Image of Man In Cafe Bar by Nathan Dumlao on Unsplash

Everything You Need to Know About Collecting and Disposing of Track and Trace Data

As coronavirus cases begin to climb once again, Track and Trace data has never been so vital. Useful for identifying and stemming the spread of the virus, this information needs to be collected, handled, shared and also properly destroyed in line with data protection regulations.

Collecting and Handling Track and TraceData

How businesses handle Track and Trace data is crucial. The improper collection, handling or disposal of this information could amount to a data breach. Companies could even face fines for not meeting data protection regulations.

The Information Commissioner’s Office has published an ‘ABCDE’ approach for protecting Track and Trace data.

A – Ask only for what is needed.

Only ask visitors for specific information detailed in government guidance. For example, names, phone numbers and arrival times.

B – Be transparent.

Be transparent with those you collect Track and Trace data from, letting them know the exact reasons for data collection. Unlike GDPR, the government doesn’t require proven consent for collecting Track and Trace data. A poster on the window of your premises, a website banner, or even verbal confirmation with visitors will suffice.

C – Carefully store the data.

Make sure any information you collect for Track and Trace is stored carefully away from unauthorised personnel. We’ll cover some data security practices in the next section of this blog.

D – Don’t use it for other purposes.

The personal information you collect for Track and Trace should not be used for any other purposes. It should not be used for business marketing, customer profiling, or any other form of communications.

E – Erase data in line with government guidance.

You shouldn’t keep data for longer than specified by government guidelines. At the time of publication, this is 21 days. After 21 days, documents should be securely shredded and digital files should be permanently erased from hard drives, online storage, and back-up storage.

The allowed methods of collecting Track and Trace data are flexible. Collection can be digital or on paper. Whichever method is used, data should only be accessible by authorised personnel and should not be misused.

Ensuring Data is Kept Safe

Between collecting Track and Trace data and having it destroyed, data safety measures should be implemented. Data should be inaccessible to any unauthorised personnel, and should not be left unattended in environments where data could be stolen by other customers or visitors. Businesses should also consider whether the information they are collecting needs any additional protection.

Example – A group of children attend a sports club without an adult present.

Without adults present, businesses need to weigh up whether or not to gather Track and Trace data. One thing to consider is whether the child would understand the purposes of processing their information. Collecting the data of children comes with additional risks, so access to this information should be strictly limited to approved staff, and never visible to other sports club visitors.

Additional information taken such as temperature checks or other data regarding health is categorised as special category data and should be treated accordingly.

It is also worth remembering that individuals are not currently under a legal obligation to share their information for Track and Trace purposes. However, as per the government guidance, hospitality venues must refuse entry to customers or visitors who refuse to provide their name and contact details, are not in a group, and haven’t scanned the NHS QR code.

Whichever way data is collected or stored, all personal data gathered as part of Track and Trace should be treated as confidential and held securely in line with data protection regulations.

Another element of data security that requires consideration is how you responsibly destroy or delete Track and Trace data. Secure disposal is imperative for keeping individuals’ data safe.

Disposing of Track and Trace Data

A key factor of the protection of Track and Trace data is secure disposal.

This should be done through the prompt and permanent deletion of digital files, or, for paper documents, through shredding.

The preferred method of disposal for a lot of businesses is via the process of shredding as it is quick, easy, and guarantees that information is irretrievable.

Shred Station’s secure shredding services are the perfect choice for destroying confidential information. As well as being flexible, cost-effective and eco-friendly, you will also receive a Waste Transfer Note and Certificate of Destruction after every collection for your data compliance records.

Get in touch today to see how we can help your business safely dispose of Track and Trace data.


If you’d like to read the Information Commissioner’s Office guidance around collecting customer and visitor information, you can do so here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/09/data-protection-guidance-for-collecting-customer-information/

To read the UK Government’s most up-to-date guidance on maintaining Track and Trace records, please visit the following link: https://www.gov.uk/guidance/maintaining-records-of-staff-customers-and-visitors-to-support-nhs-test-and-trace.


Sign up to our newsletter to be alerted about new blog articles, data protection advice, and Shred Station news.

All information featured in this blog post is correct at the time of publication – September 2020.