Test and Protect Service | Collection of Personal Data

During the COVID-19 (Coronavirus) pandemic, we're supporting NHS Scotland’s Test and Protect strategy in line with data protection requirements.

Who we are

The Board of Trustees of the National Galleries of Scotland is the Data Controller for any personal data you give to us or we collect about you. Our full contact details are:

National Galleries of Scotland
73 Belford Road

0131 624 6200
[email protected]

National Galleries of Scotland is a charity registered in Scotland, No. SC003728. VAT No. GB 100 1904 82

We are a data ‘controller’, which means we are responsible for deciding how we hold and use your personal information.

This notice explains how and why we will collect and use your personal information and your rights in relation to your personal information. We may amend this notice at any time. Please refer back to this page for the most recent version. You may be notified directly of any significant changes which affect you where we believe it is appropriate and proportionate to do so.

Why do we need to collect this data?

For the health and safety of the visitors, staff and contractors, we are recording the name and contact details of those who enter our buildings. This information may be shared with NHS Scotland and their statutory partners to contact you should you have been in the premises around the same time as someone who has tested positive for coronavirus

If your data has been gathered for another purpose, e.g. to book a visit, it will continue to be used for that purpose, in line with the relevant privacy notices. It will not be used for any other purpose.

For further information on the NHS Scotland Test and Protect strategy please visit the NHS website


What data will we collect?

Along with the date and time of your arrival and departure, we will collect the following personal data if applicable:

  • your name; and
  • contact telephone number

If you do not have a telephone number, you have the option to provide:

  • a postal address; or
  • an email address

In many cases, we will already hold most of this information if it was provided for another reason, such as when making a booking to visit, or if you are an employee.

For bookings, only one person’s name and contact number/ email per party is required.

What is our lawful basis for collecting this data?

Under data protection law, GDPR Article 6 (1), we have a number of lawful bases that allow us to collect and process personal information. In this case, the lawful basis for processing your data is 'legitimate interests' to assist with NHS Scotland’s Test and Protect strategy in relation to the coronavirus public health epidemic.

How long will we retain the data?

Your personal data would only be used for the purposes stated in this privacy notice within 3 weeks (21 days) of your visit. Personal data provided solely for Test and Protect will be deleted once this period has passed.

Any personal data which was provided for another purpose, such as to make a booking to visit the Galleries, may be held for a longer period. This will be explained in the relevant privacy notice, such as the Website user privacy notice.

In all cases, personal data will be held and disposed of in a safe and secure manner.

Your rights over the data we hold on you

You are in complete control. You can object or withdraw your consent to the use of your personal data at any time. This may mean however, that we are no longer able to provide you with a particular service or communication where the information processing is an integral part of the service. We will tell you if this is likely to be the case. Subject to some legal exceptions, you have the right:

  • To access the data we hold about you and to know what we are doing with it
  • To have any inaccuracies corrected
  • To have your personal data erased
  • To place a restriction on our processing of your data
  • To object to processing
  • To request your data to be ported (data portability)

If you want to learn more about these rights, please see the Information Commissioner’s Office (ICO) website www.ico.org.uk


As well as contacting the Data Protection Officer using the details above, you can use our Feedback procedure to make a complaint about the way we process your personal information.

You also have the right to lodge a complaint directly with the UK Information Commissioner's Office (ICO), the data protection supervisory authority in the UK.