Guidance issued by the Welsh Ministers under regulation 21 of the Health Protection (Coronavirus Restrictions) (No. 4) (Wales) Regulations 2020.
Coronavirus is still with us. The purpose of our Test, Trace, Protect strategy is controlling the spread of new outbreaks but for it to be effective, information about where those who have tested positive may have been in contact with others is essential.
So as people increasingly visit the same places as others, businesses operating in sectors where there is a higher risk of spreading the coronavirus have a key role to play in supporting contact tracing and keeping Wales safe.
All businesses that are open to the public should have in place a strict system to comply with social distancing in all locations at all times, and should be following staying safe at work guidance. Workplaces and premises open to the public are required under Welsh law to take all reasonable measures to minimise the risk of exposure to coronavirus. The starting point is preventing physical interaction within a 2 metre distance, and (especially) where this is not reasonably practicable, other measures to minimise close face to face interaction are required, such as use of protective screens, rearranging furniture and other fittings, controlling the flow of people or wearing personal protective equipment. This will minimise the need for the Test, Trace, Protect service initiating the contact tracing process if a member of staff, customer or visitor to your premises tests positive for coronavirus.
Where any person tests positive, however, the Test, Trace, Protect service needs information about where that person has been, and who that person has been in contact with. Where that person has been on premises open to the public, in particular, the identity of those people may not be known to the person who has tested positive. For that reason, certain businesses are expected to collect and retain information about who has been on the premises, and when, for 21 days.
The purpose of this guidance is to provide advice for organisations and small businesses on collecting and retaining contact information for staff, customers and visitors to their premises.
NHS Wales Test, Trace, Protect service
The NHS Wales Test, Trace, Protect service is delivered by a number of public sector partners working together to help contain the spread of the virus. Together, Public Health Wales, local Health Boards, Local Authorities, and NHS Wales Informatics Service (NWIS) are responsible for implementing one of the biggest public health interventions in a generation.
For further information, visit Test, Trace, Protect: your questions.
Why do you need to maintain records of staff, customers and visitors?
Regulation 21 of the Health Protection (Coronavirus Restrictions) (No. 4) (Wales) Regulations 2020 requires reasonable measures to be taken to minimise the risk of exposure to coronavirus on premises open to the public and on any premises where work takes place, as well as to minimise the spread of coronavirus by those who have been on the premises. Regulation 21 provides information about what those reasonable measures, depending on the circumstances, may be. It should be read in conjunction with this guidance and with the principal guidance issued by the Welsh Ministers under regulation 24 (of those Regulations).
One reasonable measure is:
Collecting contact information from each person at the premises and retaining it for 21 days for the purpose of providing it to any of the following, upon their request
(i) the Welsh Ministers,
(ii)(ii) a contact tracer;
Another reasonable measure is:
(a) taking reasonable measures to ensure that such contact information is correct. 'Contact information', in relation to a person at the premises, means the person’s name and information sufficient to enable the person to be contacted, to inform them that they may have been exposed to coronavirus at the premises (including a telephone number and the date and time at which the person was at the premises).
Whether this measure is one that is “reasonable” and is, therefore, one that must be taken depends on the extent to which people who don’t know each other may interact on the premises and whether there is a risk of close interaction. (See “Who does this apply to?” below).
By adhering to these Regulations by undertaking reasonable measures to maintain records of staff, customers and visitors, and sharing these with the NHS Wales Test, Trace, Protect service when requested, you will help to identify people who may have been exposed to the virus and are asymptomatic (i.e. are not yet displaying symptoms). Containing outbreaks is crucial to reducing the spread of coronavirus, protecting the NHS in Wales and saving lives. This will support the country in returning to, and maintaining, a more normal way of life.
Who does this guidance apply to?
There is a higher risk of spreading coronavirus in some sectors. This is because staff, customers and visitors will spend a longer time on these premises than in other surroundings and potentially come into close contact with people outside of their household (or extended household if they have formed one).
