Cardiff Council

Cardiff and Vale Trace and Protect Covid-19

This privacy notice explains how Cardiff Council, Vale of Glamorgan and Cardiff and Vale University Health Board (as Data Controllers) will collect, use and protect personal data specifically with regard to the coronavirus pandemic.

Personal information is shared across organisations for the purpose of responding to the critical public health crisis in respect of the COVID-19 pandemic. The personal data in respect of this service is processed for three purposes:

  • Testing key health and social care workers, other critical workers, members of their household and citizens across the Cardiff and Vale UHB area at Community Testing Units, Mobile Testing Units and/or at home.
  • Using results of confirmed cases to make contact with individuals, and to identify details of and make contact with household members.
  • Enhancing the public health surveillance and response system to enable the prevention of infection and the tracking of the virus as restrictions are eased. The Protection Team operated by Cardiff Council and Vale of Glamorgan Council will make daily contact with the Primary and Secondary Contacts to monitor their wellbeing and provide advice and clinical recommendations.

What is the legal basis for our use of your personal information?

Some of the personal information we process is provided to us directly by you, or your representative, for the following reasons:
  • In order to operate a COVID-19 contact tracing service, including providing advice and support to those that have been in contact with an individual who has received a positive SARS-CoV-2 test, and the booking of SARS-CoV-2 tests for those displaying COVID-19 symptoms.
  • In order to comply with our responsibilities as employers, where a staff member contracts COVID as a result of an incident at work, the data controllers may be required to report it to the Health and Safety Executive in accordance with RIDDOR (Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013).

We also receive personal information indirectly, from the following sources in the following scenarios:
  • If you have received a positive SARS-CoV-2 test, your name, date of birth, address and contact details would have been provided to us by your testing centre operated by one of the partner organisations.
  • If you have been identified as having been potentially in contact with an individual who has received a positive SARS-CoV-2 test, your name, date of birth, address and contact details would have been provided to us by that individual or their representative or employer, or another organisation or individual that may hold the relevant information.

The lawful bases we rely on for using your personal information are:  

  • GDPR Article 6 (c) we need it for compliance with a legal obligation
  • GDPR Article 6 (e) we need it to perform a public task

As extra protection is provided for certain classes of information called 'special category personal data' such as health information, an additional lawful basis must be identified in order to process these classes of information, as outlined below:
  • UK GDPR Article 9(i) – processing is necessary for reasons of public interest in the protection of public health.

Other applicable articles may include:

  • UK GDPR Article 9(g) – processing is necessary for reasons of substantial public interest
  • UK GDPR Article 9 (2) (h) – provision of preventative or occupational medicine, health or social care or treatment, or the management of health or social care systems

Data Protection Act 2018 – Schedule 1, Part 1, (2) (2) (f) – Health and social care purposes
Data Protection Act 2018 – Schedule 1, Part 1, (3) (a) – necessary for reasons of public interest in the area of public health

Your data may also be processed by one or more of the partner organisations listed below. 

All partner organisations have the status of ‘Joint Data Controller’, which means that they are responsible in law for the data that they process, and we are all party to an agreement that sets out how and why we process that information.

  • All 22 Welsh Local Authorities
  • All 7 Local Health Boards
  • Public Health Wales NHS Trust
  • Digital Health and Care Wales – (DHCW)
  • Welsh Ambulance Service Trust

In limited circumstances your information may be shared with organisations who are not directly involved in the contact tracing process. For example, the self-isolation regulations make it a legal requirement for people to self-isolate if instructed to do so by a contact tracer. The agencies responsible for enforcing the self-isolation regulations may ask a contact tracer for the self-isolation status of an individual. They will only make the request if they suspect an individual is not self-isolating when they should be.

Specific procedures set out the detail of how such requests and disclosures are handled. Further detail regarding the legislation that allows for information to be shared is available on the Welsh Government webpage.

How we store your personal information

Your information is stored securely. We keep information only for as long as it is needed, and when it is no longer needed it will be deleted or destroyed securely.

  • The data we collect for people who have tested positive for COVID-19 will be held for 7 years
  • The data collected on contacts of people with COVID-19 who do not have any symptoms will be held for the minimum retention period of 5 years
  • Test results and information related to any ongoing conditions related to COVID-19 will also reside in your electronic health record for a longer period in accordance with normal NHS retention schedules

The processing of your data for contact tracing purposes is supported by:

  • Public Health (Control of Disease) Act 1984
  • Coronavirus Act 2020
  • The Health Protection (Notifications)(Wales) Regulations 2010
  • The Health Protection (Local Authority Powers) (Wales) Regulations 2010
  • The Health Protection (Coronavirus Restrictions) (Wales) Regulations 2020

Covid-19 Vaccine Programme

To oversee preparations for the Covid-19 vaccine delivery programme in Wales, and the offer of a vaccine to health and care staff, information on eligible staff will be shared. This will be the minimum amount of personal data necessary to create lists of those staff to be offered a vaccination.

To support the creation of this list, demographic details already held about you will be shared with Digital Health and Care Wales (DHCW). Data will be shared with DHCW in a secure manner, and DHCW will use this data to ensure staff are accurately identified ahead of the administration of any vaccine. Your details are not kept for any longer than they are required for these purposes and when no longer required are securely disposed of.

Your vaccination status may be used for verification (for example, to ensure you are provided with appropriate information about any requirement to self-isolate).

Your rights

Under data protection law, you have rights including:
  • Your right of access - You have the right to ask us for copies of your personal information.
  • Your right to rectification - You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to restriction of processing - You have the right to ask us to restrict the processing of your information in certain circumstances.
  • Your right to object to processing - You have the right to object to the processing of your personal data in certain circumstances.
  • You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

How to complain if you are unhappy about how your data is used

You can complain directly to:

Cardiff Council
By post: Data Protection Officer, County Hall, Room 357, Atlantic Wharf, Cardiff Bay, CF10 4UW

Vale of Glamorgan Council
By post: The Data Protection Officer, Vale of Glamorgan Council, Civic Offices, Holton Road, Barry, Vale of Glamorgan, CF63 4RU

Cardiff and Vale University Health Board
By post: Cardiff and Vale University Health Board, Information Governance Department, Woodland House, Maes-y-Coed Road, Cardiff, CF14 4TT

You also have the right to complain to the Information Commissioner’s Office using the following details:

Information Commissioner's Office (ICO)
By post: The Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0330 414 6421
Further advice and guidance from the ICO on this issue can be found on the ICO website.


© 2022 Cardiff Council