Rules around the collection of data can be tricky. But if you follow the basic principles below you will be fine:
- only collect what you need
- explain why you are collecting it
- store it safely
- delete it once you don’t need it
See our FAQs below for more info:
Who should we collect data from? Anyone who attends your event in any capacity – so performers, audience, volunteers and anyone else who is there.
What data should we collect? Name and phone number, date of visit, time of arrival, and time of departure too if possible (an estimated departure time would be ok too).
If it is a group booking, do we need data for everyone in the booking? Yes – the rules have changed (April 2021) so that every visitor must either check in on the NHS app or give their contact details – not just one person in the group (as was the case previously).
What if I already have their data (mailing list, previous ticket sales etc)? You don’t need to collect it again, but you should check it is accurate and have a register confirming they attended (with timings as per above). So in practice it is probably simplest to collect it again for this specific purpose.
How long should we keep it? For track and trace purposes, 21 days. If you have collected it specifically for this purpose you should delete it after 21 days. If you already had it (mailing list, previous ticket sales etc) you can keep it in line with your normal data protection procedures.
Do we need to tell people why we are collecting it? Yes. We think people are used to this now, but a simple written or verbal explanation should be given: “We are collecting data for NHS track and trace purposes. We will share the data with the NHS if they request it for track and trace purposes”.
Can we collect the data to use for other purposes (e.g. adding to mailing list)? You can, but this should be a separate sign-up process and you should make clear the different ways the data will be used. Remember that for a mailing list sign-up you need a record of their consent.
What if someone won’t provide the data? It is a requirement that every visitor either scans the NHS QR code using their NHS COVID-19 app or provides their name and contact details. Venues are legally required to refuse entry to those who refuse to check in or provide their contact details.
Who do we share the data with? You only have to share the data with NHS Test and Trace if they ask for it. They will only do this where it is necessary, either because someone who has tested positive for COVID-19 has listed your premises as a place they visited recently, or because your premises have been identified as the location of a potential local outbreak of COVID-19.