The legal requirement under regulation 21 of the Health Protection (Coronavirus Restrictions) (No. 4) (Wales) Regulations 2020 is based on the notion of doing what is “reasonable”, depending on the circumstances. In the Welsh Ministers’ view, however, as one of the two stated purposes of Regulation 21 is to reduce the risk of any person who has been on someone’s premises spreading the virus, it is clearly a reasonable measure for those responsible for the following businesses or premises to collect and retain contact information):
- hospitality, including pubs, bars, restaurants and cafes.
- close contact services including hairdressers, barbers, beauticians, tattooists, sports and massage therapists.
- swimming pools, indoor fitness studios, gyms, spas or other indoor leisure centres or facilities.
- bingo halls
On that basis, collecting and retaining contact information for 21 days is a legal requirement in these cases. There may be exceptional circumstances where the information may be required to be kept for a longer period, e.g. where police ask for information 20 days after collection.
However, where people enter premises only for the purpose of collecting something and immediately leaving, for example where a food outlet provides takeaways which is strictly complying with 2 metre physical distancing requirements where customers are waiting, we do not consider that collecting and retaining contact information is a reasonable measure that needs to be taken. This means where a business offers a mixture of a sit-in and takeaway service, contact information is only needed for customers who are sitting in. Similarly contact information is not needed from those making deliveries.
Businesses and premises are required to take reasonable measures to ensure the contact information they collect is accurate. Customers will need to provide verification of their name when filling in contact details. Methods of verification may vary but might for example include drivers licence, bank or credit cards.
Retail premises are not generally required to collect contact information as the focus is on higher risk settings where they may be close interaction between staff, customers and visitors over a sustained period of time. Tourism accommodation providers collect visitor data through bookings, as a matter of course.
In addition to maintaining records and sharing them when requested, Welsh Government guidance on taking reasonable measures to minimise the risk of exposure to coronavirus (also issued under regulation 20) and other guidance such as the guidance for tourism and hospitality businesses for a phased and safe re-opening should also be followed.
What happens if this information is not collected and retained?
Where a person responsible for premises or a workplace to which regulation 21 applies does not take the reasonable measures required, local authority environmental health officers can take enforcement action. This includes requiring improvements (through issue of a Premises Improvement Notice), and if necessary requiring a premises to close (through issue of a Premises Closure Notice).
What information needs to be collected?
Information sufficient to enable a person to be contacted to inform them they may have been exposed to the coronavirus.
- The names of staff who work at the premises.
- A contact telephone number for each member of staff.
- The dates and times that staff are at work.
Customers and visitors
- The names of customers or visitors
- A contact telephone number for each customer or visitor
- Date of visit and arrival and departure time
Many businesses that take bookings already have systems for recording their customers and visitors - including restaurants, hotels and hair salons - which can serve as the source of the information above.
If not collected in advance, this information should be collected at the point that visitors enter the premises. You should record the information digitally if possible, but a paper record is acceptable too. You should collect staff, customer and visitor information in a way that is manageable for your establishment.
Remember that the onus is on the business or person responsible for the premises, not the customer or visitor.
Although NHS Covid-19 app users are able to scan (check-in) as they enter a venue, this doesn’t replace the legal requirement for certain high risk businesses in Wales to collect information from customers, staff and visitors. Premises which are required to collect details of staff, customers and visitors must continue to do so, including people who check in through the app.
Where the data of children may be collected (for example, where a 16 year old person attends the premises), consideration must be given to any associated risk in retaining this information, and further information on these risks can be found on the ICO website.
Although it is acknowledged that in certain circumstances this may be difficult, recording departure times as well as arrival times (including staff shift times) is also required. The purpose of this is to reduce the number of customers or staff needing to be contacted (and potentially asked to self-isolate) by the NHS Wales Test, Trace, Protect service.
What if someone does not wish to share their details?
