Skip to main content

COVID-19 Test and Trace Privacy Policy

This policy was last updated on 29 July 2020.

This privacy policy details how Cadw (Welsh Government) is supporting the Welsh Government’s Test, Trace, Protect strategy against the spread of coronavirus in Wales.

As part of this, we would like to assure you that we are committed to meeting our data policy obligations in line with GDPR and will continue to handle your information securely.

Cadw (Welsh Government) is the Data Controller for information you provide to us as a heritage organisation and is responsible for compliance with data protection legislation for the period that we hold your information on our database. Cadw (Welsh Government) will process your personal information as part of our public task.


What information do we collect and how?

We are collecting contact information for all of our members, visitors (including school and group organisers), customers, contractors, volunteers, and staff who enter or use facilities at our staffed heritage sites, including:

  • Name
  • Telephone number
  • Date and time of visit

Contact information for our members, visitors and customers will be collected at point of reservation or purchase of site entry tickets via our new online booking system for staffed sites.

If you visit on a multiple person membership or as part as a group, we will record the contact details for the ‘lead member’ or person purchasing the tickets online. We will also record the number of people included in the booking.

For volunteers, contractors and members of staff, we will use the contact information you have provided to us and which we have on file, or you will be asked to provide your contact information upon site entry.


How will your information be used?

We will only use your contact information for test and trace purposes unless you have specified otherwise at point of ticket reservation / purchase (such as to receive Cadw e-newsletter marketing).

Where it is necessary for us to collect information that we would not normally collect via the online ticket booking system, it will only be used for the purpose of the Welsh Government Test, Trace, Protect strategy. Unless you have specified otherwise, it will not be used for any other purpose such as marketing.


What is the legal basis for using your information?

Cadw will retain and process your personal booking data for the purpose of the Welsh Government Test, Trace, Protect strategy only — as a legal, legitimate interest.


Who will your information be shared with and why?

Welsh Government and Public Health Wales or your local authority will only ask Cadw for this information where it is necessary, either because someone who has tested positive for COVID-19 has listed one of Cadw’s heritage properties as a place they recently visited, or because one of Cadw’s properties has been identified as the location of a potential local outbreak of COVID-19.

We will only share this information when it is requested by the Test, Trace, Protect programme and will ensure that this information is shared in a safe and secure way.

Where information is shared with Public Health Wales or your local authority to carry out the Test, Trace, Protect Service, Public Health Wales and your local authority will be the Data Controllers for your personal information at the point they receive the data from Cadw.


How long will we keep your information?

We will only use and store your information for as long as it is required for test and trace purposes. Your personal information is collected to allow us to support the Welsh Government Test, Trace and Protect strategy will be retained for twenty one days from the date of your visit.


What are your legal rights?

Allowing us to share your information with the Welsh Government Test, Trace, Protect programme helps us to keep our members, visitors, customers, contractors, volunteers and staff members safe.

Only those that have shared their details shared for the purposes of Test, Trace Protect will be allowed in to the site.

Under data protection legislation, you have the right:

•to be informed of the personal data Welsh Government holds about you and to access it

•to require us to rectify inaccuracies in that data

•to (in certain circumstances) object to or restrict processing

•for (in certain circumstances) your data to be ‘erased’

•to (in certain circumstances) data portability

•to lodge a complaint with the Information Commissioner’s Office (ICO) who is our independent regulator for data protection


Contact Information

For further information about the information which the Welsh Government holds and its use, or if you wish to exercise your rights under the GDPR, please see contact details below:

Data Protection Officer
Welsh Government
Cathays Park
CF10 3NQ


The Information Commissioner’s Office (ICO), our independent regulator for data protection can be contacted at:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF

Telephone: 01625 545 745 or 0303 123 1113    Website:


Changes to this privacy policy

This privacy policy may be updated in due course. When we make changes to this notice, the ‘last updated’ date at the top of this page will also change. Any changes to this policy will apply to you and your data immediately. If these changes affect how your personal data is processed, we will take reasonable steps to let you know.