
Guidance issued by the Welsh Ministers under regulation 16 of the Health Protection (Coronavirus Restrictions) (No. 5) (Wales) Regulations 2020.

First published:
10 July 2020


Coronavirus is still with us. The purpose of our Test, Trace, Protect strategy is to control the spread of new outbreaks. For this to work, it is essential to know where those who have tested positive may have been in contact with others.

People will increasingly mix with others, increasing the risk of spreading the coronavirus. Some places of business carry a higher risk of people mixing. These businesses are essential in supporting contact tracing and keeping Wales safe.

All businesses open to the public should have a system in place to ensure social distancing at all times. They should be following staying safe at work guidance. Welsh law requires all businesses to take all reasonable measures to minimise the risk of exposure to coronavirus. The starting point is ensuring people keep a 2 metre distance from each other. Where this is not reasonably practical, other measures must be put in place. Examples of these may include:

  • using protective screens
  • re-arranging furniture and fittings
  • controlling the flow of people
  • wearing face coverings and other protective equipment

The Test, Trace, Protect service needs to know who those who test positive may have been in contact with. If someone visited premises open to the public, contact tracers need to know who else was there at the same time. For that reason, certain businesses must collect and keep information about who has been on the premises, and when, for 21 days.

This guidance provides advice for businesses on collecting and keeping this information.

NHS Wales Test, Trace, Protect service

Public sector organisations deliver the NHS Wales Test, Trace, Protect service. These include public health bodies and local authorities.  Working together they help to contain the spread of the virus.

For further information, visit Contact Tracing: your questions.

Why do you need to maintain records of staff, customers and visitors?

Regulation 16 of the Health Protection (Coronavirus Restrictions) (No. 5) (Wales) Regulations 2020 requires reasonable measures to be taken to minimise the risk of exposure to coronavirus on premises open to the public and on any premises where work takes place, as well as to minimise the spread of coronavirus by those who have been on the premises.

One example of these reasonable measures contained in regulation 16 is:

Collecting contact information from each person at the premises and retaining it for 21 days for the purpose of providing it to any of the following, upon their request

(i)  the Welsh Ministers

(ii)  a contact tracer

Another reasonable measure is:

(a)     taking reasonable measures to ensure that such contact information is correct

'Contact information', in relation to a person at the premises, means the person’s name and information sufficient to enable the person to be contacted, to inform them that they may have been exposed to coronavirus at the premises (including a telephone number and the date and time at which the person was at the premises).

Whether this measure is one that is “reasonable” and is, therefore, one that must be taken will depend on the circumstances, including how much people who don’t know each other mix on the premises.  It may also depend on whether there is a risk of them coming into close contact with each other. (See “Who does this apply to?” below).

By adhering to these Regulations you will help to identify people who may have been exposed to the virus. Containing outbreaks is crucial to reducing the spread of coronavirus, protecting the NHS in Wales and saving lives. This will support the country in returning to, and maintaining, a more normal way of life.

Who does this guidance apply to?

There is a higher risk of spreading coronavirus in some sectors. This is because people will spend a longer time on these premises than in other surroundings. They may then come into close contact with people outside of their household (or extended household if they have formed one). 

The legal requirements in regulation 16 are based on the idea of doing what is “reasonable”, depending on the circumstances. It is the Welsh Ministers' view that it is a reasonable measure for the following to collect and keep contact information:

  • hospitality venues, including pubs, bars, restaurants and cafes
  • cinemas
  • close contact services including hairdressers, barbers, beauticians, tattooists, sports and massage therapists
  • swimming pools, indoor fitness studios, gyms, spas or other indoor leisure centres or facilities
  • casinos
  • bingo halls

These businesses must ensure they are collecting and keeping contact information for 21 days where it is reasonable to do so. There may be exceptional circumstances where the information must be kept for a longer period. An example of this is where police ask for information 20 days after collection.

Where people enter premises only to collect something and immediately leave, it would not be a reasonable measure to collect and keep contact information.  An example of this is where outlets provide takeaway food. Measures to ensure 2 metre physical distancing is maintained must be in place in customer waiting areas. Face coverings must also be worn inside in public areas. Face coverings guidance has been published for both employers and the public. Some businesses offer a mixture of a sit-in service and takeaway service. They only need to collect contact information for customers who are sitting in. Similarly contact information is not needed from those making deliveries to premises.

Contact information collected must be accurate. There must be reasonable measures in place to ensure this is the case. Customers will need to provide proof of their name when filling in contact details. Types of proof could include, for example, a driver's licence, bank or credit cards.

Retail premises are not generally required to collect contact information. The focus is on higher risk settings where close interaction between people over a sustained period of time is more likely. Tourism accommodation providers collect visitor data through bookings, as a matter of course. 

In addition to maintaining records and sharing them when requested, Welsh Government guidance on taking reasonable measures to minimise the risk of exposure to coronavirus (also issued under regulation 18) and other guidance such as the guidance for tourism and hospitality businesses for a phased and safe re-opening should also be followed.

What happens if this information is not collected and retained?

Local authority environmental health officers (EHOs) can take enforcement action where regulation 16 applies. This includes requiring improvements to be made and if necessary requiring a premises to close. EHOs can issue a Premises Improvement Notice or a Premises Closure Notice as appropriate.

What information needs to be collected?

You need to collect enough information for a contact tracer to contact a person if a positive case is identified.


Staff

  • The names of staff who work at the premises
  • A contact telephone number for each member of staff
  • The dates and times that staff are at work

Customers and visitors

  • The names of customers or visitors
  • A contact telephone number for each customer or visitor
  • Date of visit and arrival and departure time

Many businesses that take bookings already have systems for recording their customers' and visitors' details. This can serve as the source of the information above.

Some businesses collect this information in advance. Otherwise, you should collect this information when visitors enter the premises. You should record the information digitally if possible. A paper record is acceptable too. You should collect information in a way that is manageable for your establishment.

Remember: the onus is on the business or person responsible for the premises, not the customer or visitor.

NHS Covid-19 app users are able to scan (check-in) as they enter a venue. This doesn’t replace the legal requirement for certain high risk businesses in Wales to collect information from people. Premises which are required to collect details of staff, customers and visitors must do so. This includes people who check in through the app.

At times you will collect the data of children under the age of 18, for example, where a 16 year old person visits the premises. You must consider any associated risk in retaining this information. You can find further information on these risks on the Information Commissioner’s Office (ICO) website.

Recording departure times as well as arrival times is also required. This includes staff shift times. It is acknowledged that in certain circumstances this may be difficult. It is needed to help reduce the number of people the NHS Wales Test, Trace, Protect service may need to contact. Those contacted may potentially be asked to self-isolate.

What if someone does not wish to share their details?

You will play an important role in helping your staff, customers and visitors understand the value of the NHS Wales Test, Trace, Protect service. You will need to make it clear to your customers why this information is being collected. You should explain what you intend to do with the information and that it may be shared with the NHS Wales Test, Trace, Protect service if necessary. You can do this, for example, by a verbal explanation, on your website, or with a notice displayed at your premises. Material is available to help you do this. Please be aware that some people may need additional support to access or understand this information.

Sharing details with the NHS Wales Test, Trace, Protect service helps to control the spread of the virus. You should tell people you will only share their details with TTP in the event of a case, cluster or outbreak of coronavirus at your premises. A cluster or outbreak means more than one new case of coronavirus that is tracked back to your premises. The NHS Wales Test, Trace, Protect service will use this information to check if they, and any person in their party, may have been exposed.

If the individual still does not want to share their details, and you are under a duty to collect those details, you should not allow them on the premises.

How should you maintain records?

You should hold records for 21 days from the date of each separate instance in which a person has been on the premises. This will allow for contact tracing and testing, should it be required. After 21 days, this information must be securely disposed of or deleted. When deleting or disposing of data, you must do so in a way that does not risk unintended access. Use cross-cut shredders or similar methods to dispose of paper documents. Do not dispose of them in public bins, and ensure permanent deletion of electronic files.

General Data Protection Regulation (GDPR)

The data you are collecting is personal data and, under the GDPR you are a data controller for that data. This means you have certain legal obligations in handling that data. You will need to be satisfied that you are complying with the GDPR. This is to protect the privacy of your staff, customers and visitors. This section sets out manageable steps you can take to comply. You can find more detailed information at (ICO) Guidance. You may need to register with the ICO. This is because you will be the data controller for this information.

You should tell customers that their data may be passed to the NHS Wales Test, Trace, Protect service.  This will only be in the event of a case, cluster or outbreak of coronavirus that is tracked back to your premises. If you have a database that holds contact details of regular customers, or if you already collect this information for ordinary business purposes, you will not necessarily have to contact each customer individually, although this will require separate notification. If someone refuses consent, and you are under a duty to collect those details, they should not be allowed on the premises.

