Skip to main content

Organisations and businesses follow this guidance on keeping records of people on your premises.

First published:
10 July 2020
Last updated:


Coronavirus will be with us until an effective vaccine is available or there is enough immunity among the population. As lockdown restrictions ease, general rules around social distancing and handwashing will remain important in reducing the risk of transmission. Our Test, Trace, Protect strategy will also be key in controlling the spread of new outbreaks, particularly as public spaces start to re-open.

As people increasingly visit the same places as others, businesses operating in sectors where there is a higher risk of transmitting COVID-19 have a key role to play in supporting contact tracing and keeping Wales safe.

First and foremost, all businesses that are open to the public should have in place a strict system to comply with social distancing in all locations at all times. You should be following the staying safe at work guidance. No one at your premises should come into contact with another individual within 2 metres. Where this is not possible, Personal Protective Equipment (PPE) or protective screens should be used. This will minimise the risk of the NHS Wales Test, Trace, Protect service initiating the contact tracing process if a member of staff, customer or visitor to your premises tests positive for COVID-19.

Purpose of this guidance

The purpose of this guidance is to provide advice for organisations and small businesses on collecting and retaining records of staff, customers and visitors to their premises for a limited period. This is to support the NHS Wales Test, Trace, Protect service in the event that the contact tracing process is initiated because someone within your premises tests positive for COVID-19 or is identified as a contact.  

The guidance is intended for those with and without experience of collecting and retaining personal data for business purposes.

NHS Wales Test, Trace, Protect service

The NHS Wales Test, Trace, Protect service is delivered by a number of public sector partners working together to help contain the spread of the virus. Together, Public Health Wales, local Health Boards, Local Authorities, and NHS Wales Informatics Service (NWIS) are responsible for implementing one of the biggest public health interventions in a generation.

For further information, visit Test, Trace, Protect: your questions.

Why do you need to maintain records of staff, customers and visitors?

By maintaining records of staff, customers and visitors, and sharing these with the NHS Wales Test, Trace, Protect service when requested, you can help to identify people who may have been exposed to the virus and are asymptomatic (i.e. are not yet displaying symptoms). Containing outbreaks is crucial to reducing the spread of COVID-19, protecting the NHS in Wales and saving lives. This will support the country in returning to, and maintaining, a more normal way of life.

You can play an important role in helping your staff, customers and visitors to understand the value of the NHS Wales Test, Trace, Protect service. You can also demonstrate responsible business practice(s) in your setting. Please do this by:

  • Explaining why you are asking for contact information and encouraging them to provide it.
  • Displaying a notice on your premises or on your website. We will provide material to help you do this on Business Wales, although please be aware that some people may need additional support in accessing or understanding this information.

In addition to maintaining and sharing records when requested, you must also continue to follow government guidance to minimise the transmission of COVID-19. This includes following the guidance for tourism and hospitality businesses for a phased and safe re-opening, and following the social distancing guidelines. 

Who does this guidance apply to?

There is a higher risk of transmitting COVID-19 in some sectors. This is because customers and visitors will spend a longer time on these premises than in other surroundings and potentially come into close contact with people outside of their household.

If your establishment is in one of the following sectors, you should* collect details and maintain records of staff, customers and visitors to your premises:

  • Hospitality, including pubs, bars, restaurants and cafes.
  • Tourism and leisure, including theme parks, museums and cinemas.
  • Close contact services including hairdressers, barbers, beauticians, tattooists, sports and massage therapists, dress fitters, tailors and fashion designers.
  • Facilities provided by local authorities, such as libraries and leisure centres.

This guidance applies to any establishment that falls within these sectors and provides an on-site service or event that takes place on the premises. This guidance applies to indoor and outdoor venues, regardless of how large or small the venue is.

However, this guidance does not apply where services are taken off-site immediately. For example, a food outlet that only provides takeaways and strictly complies with 2 metre social distancing where customers are in take-away waiting areas. If your business offers a mixture of a sit-in and takeaway service, you only need to collect contact information for customers who are sitting in. This guidance does not apply to drop-off deliveries made by suppliers or contractors. Retail is not within the scope of this guidance as the focus is on higher risk settings where customers and visitors come into sustained, close contact in one place over a longer time.

* “Should”. Where the guidance states that an activity should take place this is not a legal requirement under the Health Protection (Coronavirus, Restrictions) (Wales) Regulations 2020. However it is strongly advised that consideration is given to following this advice to reduce the risk of transmission of COVID-19.

What information needs to be collected?

If you run an establishment in any of the sectors within scope, where possible, you will need to collect the following information. This is regardless of any social distancing measures that you have put in place.


  • The names of staff who work at the premises.
  • A contact telephone number for each member of staff.
  • The dates and times that staff are at work.

