Data data everywhere!

Did your business collect information for NHS Test and Trace or other Covid-related information during the Covid-19 pandemic? If so, how long did you keep that data? Or do you still have it hanging about somewhere? Here we look at the risks of holding data for longer than necessary and how you can get compliant with the law.

Data, data, everywhere

From September 2020 until July 2021, the government required, by law, specific businesses to collect the personal details of customers, visitors and staff who spent time at the business premises. From cinemas and hairdressers to cafes, restaurants and tourist attractions, businesses recorded the names and contact numbers of all customers and the time and date of their visit. That’s a lot of data.

Businesses employed a variety of solutions to comply with the law, from paper records to bespoke systems. In each case, it was the responsibility of the business to ensure they kept data safely and securely, regardless of whether the Test and Trace team needed it.

Storing up trouble?

All the data you collected for Test and Trace purposes should have only be kept for 21 days. This is to comply with General Data Protection Regulation (GDPR) and the Information Commissioner’s Office recommendations. After this period, you’re effectively storing up trouble.

The more time that goes by, the more data you accumulate, the higher the risk should you experience a data breach. Plus, can you really remember what information you collected nearly 12 months ago? Data management is vital.

Effective disposal

Storing any data for too long can put you and your organisation at risk. All the more reason to know what data you have and how long you can legally retain it. To protect yourself from a hefty ICO fine and safeguard your clients’ information, you need a data retention schedule. A system to ensure you delete data when you no longer need it or have a lawful basis for keeping it. This doesn’t need to be complicated, but you should list the types of documents you have and how long you need to keep them.

In the case of NHS Test and Trace, safe disposal should have taken place 21 days after collection. You should shred any remaining paper records and delete electronic ones making them irretrievable.

Summer organisation

But what about all the other data you have stored? We recommend an annual Summer clean-up to keep on top of your records and maintain compliance with the law. An annual clean-up presents a regular opportunity to identify and dispose of all the data you hold, which has reached the end of its retention period.

Treat others’ data as you would like them to treat yours. After all, lost or stolen data not only provides a headache for you and a bad reputation for your business, it also puts your clients at risk.


Does your business need more support? Get sorted with our Savvy Data Credits: prepaid time slots so you can get in touch whenever you need us! Or, take our free Data Protection Health Check if you’d like a full, personalised report on your business’s compliance status.

We also offer a free Data Protection Health Check virtual meeting. A chance for you to ask questions and discuss your concerns with a trusted professional. For more information, visit, or contact Dr Sam Linton on 07970 779949 or email