Skip to main content

Guidance issued by the Welsh Ministers under regulation 16 of the Health Protection (Coronavirus Restrictions) (No. 5) (Wales) Regulations 2020.

First published:
10 July 2020
Last updated:


Coronavirus is still with us. The purpose of our Test, Trace, Protect strategy is to control the spread of COVID-19. For this to work, it is essential for those who have tested positive to self-isolate and to know where they may have been in contact with others.

People will increasingly mix with others, increasing the risk of spreading coronavirus. Some places of business carry a higher risk of people mixing. These businesses have a key role in supporting contact tracing and keeping Wales safe.

All businesses open to the public must undertake their own COVID-19 risk assessments and in accordance with the results of these, implement reasonable measures to minimise the risk of exposure to coronavirus.

The Test, Trace, Protect service needs to know who those who test positive may have been in contact with. If someone visited premises open to the public contact tracers would need to know who else was there at the same time. For that reason, certain businesses should consider keeping information about who has been on the premises, and when, for 21 days.

This guidance provides advice for businesses on collecting and keeping this information.

NHS Wales Test, Trace, Protect service

Public sector organisations deliver the NHS Wales Test, Trace, Protect service. These include public health bodies and local authorities. Working together they help to contain the spread of the virus.

Why do you need to maintain records of staff, customers and visitors?

Maintaining records of staff, customers and visitors is one of the reasonable measures you can take to minimise the risk of exposure to COVID-19 at your business/setting. By sharing these records with the NHS Wales Test, Trace, Protect service when requested, you can help to identify people who may have been exposed to the virus. 

You can play an important role in helping your staff, customers and visitors to understand the value of the NHS Wales Test, Trace, Protect service. You can also demonstrate responsible business practice(s) in your setting. Please do this by: 

  • Explaining why you are asking for contact information and encouraging them to provide it. 
  • Displaying a notice on your premises and on your website. We will provide material to help you do this, although please be aware that some people may need additional support in accessing or understanding this information. 

In addition to maintaining and sharing records when requested, you must also continue to follow Welsh Government guidance to minimise the transmission of COVID-19. This includes following the self-isolation guidance in the event of a positive case.

Who does this guidance apply to?

There is a higher risk of spreading coronavirus in some settings. This is because people will spend a longer time in some premises than in other surroundings. They may then come into close contact with people outside of their household. 

This guidance is to assist any establishment that determines it is reasonable, as part of their measures to minimise the spread of coronavirus, for their establishment to collect contact details for the purposes of TTP. This guidance applies to both indoor and outdoor venues, regardless of how large or small the venue is. 

However, this guidance is not advised where services are taken off-site immediately, for example a food outlet that only provides takeaways and where customers are attending take-away waiting areas for a short period of time and are distanced from other visitors. If your business offers a mixture of both (sit-in and takeaway services), you would only need to collect contact information for customers who are sitting in.

This guidance does not apply to drop-off deliveries made by suppliers or contractors. Retail would not be within the scope of this guidance as the focus is on higher risk settings where customers and visitors mix with others and come into sustained, close contact in one place over a longer time.

What information needs to be collected?

Collecting contact details for TTP still remains one of the reasonable measures which could be taken, and it is still  specifically listed in regulation 16. The information requested is still of value to the NHS Wales Test, Trace, Protect service in their follow up with potential contacts. If you run an establishment and as a result of carrying out a risk assessment you identify the collection of contact details as a reasonable measure which should be taken to help minimise the transmission of COVID-19 and manage outbreaks locally, you should implement this. If that is the case you will need to collect enough information to enable a contact tracer to contact a person if a positive case is identified.  Information required would be:


  • The names of staff who work at the premises
  • A contact telephone number for each member of staff
  • The dates and times that staff are at work

Customers and visitors

  • The names of customers or visitors
  • A contact telephone number for each customer or visitor
  • Date of visit and arrival and departure time

Many businesses that take bookings already have systems for recording their customers’ and visitors’ details. This can serve as the source of the information needed.

