Site navigation

Venues Must Hold Personal Data Under New Contact Tracing Rules

Michael Behr


contact tracing

The new regulations have raised concerns about how businesses will use and store the data.

New UK contact tracing rules will require people visiting restaurants and bars to either use the NHS’s contact tracing app or provide venues with contact details.

Businesses will need to display a QR Code for customers to scan with the contact tracing app and deny entry to those who either refuse to scan it or provide their details.

The Health Protection (Coronavirus, Collection of Contact Details etc and Related Requirements) Regulations 2020 came into force on 18th September in England, ahead of the release of the test and trace app on 24th September.

The law covers a range of establishments, including pubs and restaurants, which will legally have to deny people entry if they refuse to provide details.

Additional venues include leisure and tourism services, such as hotels and sports clubs, and places that provide close physical contact services such as hairdressers, or community centres. However, these places do not have to refuse people entry.

The venues will need to record personal contact information, including a person’s name and contact details, such as phone number, e-mail address or postal address, along with the date and time the person visited the venue and the number of people they entered with.

Businesses will need to keep these details for 21 days, after which they must be destroyed.

Should the business fail to comply, or if they fail to deny entry to people who refuse to supply their information, it will be fined up to £1,000, with repeat offences increasing the size of the fine up to £4,000.


The requirement for people to hand over their personal data to businesses has been met with criticism over concerns that the data may be misused.

Civil liberties and privacy campaigning group Big Brother Watch’s Legal and Policy Officer, Madeleine Stone, stated: “This major legal change requires the mass recording of our movements. This new approach to contact tracing is no longer based on public trust, but on exclusion, criminal sanctions and police enforcement.

“Many people will be rightly shocked to find they’re refused entry to coffee shops and restaurants unless they hand over their personal contact details. This is an astoundingly excessive law that poses a serious risk to privacy and data rights.

“We’ve already seen businesses misuse personal data collected for contact tracing, whether for marketing or even to harass customers. Businesses won’t be able to comply with this draconian new diktat as well as data protection law overnight and many will be fearing sanctions.”

Previously, privacy rights organisation Open Rights Group (ORG) made a legal challenge against the deployment of the test and trace app, demanding the government perform a Data Protection Impact Assessment (DPIA) on the app’s deployment.

The creation of the NHS contact tracing app has been mired in controversy – the app was scrapped in June after it was revealed it would not detect other users while the handset was not in use. A new version was finally trialled after months of delays.

The contact tracing rules are set to expire after 12 months.

Michael Behr

Senior Staff Writer

Latest News

%d bloggers like this: