The purpose of this notice

This notice has been provided to you by the organisation responsible for processing your personal information and is intended as a supplement to that organisation’s standard Privacy Notice. This notice explains how your personal information is processed during the particular circumstances around Covid-19 and the Test, Trace and Protect programme. For further information about how the organisation processes your information, including your rights as a data subject and how to exercise them, you should consult their standard Privacy Notice which will be available via their website (see details below), or contact their Data Protection Officer.


Contact tracing is a fundamental approach to public health practice and has the aim of reducing the number of secondary cases of an infectious disease in an outbreak and the consequences of infection in subsequent cases.

In this next recovery phase contact tracing will seek to achieve its aim of reducing transmission of the infection by identifying contacts who may have come into contact with the person with COVID-19 at the time the case was infectious.

The organisations that are processing your personal data?

Depending on where you live and the contact that you have through the contact tracing service, your data may be processed by one or more of the organisations listed below. All organisations names have the status of ‘Joint Data Controller’, which means that they are responsible in law for the data that they process and they are all party to an agreement across Wales that sets out how and why they process that information.

  • All 22 Welsh Local Authorities
  • All 7 Local Health Boards
  • Public Health Wales NHS Trust
  • Velindre Hospital NHS Trust (through NHS Wales Informatics Service - NWIS)
  • Welsh Ambulance Service Trust 

The personal data being processed

To trace the contacts of people with COVID-19, contact tracers will need to collect personal data.  The data we will collect about you will include;

  • Full name
  • Date of birth
  • Gender
  • NHS number
  • Full Address including postcode
  • Telephone number and email address
  • Details on COVID-19 symptoms
  • Details on COVID-19 Test Results
  • Disability and ethnicity data
  • Places you’ve visited
  • Names & Addresses of people you have been in close contact with

If the contact details of those you have been in close contact with are not known we may need to contact employers for details.

How long the personal data is kept

The data we collect for people tested positive with Covid-19 will be held for 7 years.

The data collected on contacts of people with COVID-19 but do not have any symptoms will be held for the minimum retention period of 5 years.

Test results and information related to any ongoing conditions related to Covid 19 will also reside in your electronic health record for a longer period in accordance with normal NHS retention schedules.

Information used for other purposes

Information held may also be used for:

  • Understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks
  • Identifying and understanding information about patients or potential patients with or at risk of COVID-19
  • Delivering services to patients, clinicians, the health services
  • Research and planning in relation to COVID-19 (including potentially being invited to be part of clinical trials)
  • Monitoring the progress and development of COVID-19

The legal basis for processing your personal data

  • The legal basis for processing your personal data for contract tracing purposes under the General Data Protection Regulation (GDPR) is:
  • Article 6(1)(e) – Task carried out in the public interest or in the exercise of official authority vested in the controller

For special category data an additional legal basis is required and is:

  • Article 9(2)(i) - Processing must be necessary for reasons of public interest in the area of public health (such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices)
  • Article 9(2)(h) Provision of preventative or occupational medicine, health or social care or treatment, or the management of health or social care systems

Other applicable legislation

  • Public Health (Control of Disease) Act 1984
  • The Health Service (Control of Patient Information) Regulations 2002
  • Coronavirus Act 2020
  • The Health Protection (Coronavirus Restrictions) (Wales) Regulations 2020

Useful Contacts

You will find details on how the Local Health Board or Local Authority handles information from their own local privacy notices.  

You can find contact details for your Local Health Board and Local Authorities by visiting:

Public Health Wales provides specialist support, advice and leadership at a national level supported by NWIS who provide the digital platform.

If you would like further information on how Public Health Wales handles your personal data, or how we work with data processors please see our main Privacy Notice (PHW) (external link).

If you would like further information on how NWIS handles your personal data, or how we work with data processors please see our main Privacy Notice (NWIS) (external link).

If you have any concerns or complaints over the handling of your personal data you should in the first instance contact the Data Protection Officer at your local authority or Local Health Board, you can find this from the contacts listed above. 

If however you remain unsatisfied you may complain to the Information Commissioner’s Officer at the following address

Information Commissioner’s Office – Wales
2nd Floor, Churchill House
Churchill Way
CF10 2HH
Telephone 0330 414 6421