Customers and visitors

  • The names of customers or visitors, or if it is a group of people, the name of one member of the group – the ‘lead member’.
  • A contact telephone number for each customer or visitor, or for the lead member of a group of people.
  • Date of visit and arrival and departure time.

Many businesses that take bookings – including restaurants, hotels and hair salons – already have systems for recording their customers and visitors, which can serve as the source of the information above. If you do not already do this, you should do so to help the NHS Wales Test, Trace, Protect service follow up with potential contacts, when requested. This may help minimise onward chains of COVID-19 transmission and manage outbreaks locally to avoid a return to national lockdown measures.

If not collected in advance, please collect this information at the point that visitors enter the premises. You should record the information digitally if possible, but a paper record is acceptable too. You should collect staff, customer and visitor information in a way that is manageable for your establishment. If you have a large booking, for example at a restaurant, you only need to collect the name and telephone number of the lead member of the party, and the number of people in the party.

Although it is acknowledged that in certain circumstances this may be difficult, recording departure times as well as arrival times (including staff shift times) is recommended. The purpose of this is to reduce the number of customers or staff needing to be contacted (and potentially asked to self-isolate) by the NHS Wales Test, Trace, Protect service.

What if someone does not wish to share their details?

Sharing details will support the NHS Wales Test, Trace, Protect service’s efforts to control the spread of the virus, and we are therefore asking that you encourage the individual to share their details. You should advise them that their details will only be used in the event of an outbreak of COVID-19 (i.e. more than one new case of COVID-19) which is tracked back to your premises. The NHS Wales Test, Trace, Protect service will use this information to check if they, and any person in their party, may have been exposed to the outbreak.

If the individual still does not want to share their details for the purpose of the NHS Wales Test, Trace, Protect service but wishes to proceed with a booking and/or use your service, there is no legal requirement that they should do so for contact tracing purposes. It is your decision whether to make your services available to that individual. Although, in making that decision it is important to consider the health and safety of your staff, customers and visitors and your community in the event of a local outbreak.

How should you maintain records?

You should hold records for 21 days from the date of each separate visit that a staff member, customer or visitor made. This covers the typical maximum 14-day incubation period of the virus and an additional 7 days during which people may be infectious after symptom onset. This will allow for testing and contact tracing, should it be required. After 21 days, this information should be securely disposed of or deleted. When deleting or disposing of data, you must do so in a way that does not risk unintended access (e.g. shredding paper documents instead of disposing in public bins, and ensuring permanent deletion of electronic files).

General Data Protection Regulation (GDPR)

The data you are collecting is personal data and, under the GDPR you are a data controller for that data. This means you have certain legal obligations in handling that data and you will need to be satisfied that you are complying with the GDPR to protect the privacy of your staff, customers and visitors. This section and more detailed Information Commissioner’s Office (ICO) Guidance sets out the manageable steps that you can take to comply in a way that does not impact detrimentally on your business.

In the particular circumstances of the COVID-19 pandemic, GDPR may permit you to request contact information from your staff members, customers and visitors and share it with the NHS Wales Test, Trace, Protect service for the purpose of their public health functions, should it be required but you must have a legal basis for doing do. This may be on the basis that your customers have given their consent although, for practicable reasons, it may not always be possible to obtain consent.

For example, if you have a database that holds contact details of regular customers, or if you already collect this information for ordinary business purposes, you will not have to contact each customer individually to ask whether that information can be made available to the NHS Wales Test, Trace, Protect service. If the customer does not give their consent this does not necessarily mean that the GDPR does not permit you to share personal data. You will need to consider whether there is another lawful basis for doing so.

There are alternative legal ways to collect, hold and disclose data under the GDPR  – the ICO guidance sets out more information.

When collecting the details you will need to make it clear to your customers why this information is being collected, explain what you intend to do and that it may be shared with the NHS Wales Test, Trace, Protect service. You can do this, for example, by a verbal explanation or on a website or a notice displayed at your premises. 

The GDPR requires that any personal data you collect must be processed fairly and transparently. If it has been collected for contact tracing purposes only (i.e. information that you would not ordinarily collect in your usual course of business) it must be used only for those purposes and not for other purposes including marketing, profiling, analysis or other purposes unrelated to contact tracing. There should not have an unjustified detrimental impact on individuals as a result of you collecting and/or sharing their data.

Appropriate technical and security measures must be in place to protect customer contact information for example, against hacking - see ICO guidance. These measures will vary depending on how you choose to hold this information, including whether it is collected in hard copy or electronically. Welsh Government would prefer that you take electronic measures, if possible, but we understand that this will not be possible for all.

Individuals also have certain rights under the GDPR, such as the right to require that you should erase their personal data if they ask you to or that you should put right any errors in the data you hold. You must ensure that individuals are able to exercise these rights (where applicable).

When should information be shared with the NHS Wales Test, Trace, Protect service?