You will play an important role in helping your staff, customers and visitors by supporting them to understand the value of the NHS Wales Test, Trace, Protect service. When collecting the details you will need to make it clear to your customers why this information is being collected, explain what you intend to do and that it may be shared with the NHS Wales Test, Trace, Protect service. You can do this for example, by a verbal explanation, or on your website, or a notice displayed at your premises. Material is available to help you do this, although please be aware that some people may need additional support in accessing or understanding this information.
Sharing details will support the NHS Wales Test, Trace, Protect service’s efforts to control the spread of the virus. It is a requirement under regulation 21 of the Health Protection (Coronavirus Restrictions) (No. 4) (Wales) Regulations 2020 for organisations and businesses to take reasonable measures to minimise risk of exposure to coronavirus, which in the type of circumstances set out above can include collecting and retaining contact information. We ask that you encourage individuals to share their details and help them understand the reasons why they are required. You should advise them that their details will only be used in the event of a case, cluster or outbreak of coronavirus (i.e. more than one new case of coronavirus) that is tracked back to your premises. The NHS Wales Test, Trace, Protect service will use this information to check if they, and any person in their party, may have been exposed.
If the individual still does not want to share their details, and you are under a duty to collect those details, they should not be allowed on the premises.
How should you maintain records?
You should hold records for 21 days from the date of each separate instance in which a staff member, customer or visitor has been on the premises. This will allow for testing and contact tracing, should it be required. After 21 days, this information must be securely disposed of or deleted. When deleting or disposing of data, you must do so in a way that does not risk unintended access (e.g. use cross-cut shredders to dispose of paper documents instead of disposing in public bins, and ensuring permanent deletion of electronic files).
General Data Protection Regulation (GDPR)
The data you are collecting is personal data and, under the GDPR you are a data controller for that data. This means you have certain legal obligations in handling that data and you will need to be satisfied that you are complying with the GDPR so as to protect the privacy of your staff, customers and visitors. This section and more detailed Information Commissioner’s Office (ICO) Guidance sets out the manageable steps that you can take to comply in a way that does not impact detrimentally on your business. You may need to register with the Information Commissioner’s Office as the data controller for this information.
In the circumstances set out above, regulation 21 of The Health Protection (Coronavirus Restrictions) (No. 4) (Wales) Regulations 2020 requires certain organisations and businesses to request contact information from your staff members, customers and visitors and share it with the NHS Wales Test, Trace, Protect service for the purpose of their public health functions. This, together with the fact that collection of the data is in the public interest of providing a public health response to minimise the risk of spreading coronavirus forms a lawful basis for processing personal data under Article 6(1)(c).
You should inform customers that their data may be passed to the NHS Wales Test, Trace, Protect service in the event of a case, cluster or outbreak of coronavirus (i.e. more than one new case of coronavirus) that is tracked back to your premises. If you have a database that holds contact details of regular customers, or if you already collect this information for ordinary business purposes, you will not necessarily have to contact each customer individually, although this will require separate notification and if someone refuses consent, and you are under a duty to collect those details, they should not be allowed on the premises.
GDPR requires that any personal data you collect must be processed fairly and transparently, as well as lawfully. If it has been collected for contact tracing purposes only (i.e. information that you would not ordinarily collect in your usual course of business) it must be used only for those purposes and not for other purposes including marketing, profiling, analysis or other purposes unrelated to contact tracing. There should not be an unjustified detrimental impact on individuals as a result of you collecting and/or sharing their data.
Appropriate technical and security measures must be in place to protect customer contact information, for example, against hacking - see ICO guidance. These measures will vary depending on how you choose to hold this information, including whether it is collected in hard copy or electronically. Welsh Government would prefer that you take electronic measures, if possible, but we understand that this will not be possible for all.
Individuals have a number of rights under the GDPR (see ICO guidance for more details), and you must ensure that these rights can be exercised.
More information on data protection and the coronavirus can be found on the ICO website.
When should information be shared with the NHS Wales Test, Trace, Protect service?