The way you process any personal data you collect must be fair, transparent and lawful. You can collect personal data only for use for contact tracing. This is data you would not usually collect in the course of your business. You must not use this data for other purposes unrelated to contact tracing. The data you collect or share should not have an unjustified detrimental impact on any individuals. This, together with the fact that collection of the data is in the public interest of providing a public health response to minimise the risk of spreading coronavirus, forms a lawful basis for processing personal data under Article 6(1)(c).

Appropriate security measures must be in place to protect customer contact information - see ICO guidance. These measures will vary depending on how you choose to hold this information. They will differ according to whether you collect it in hard copy or electronically. Welsh Government would prefer that you take electronic measures. We understand that this will not be possible for all businesses.

Individuals have a number of rights under the GDPR (see ICO guidance for more details). You must ensure that they can exercise these rights.

More information on data protection and the coronavirus can be found on the ICO website.

When should information be shared with the NHS Wales Test, Trace, Protect service?

The service will ask for these records only where it is necessary. This will be because:

  • someone who has tested positive for coronavirus has listed your premises as a place they have worked at or visited recently
  • the service has identified your premises as the location of a potential cluster or outbreak of coronavirus

You must share the information with the NHS Wales Test, Trace, Protect service as soon as possible. You must not share the information you have collected with anyone else.

The NHS Wales Test, Trace, Protect service will handle the data according to GDPR, security and ethical standards at every stage of the process - from its collection and storage to its transfer and use by the service. The service will use it only for the purposes of tracing contacts. You should not contact customers to notify them of any symptoms other customers may be experiencing. This may constitute a breach.

What will happen if a visitor, customer or member of staff displays symptoms of COVID-19 or tests positive for coronavirus?

If anyone develops COVID-19 symptoms, then they should self-isolate immediately. They should also apply for a free COVID-19 antigen test.

If customers are staying at your premises and they display symptoms, they should return home as quickly as possible, if well enough to do so. All members of their party must also return home. This applies to situations where people are spending an extended time on your premises, such as in a hotel. They must use the most direct route, and should not use public transport. They should then self-isolate immediately and follow the self-isolation guidance. The person with symptoms should apply for a free COVID-19 antigen test, preferably at a convenient location close to their home, as soon as possible.

What can I expect if my business is contacted by the NHS Wales Test, Trace, Protect service?

The NHS Wales Test, Trace, Protect service will only contact your business if it needs to trace potential contacts. Calls will usually come from this number: 02921 961133

  • if you miss a call from the service, they will call you again
  • it is important that you answer calls from the service promptly
  • you will not receive a voicemail. If you ring the number back you will hear a message confirming that you were called by the NHS Wales Test, Trace, Protect service
  • calls from this number are outbound only, so you will not be able to speak to a contact tracer and will need to wait for a call back the following day
  • they will ask if you want to provide information over the telephone or via the NHS Test, Trace, Protect service website
  • if you choose to provide information via the website, a secure one-time code will be texted to you with the link to the form you need to complete
  • if you cannot use the website, your information will be taken over the telephone
  • they may ask you to provide the contact information you have collected for the purposes of supporting the NHS Wales Test, Trace, Protect service
  • they will not ask for any financial information, bank details, passwords or any other data not covered above
  • if you have any doubts then you should not provide the information. For more information on staying alert to scams

What steps will the NHS Wales Test, Trace, Protect service take to minimise transmission if a potential outbreak on your premises is identified?

The service will decide on a case-by-case basis what follow-up action to take. They will:

  • undertake a risk assessment
  • provide public health advice
  • where necessary, establish a multi-agency outbreak control team to manage the incident

This could include:

  • arranging for your staff to be tested even if they do not have symptoms
  • asking your staff to take extra care with social distancing
  • asking your staff to self-isolate

Anyone who is asked to self-isolate should follow the self-isolation guidance. They can also review our contact tracing guidance and support.

An employer must not make it difficult for employees to self-isolate. An employer who does this may be issued with a fixed penalty notice of up to £10,000 and could face prosecution.

You must share your visitor/customer log if asked to do so by the service. This is to identify other people who may have come into contact with the person who tested positive. They will look at the period up to 2 days before their symptoms started. It is also used to help identify clusters. This is where more than one case appears to point back to a common place and time. The service will follow up any customers and visitors identified as confirmed contacts. They will make the contact; you are not expected to do this yourself.

The service may identify that an outbreak has started on your premises. In this case, a rapid response team will be assigned to gather information and offer you support.