The service will ask for these records only where it is necessary, either because someone who has tested positive for COVID-19 has listed your premises as a place they have worked at or visited recently, or because your premises has been identified as the location of a potential outbreak of COVID-19. If asked to do so, you should share the information of staff, customers and visitors with the NHS Wales Test, Trace, Protect service as soon as possible. You should not share the information that has been collected for this purpose with anyone else.

The NHS Wales Test, Trace, Protect service will handle the data according to GDPR, security and ethical standards at every stage of the process - from its collection and storage to its transfer and use by the service. The NHS Wales Test, Trace Protect service will use it only for the purposes of protecting the public’s health.

What will happen if a visitor, customer or member of staff displays symptoms or tests positive for COVID-19?

If a member of your staff or customer develops COVID-19 symptoms, then they should self-isolate immediately and apply for a free COVID-19 antigen test

If you are operating accommodation and a customer starts displaying symptoms of COVID-19 whilst staying at your premises, then they (and anyone travelling with them) should return home as quickly as possible, if well enough to do so. They must use the most direct route, and should not use public transport. They should then self-isolate immediately and follow the self-isolation guidance. The person with symptoms should apply for a free COVID-19 antigen test, preferably at a convenient location close to their home as soon as possible.

Visitors booking a stay in Wales should consider the cost implications around developing COVID-19 symptoms before making their booking. If they travel to the accommodation using public transport, they will need to consider the requirement to organise private transport to return home if they develop symptoms. Or they must be prepared to cover the cost of extending their stay and self-isolating in the accommodation if they are not well enough to travel or cannot organise private transport home. If a visitor is unable to return home on developing symptoms, then they should order a test from their accommodation.

If a visitor, customer or member of staff tells you that they have tested positive for COVID-19, then they must follow the contact tracing guidance that will be provided directly to them by the NHS Wales Test, Trace, Protect service. The service will contact them as soon as they receive a positive test.

What can I expect if my business is contacted by the NHS Wales Test, Trace, Protect service?

The NHS Wales Test, Trace, Protect service will only contact your business through the service if more than one visitor, customer or member of staff has received a positive test for COVID-19 and the outbreak is potentially linked to your premises.

  • Calls will only come from this number: 02921 961133.
  • If you miss a call from the service, you will be called again the following day. You will not receive a voicemail, but if you ring the number back you will hear a message confirming that you were called by the NHS Wales Test, Trace, Protect service. Calls from this number are outbound only, so you will not be able to speak to a contact tracer and will need to wait for a call back the following day.
  • You will be asked if you want to provide information over the telephone or via the NHS Test, Trace, Protect service website. If you choose to provide information via the website, a secure one-time code will be texted to you with the link to the form you need to complete. If you cannot use the website, your information will be taken over the telephone.

You may be asked to provide the following information you have collected for the purposes of supporting the NHS Wales Test, Trace, Protect service:


  • The names of staff who work at the premises.
  • A contact telephone number for each member of staff.
  • The dates and times that staff are at work.

Customers and visitors

  • The names of customers or visitors, or if it is a group of people, the name of one member of the group – the ‘lead member’.
  • A contact telephone number for each customer or visitor, or for the lead member of a group of people.
  • Date of visit and arrival and departure time.

You will not be asked for any financial information, bank details, passwords or any other data not covered above. If you have any doubts then you should not provide the information. For more information on staying alert to scams.

What steps will the NHS Wales Test, Trace, Protect service take to minimise transmission if a potential outbreak on your premises is identified?

If there is more than one case of COVID-19 potentially associated with your business, the NHS Wales Test, Trace, Protect service will decide on a case-by-case basis what follow-up action to take. They will:

  • undertake a risk assessment
  • provide public health advice
  • where necessary, establish a multi-agency incident management team to manage the outbreak.

Depending on the circumstances and the length of time that has elapsed, this could include arranging for staff who work for you to be tested (regardless of whether they are displaying symptoms or not), asking them to take extra care with social distancing and/or – in some circumstances – asking them to self-isolate. Your staff will be included in the risk assessment, and the NHS Wales Test, Trace, Protect service will advise what they should do. Should they need to self-isolate, they can review our contact tracing guidance and support.

You may be asked by the service to share your visitor/customer log to identify any other people who could have come into contact with the individuals who tested positive for COVID-19 up to 2 days before symptom onset, in order to help identify ‘clusters’ i.e. where multiple cases appear to point back to a common location and time period. Any customers and visitors identified as confirmed contacts of the infected cases will be followed up separately by the service.

Your regional Test, Trace, Protect team will take into account additional circumstances surrounding the potential outbreak. It is unlikely that a contact will be identified if the following are implemented correctly:

  • Personal Protective Equipment (PPE)
  • Protective screens used on your premises
  • Adherence to the 2m distancing rule

If an outbreak has been identified as originating on your premises, a rapid response team will be assigned to gather information about the outbreak and support your business.

Share this page