The service will ask for these records only where it is necessary, either because someone who has tested positive for coronavirus has listed your premises as a place they have worked at or visited recently, or because your premises has been identified as the location of a potential cluster or outbreak of coronavirus. If asked to do so, you are required to share the information of staff, customers and visitors with the NHS Wales Test, Trace, Protect service as soon as possible. You should not share the information that has been collected for this purpose with anyone else.
The NHS Wales Test, Trace, Protect service will handle the data according to GDPR, security and ethical standards at every stage of the process - from its collection and storage to its transfer and use by the service. The NHS Wales Test, Trace, Protect service will use it only for the purposes of protecting the public’s health. This information must not be used for any other purposes other than disclosing it to the NHS Wales Test, Trace, Protect service. Use outside of this, for example if businesses contacted customers to notify them of any symptoms other customers may be experiencing, may constitute as a breach.
What will happen if a visitor, customer or member of staff displays symptoms of COVID-19 or tests positive for coronavirus?
If you are operating accommodation and a customer starts displaying symptoms of COVID-19 whilst staying at your premises, then they (and anyone travelling with them) should return home as quickly as possible, if well enough to do so. They must use the most direct route, and should not use public transport. They should then self-isolate immediately and follow the self-isolation guidance The person with symptoms should apply for a free COVID-19 antigen test preferably at a convenient location close to their home as soon as possible.
What can I expect if my business is contacted by the NHS Wales Test, Trace, Protect service?
The NHS Wales Test, Trace, Protect service will only contact your business through the service if a visitor, customer or member of staff has received a positive test for coronavirus or where a cluster or an outbreak is potentially linked to your premises.
- calls will usually come from this number: 02921 961133
- if you miss a call from the service, you will be called again. It is important that you answer calls from the NHS Wales Test, Trace, Protect Service promptly. You will not receive a voicemail, but if you ring the number back you will hear a message confirming that you were called by the NHS Wales Test, Trace, Protect service. Calls from this number are outbound only, so you will not be able to speak to a contact tracer and will need to wait for a call back the following day
- you will be asked if you want to provide information over the telephone or via the NHS Test, Trace, Protect service website. If you choose to provide information via the website, a secure one-time code will be texted to you with the link to the form you need to complete. If you cannot use the website, your information will be taken over the telephone.
You may be asked to provide the contact information you have collected for the purposes of supporting the NHS Wales Test, Trace, Protect service.
You will not be asked for any financial information, bank details, passwords or any other data not covered above. If you have any doubts then you should not provide the information. For more information on staying alert to scams.
What steps will the NHS Wales Test, Trace, Protect service take to minimise transmission if a potential outbreak on your premises is identified?
If there is more than one case of coronavirus potentially associated with your business, the NHS Wales Test, Trace, Protect service will decide on a case-by-case basis what follow-up action to take. They will:
- undertake a risk assessment
- provide public health advice
- where necessary, establish a multi-agency outbreak control team to manage the incident
Depending on the circumstances and the length of time that has elapsed, this could include arranging for staff who work for you to be tested (regardless of whether they are displaying symptoms or not), asking them to take extra care with social distancing and/or – in some circumstances – asking them to self-isolate. Your staff will be included in the risk assessment, and the NHS Wales Test, Trace, Protect service will advise what they should do. Should they need to self-isolate, they should follow the self-isolation guidance and can review our contact tracing guidance and support.
If a person is required to self-isolate, and does not self-isolate due to the behaviour of their employer then this may result in the employer being issued with a fixed penalty notice of up to £10,000 and could face prosecution.
If asked by the service, you are required to share your visitor/customer log to identify any other people who could have come into contact with the individuals who tested positive for coronavirus up to 2 days before symptom onset, in order to help identify ‘clusters’ i.e. where multiple cases appear to point back to a common location and time period. Any customers and visitors identified as confirmed contacts of the infected cases will be followed up separately by the service.
If an outbreak has been identified as originating on your premises, a rapid response team will be assigned to gather information about the outbreak and support your business.