Some businesses collect this information in advance, but if this is not possible this information should be collected at the point that visitors enter the premises. You should record the information digitally if possible, but paper record is acceptable too. You should collect information in a way that is manageable for your establishment.

NHS COVID-19 app users are able to scan (check-in) as they enter a venue. However, this will not provide the NHS Wales Test, Trace, Protect service with contact details and will not enable people who have been at the premises at the same time as a positive case to be contacted. People who check in through the app should therefore also be asked by your establishment to provide their contact details.

At times you may need to collect the data of children under the age of 18, for example, where a 16 year old person visits the premises. You must consider any associated risk in retaining this information. You can find further information on these risks on the Information Commissioner’s Office (ICO) website.

Recording departure times as well as arrival times is also recommended. This includes staff shift times. It is acknowledged that in certain circumstances this may be difficult. It is needed to help reduce the number of people the NHS Wales Test, Trace, Protect service may need to contact.

What if someone does not wish to share their details?

You will play an important role in helping your staff, customers and visitors understand the value of the NHS Wales Test, Trace, Protect service. You will need to make it clear to your customers why this information is being collected. You should explain what you intend to do with the information and that it may be shared with the NHS Wales Test, Trace, Protect service if necessary. You can do this for example, by a verbal explanation, or on your website, or a notice displayed at your premises. Material is available to help you do this. Please be aware that some people may need additional support to access or understand this information.

Sharing details with the NHS Wales Test, Trace, Protect service helps to control the spread of the virus. You should tell people you will only share their details with the NHS Wales Test, Trace, Protect service in the event of a positive case, cluster or outbreak of coronavirus at your premises. A cluster or outbreak means more than one new case of coronavirus that is tracked back to your premises. The NHS Wales Test, Trace, Protect service will use this information to check if they, and any person in their party, may have been exposed.

If the individual still does not want to share their details for the purpose of the NHS Wales Test, Trace, Protect service but wishes to proceed with a booking and/or use your services, there is no legal requirement that they should provide their details for contact tracing purposes. In accordance with the risk assessment and the requirement to take all reasonable measures it is your decision whether to make your services available to that individual. In making that decision it is important to consider the health and safety of your staff, customers and visitors and your community in the event of a local outbreak.

How should you maintain records?

You should hold records for 21 days from the date of each separate instance in which a person has been on the premises. This will allow for contact tracing and testing, should it be required. After 21 days, this information must be securely disposed of or deleted. When deleting or disposing of data, you must do so in a way that does not risk unintended access. Use cross-cut shredders or similar methods to dispose of paper documents. Do not dispose of in public bins, and ensure permanent deletion of electronic files.

General Data Protection Regulation (GDPR)

The data you are collecting is personal data and, under the GDPR you are a data controller for that data. This means you have certain legal obligations in handling that data. You will need to be satisfied that you are complying with the GDPR. This is to protect the privacy of your staff, customers and visitors. This section sets out manageable steps you can take to comply. You can find more detailed information at (ICO) Guidance. You may need to register with the ICO. This is because you will be the data controller for this information.

You should tell customers that their data may be passed to the NHS Wales Test, Trace, Protect service. This will only be in the event of a case, cluster or outbreak of coronavirus that is tracked back to your premises. If you have a database that holds contact details of regular customers, or if you already collect this information for ordinary business purposes, you will not necessarily have to contact each customer individually, although this requires separate notification.

The way you process any personal data you collect must be fair, transparent and lawful. You can collect personal data only for use for contact tracing. This is data you would not usually collect in the course of your business. You must not use this data for other purposes unrelated to contact tracing. The data you collect or share should not have an unjustified detrimental impact on any individuals. 

Appropriate security measures must be in place to protect customer contact information - see ICO guidance. These measures will vary depending on how you choose to hold this information. They will differ according to whether you collect it in hard copy or electronically. Welsh Government would prefer that you take electronic measures. We understand that this will not be possible for all businesses.

