The ICO has published updated guidance for organisations which are asked by the government to collect and retain information about customers and visitors for the purposes of COVID-19 contact tracing. 

In summary, the ICO has confirmed: 

  • data protection law doesn't prevent you from collecting personal data in this context if it is provided voluntarily, as long as it is lawful and customers and visitors are informed about what you are doing; 
  • if you are collecting customer data for a contact tracing scheme (such as NHS Test and Trace in England), you need to make this clear to individuals; 
  • it is necessary to check government guidelines to confirm whether your business is encouraged to collect customer contact information for contact tracing purposes; 
  • the lawful basis for processing can include legitimate interests, public task (if you are a public authority) or consent; 
  • such personal data should only be retained for as long as is needed. In England, this generally means 21 days based on guidance from public health authorities (although it could be retained for longer if necessary for compliance with other sector-specific guidelines). 

The ICO has confirmed that most organisations will not need to rely on consent for these purposes. However, in the context of contact tracing, the ICO recommends that consent is used if you are collecting contact details in a place of worship, or if you provide a service to small groups of people or on a one-to-one basis.