Skip to main content
Visit Scotland | Alba
Article published 25/08/2020

Regulations make it mandatory to collect customer and visitor information

It's now mandatory for hospitality settings to collect the contact details of visitors to their premises in support of Test and Protect.

The gathering of contact information from customers by hospitality businesses, in a secure and safe manner, will assist NHS Scotland’s Test and Protect service to identify any clusters of cases, contact those who may have been exposed to the virus, and request them to take appropriate steps to prevent potential onward spread.

We’ve outlined key points on this page but please do read the full Scottish Government guidance on collecting customer contact details.

Who does it apply to?

The new regulations apply to restaurants, cafes, pubs and hotels in which food or drink are sold for consumption on the premises. Contact information only needs to be collected for customers who are dining in.

It includes where a service is provided indoors, or outdoors in a designated service area such as a beer garden.

What to collect

Customers / visitors

  • the name of each customer, or when customers are attending as a small household group, the contact details for one member of that group – a ‘lead member’
  • a contact phone number for each customer, or for the ‘lead member’ of a small household group
  • date of visit and arrival and, where possible, departure time


  • the names of staff who work at the premises
  • a contact phone number for each member of staff
  • the dates and times that staff are at work

What if a customer does not want to provide contact details?

You must encourage individuals to share their details in order to support NHS Test and Protect and advise them that this will only be used in the event of an outbreak or if a number of new cases are tracked back to the premises. Their information will then be used to inform them if they may have been exposed to a positive case or cases.

If the individual still does not want to share their details, then premises should refuse to offer the service requested.

Information Commissioner's Office

In order to gather and store customer information securely, businesses may need to be registered with the Information Commissioner’s Office (ICO). This will be the case if you are using an electronic system to gather and store data.

If your business is already a data controller, you should already be registered with the ICO. If you’re unsure, contact the ICO.

Data protection

You must ensure data is collected and handled in line with data protection laws. The Scottish Government has published a template privacy notice, setting out the terms of how data should be gathered, stored, used and disposed of.

Once customer details have been gathered, the business will be the data controller, and the data must not be shared with individuals or organisations other than public health officers. All customer data should be stored securely and in accordance with the requirements of the GDPR.

You should hold records for at least 21 days from the date of each separate visit of a staff member or customer. Following this, subject to any other lawful obligation to retain it, the data will normally no longer be required to be held by the business and must be disposed of securely.

When information should be shared

If cases of COVID-19 detected that have a link to a business, NHS Scotland may contact the business by phone to request staff and customers’ details to allow contact tracing to take place.

Take a look at the Scottish Government full guidance to see the information the NHS will ask for – and never ask for.

Further information

Read the full Scottish Government guidance on collecting customer contact details.

Businesses are requested to maintain the excellent work that has been undertaken so far to reopen safely for customers and staff and to continue working with authorities to build on that progress. Take a look at the useful resources available from Scottish Government and sector groups.