Individuals have a number of rights under the GDPR (see ICO guidance for more details). You must ensure that they can exercise these rights.

More information on data protection and the coronavirus can be found on the ICO website.

When should information be shared with the NHS Wales Test, Trace, Protect service?

The service will ask for these records only where it is necessary. This will be because:

  • someone who has tested positive for coronavirus has listed your premises as a place they have worked at or visited recently
  • the TTP service has identified your premises as the location of a potential cluster or outbreak of coronavirus

If asked to do so, you should share the information with the NHS Wales Test, Trace, Protect service as soon as possible. You must not share the information you have collected with anyone else.

The NHS Wales Test, Trace, Protect service will handle the data according to GDPR, security and ethical standards at every stage of the process - from its collection and storage to its transfer and use by the service. The service will use it only for the purposes of tracing contacts. You should not contact customers to notify them of any symptoms other customers may be experiencing. This may constitute a breach.

What will happen if a visitor, customer or member of staff displays symptoms of COVID-19 or tests positive for coronavirus?

If anyone develops COVID-19 symptoms, then they should self-isolate immediately. They should also apply for a free COVID-19 antigen test.

If customers are staying at your premises and they display symptoms they should return home as quickly as possible, if well enough to do so. All members of their party must also return home. This applies to situations where people are spending an extended time on your premises, such as in a hotel. They must use the most direct route, and should not use public transport. They should then self-isolate immediately and follow the self-isolation guidance. The person with symptoms should apply for a free COVID-19 antigen test preferably at a convenient location close to their home as soon as possible.

What can I expect if my business is contacted by the NHS Wales Test, Trace, Protect service?

The NHS Wales Test, Trace, Protect service will only contact your business if it needs to trace potential contacts. Calls will usually come from this number: 02921 961133

  • if you miss a call from the service, they will call you again
  • it is important that you answer calls from the service promptly
  • you will not receive a voicemail. If you ring the number back you will hear a message confirming that you were called by the NHS Wales Test, Trace, Protect service
  • calls from this number are outbound only, so you will not be able to speak to a contact tracer and will need to wait for a call back the following day
  • they will ask if you want to provide information over the telephone or via the NHS Test, Trace, Protect service website
  • if you choose to provide information via the website, a secure one-time code will be texted to you with the link to the form you need to complete
  • if you cannot use the website, your information will be taken over the telephone
  • they may ask you to provide the contact information you have collected for the purposes of supporting the NHS Wales Test, Trace, Protect service
  • they will not ask for any financial information, bank details, passwords or any other data not covered above
  • if you have any doubts then you should not provide the information.

What steps will the NHS Wales Test, Trace, Protect service take to minimise transmission if a potential outbreak on your premises is identified?

The service will decide on a case-by-case basis what follow-up action to take. They will:

  • undertake a risk assessment
  • provide public health advice
  • where necessary, establish a multi-agency outbreak control team to manage the incident

This could include:

  • arranging for your staff to be tested even if they do not have symptoms
  • asking your staff to take extra care with social distancing
  • asking your staff to self-isolate

Anyone who is asked to self-isolate should follow the self-isolation guidance. They can also review our contact tracing guidance and support.

An employer must not make it difficult for employees to self-isolate. An employer who does this may be issued with a fixed penalty notice of up to £10,000 and could face prosecution.

You should share your visitor/customer log if asked to do so by the TTP service. This is to identify other people who may have come into contact with the person who tested positive. They will look at the period up to 2 days before the positive individual’s symptoms started. It is also used to help identify clusters. This is where more than one case appears to point back to a common place and time. The TTP service will follow up any customers and visitors identified as confirmed contacts. They will make the contact with those individuals, you are not expected to do this yourself.

The TTP service may identify that an outbreak has started on your premises. In this case, a rapid response team will be assigned to gather information and offer you support.