and tourism sectors, and other close-contact businesses in England, to collect customer information for the COVID-19 test and trace programme. The Information Commissioner’s Office has now published data protection guidance for these organisations, advising them to follow five steps (ABCDE) to handle people’s information responsibly:

A – Ask for only what’s needed

  • Only ask for the specific information that has been set out in the government guidance.
  • This may include their name, contact details and time of arrival.
  • Do not ask people to prove their details with identity verification, unless this is standard practice for your business.

B – Be transparent with customers

  • Be clear, honest and open with people about what you are doing with their information, and why you need it.
  • You could display a notice in your premises, include it on your website, or tell them in person.
  • If you already collect customer data for bookings, make it clear that their personal data may also be used for contact tracing.

C – Carefully store the data

  • If collecting the records digitally on a device, keep them secure.
  • For paper records, keep the information locked away and out of public sight. Do not leave sign-in sheets or books containing the personal data out in the open.
  • Suggested simple security measures are here.

D – Don’t use the data for other purposes

  • Do not use it for purposes such as direct marketing, profiling or data analytics.

E – Erase it in line with government guidance

  • Do not keep the data for longer than the guidelines specify – “only for as long as it’s needed”, which is usually recommended to be 21 days.
  • It is important to dispose of the data securely to reduce the risk of someone else accessing the data.
  • Shred paper documents and permanently delete digital files from your recycle bin or back-up cloud storage, etc.

More detailed advice on collecting, storing, sharing, and deleting the data has been provided by the ICO here.

For advice in relation to this notice or any other matter relating to the privacy of personal data, please contact any member of the Brown Rudnick Data Privacy team or your usual advisor.


Prior results do not guarantee a similar outcome.
Brown Rudnick is a tradename of both Brown Rudnick LLP, a limited liability partnership organized under the laws of the Commonwealth of Massachusetts ("BR-USA"), and its affiliate Brown Rudnick LLP, a limited liability partnership registered in England and Wales with registered number OC300611 ("BR-UK"). BR-UK is a law firm of Solicitors and Registered Foreign Lawyers authorized and regulated by the Solicitors Regulation Authority of England and Wales, and registered with the Paris Bar pursuant to the 98/5/EC Directive. A full list of members of BR-UK, who are either Solicitors, European lawyers or Registered Foreign Lawyers, is open to inspection at its registered office, 8 Clifford Street, London W1S 2LQ, England (tel. +44.20.7851.6000; fax. +44.20.7851.6100).
Information contained in this Alert is not intended to constitute legal advice by the author or the lawyers at Brown Rudnick LLP, and they expressly disclaim any such interpretation by any party. Specific legal advice depends on the facts of each situation and may vary from situation to situation.
Distribution of this Alert to interested parties does not establish a lawyer-client relationship. The views expressed herein are solely the views of the authors and do not represent the views of Brown Rudnick LLP, those parties represented by the authors, or those parties represented by Brown Rudnick LLP.