• Edinburgh: 0131 625 9191
  • Glasgow: 0141 428 3258
  • Galashiels: 01896 550991
Davidson Chalmers Stewart | Lawyers. For Business.

Data Protection and Test and Protect: What about the GDPR?

Date: 11/08/2020 | COVID-19, Data Protection & Information Law, Regulatory Law

On Friday 7 August 2020 the Scottish Government announced that it will be mandatory to collect contact details of customers in a range of hospitality and public settings. Up until Friday the ‘rules’ were contained in Government Guidance, which does not have the force of law backed up with criminal penalties. It seems likely that from Friday premises that do not collect contact details under the Test and Protect regime in Scotland will face enforcement action, which is likely to include criminal penalties.

The previous Guidance set out the requirements under data protection legislation and provided a template privacy notice which was very helpful for any organisation to understand what information it should be collecting and why.

The information would only be shared with NHS Scotland when requested by them and that would only be in the event of a cluster of coronavirus outbreaks linked to the premises.  This would allow NHS Scotland to contact the individuals who were present at the same time as anyone testing positive to provide them with advice about testing and isolating.

Legal basis for processing data

This also meant that in data protection terms, the legal basis for collecting and sharing the contact information was that it was in the legitimate interests of the business and wider society to process the data in this way: this interest being the need to control the spread of the virus. This legal basis requires balancing the interest against the impact on the individual customer or visitor. The Guidance stated that the impact on the individual was minimal and, given the significant interest that everyone has in suppressing the virus, it is hard to envisage circumstances where it could be argued that the invasion of privacy when someone is asked to provide contact details to the café they are eating in could outweigh that important interest.

As the collection of information was not mandatory, customers and visitors could refuse to supply it.  It was then up to the business as to whether or not it would allow the customer or visitor to use its services.  In practice this could be a difficult decision for businesses who are keen to open up and start recovering from the last few months.

The Likely Impact of Mandatory Collection

It seems likely that the Government will amend the Health Protection (Coronavirus) (Restrictions) (Scotland) Regulations 2020. Once the new provisions are in place, it has been announced that certain premises, particularly in hospitality, will have a legal obligation to collect contact information. This could make things simpler for those businesses. The legal basis for collecting (and possibly sharing) the personal data will be that it is necessary to comply with a legal obligation. It will therefore be easier for those organisations to refuse to provide their services to customers or visitors who refuse to supply contact data. However, it could make things more tricky for those who continue to collect the contact data under the previous Guidance – that remains to be seen.

If the 2020 Regulations are amended, the penalties for organisations who fail to comply without a reasonable excuse are contained in this legislation. Organisations are likely to face a fixed penalty of up to £60 and/or face criminal prosecution and a fine of up to £10,000. In addition, business owners and managers could face prosecution on an individual level as well.

Additional Data Protection Issues

The Scottish Government produced a template privacy policy for the previous Test and Protect regime and it is hoped that they will do this again.  This is helpful for businesses and all staff to read so that they can provide accurate reassurance to customers and visitors about what will happen with their personal data.  So, for example contact details will be kept for 21 days only for the purpose of the Test and Protect regime.  Posters were also available to explain this to customers and visitors.

Organisations must ensure that they collect and store the data in a secure way. If it is in written form, ensure that it is not left lying around. If you are using technical solutions, ensure that any additional processing is made clear. If you are collecting contact data anyway, then you must still explain that the information will be collected for the additional purpose of Test and Protect, shared when necessary with NHS Scotland and not used for that purpose after 21 days – even if it is being stored for other reasons.


Trust and personal data is important at all times. During this crisis there have been a number of issues which have led to a lack of trust between individuals and Government bodies in particular. Test and Protect is important to all of us and organisations need to get it right in order to do their part in keeping everyone safe.

For practical advice on how to get this right, please contact Laura Irvine.

The matter in this publication is based on our current understanding of the law. The information provides only an overview of the law in force at the date hereof and has been produced for general information purposes only. Professional advice should always be sought before taking any action in reliance on the information. Accordingly, Davidson Chalmers Stewart LLP does not take any responsibility for losses incurred by any person through acting or failing to act on the basis of anything contained in this publication.

Written by Laura Irvine
