Are you new to storing personal data?

Contact tracing: advice for secure data storage

Posted on 10 August 2020 by Beaming Support

As pubs, cafes, beauty salons and other businesses reopen across the country, many find themselves with a new and unexpected challenge: the storage of personal data.

New contact tracing advice means that any business whose service involves visitors spending a longer time in one place and/or coming into close contact with others must endeavour to collect details and maintain records of staff, customers and visitors. Government guidance recommends that this be done electronically.

This data is to include names, telephone numbers and dates and times of visiting or working. It is to be kept for 21 days in a way that is “manageable” for your business, and then should be erased.

This may seem like a daunting task if you’re not used to processing and/or storing a lot of personal data, but following these simple steps will help you look after this sensitive information responsibly.

1. Check if the data is stored in the cloud

You may be using your existing electronic booking system, or perhaps a spreadsheet, to collect and store this personal information. Either way, make sure you’re clear on where this data goes when it is saved. Is it only stored locally on your device or does it go to cloud storage? If the data is kept in cloud storage, are you confident in the cloud provider’s ability to keep data secure? It can be helpful to look out for ISO 27001 certification as a sign that your provider takes data security seriously.

2. Back it up

Although you’d hope not to have to, you may need to access the information you’ve collected. Hopefully you’re in the practice of backing up your data; it’s important in case your usual device(s) become inaccessible due to a cyber attack, loss, theft or physical damage. The backup itself needs to be stored in a way that means it is not also susceptible to the kinds of events that could compromise the original data.

3. Password protect it

Individual staff members may have their own logins to the booking system, so make it clear that they must not re-use this password for any other account. Otherwise, you can password protect individual documents if you are saving contact details in this way. However the information is being stored, ensure that it is protected with a strong, secure password.

Extra Tip: By making sure that employees always lock the screens of their work devices (tablets, PCs, etc), you put a barrier between any opportunist looking to take advantage of a busy environment and your data.

4. Limit access to only those that need it

Once the relevant data has been collected, only trusted senior management should need to access it in the event that the NHS Track & Trace service does contact you. Set permissions so that data is available only to those that need it.

5. Erase data when you no longer need it

The data you collect should only be kept for 21 days. Once that time is up, make sure the information is deleted from:

  • Your device
  • Your Recycle Bin (to permanently delete files without sending them to the Recycle Bin, hold down the Shift + Delete keys simultaneously)
  • Your cloud storage (if applicable)
  • Your backups
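
If the records live in a spreadsheet exported as CSV, the 21-day erasure can be scripted rather than left to memory. The following is an added example, not part of the original article; the column names (`name`, `phone`, `visited_at`), the ISO 8601 timestamp format and the sample rows are assumptions.

```python
import csv
import os
import tempfile
from datetime import datetime, timedelta

RETENTION = timedelta(days=21)            # retention period given in the article
FIELDS = ["name", "phone", "visited_at"]  # assumed column names

# Constructed sample log (not real data); visited_at is ISO 8601 local time.
SAMPLE = """name,phone,visited_at
A. Visitor,07000 000001,2020-08-09T19:30
B. Visitor,07000 000002,2020-07-01T12:00
C. Visitor,07000 000003,last Tuesday
"""

def purge_expired(path, now=None):
    """Rewrite the CSV at `path`, dropping visits older than RETENTION.

    Returns (kept, removed, unreadable). Rows whose timestamp cannot be
    parsed are kept but counted, so they can be corrected by hand rather
    than silently outliving the retention period.
    """
    cutoff = (now or datetime.now()) - RETENTION
    kept, removed, unreadable = [], 0, 0
    with open(path, newline="", encoding="utf-8") as fh:
        for row in csv.DictReader(fh):
            try:
                expired = datetime.fromisoformat(row["visited_at"].strip()) < cutoff
            except (KeyError, AttributeError, TypeError, ValueError):
                unreadable += 1
                expired = False
            if expired:
                removed += 1
            else:
                kept.append(row)
    # Write a new file (mkstemp creates it readable by its owner only) and
    # swap it in atomically, so a crash cannot leave a half-written log.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", newline="", encoding="utf-8") as out:
        writer = csv.DictWriter(out, fieldnames=FIELDS, extrasaction="ignore")
        writer.writeheader()
        writer.writerows(kept)
    os.replace(tmp, path)
    return len(kept), removed, unreadable

if __name__ == "__main__":
    demo = os.path.join(tempfile.mkdtemp(), "visitors.csv")
    with open(demo, "w", newline="", encoding="utf-8") as fh:
        fh.write(SAMPLE)
    print(purge_expired(demo, now=datetime(2020, 8, 10, 12, 0)))
```

This clears only the live file. Cloud copies and backups still need their own 21-day expiry, and a non-zero `unreadable` count means some rows need a manual check.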

6. Be wary of access requests

We’ve seen that cyber criminals are moving quickly to take advantage of the uncertain atmosphere created by the Coronavirus pandemic, and the personal data you’ve collected could be of great value to them.

NHS Test and Trace outlines exactly how they would contact you and how they would request data on their website, but if anyone claiming to be from Track & Trace contacts you asking you to make a payment, download software or disclose PINs or log-in details of any sort, alarm bells should ring.
