
Privacy Statement

Your information – Your rights – What you need to know 

This page explains why NHS Wales collects information about you and how this may be used.

Why does NHS Wales collect information about you?

To help you

Many organisations in the NHS, such as hospitals, GPs, Dentists, Opticians, and Community Pharmacists, provide healthcare services to the people of Wales.

The people providing these services aim to provide you with the highest quality care. To do this they must keep records about your health and any treatment or care which they provide you. The NHS holds your information in a written or computer record; sometimes it is in both. These records help to guide and manage the care you receive.

This is to make sure that:

  • the people who are involved in your care have accurate and up-to-date information to assess your health and decide what treatment or care you need, and when and where you will receive it. They may be part of the health care team or a support service providing your care
  • you are invited to receive routine treatment such as immunisations and relevant screening programmes
  • there is a good basis for assessing the type and quality of care you have received. This will lead to better care both for you and for other patients in the future
  • if you need to complain about the care you receive, your concerns or complaints can be properly investigated

When we collect and use your personal information, we will ensure this is processed in accordance with at least one of the legal grounds available to us under data protection legislation. Where necessary, we may process your personal information either with your consent or where the law enables us to do so, for example, where we have a legal obligation as a public authority and/or in carrying out our functions or performing a task in the interests of the public.

You may receive care from organisations that are not part of NHS Wales, such as Social Services or private and voluntary health and social care providers. If so, there may be a need to share some information about you so that everyone involved in your treatment or care can work together for your benefit.

If you are a Welsh resident who has received treatment by an NHS care provider in England, your information will be shared back into NHS Wales in order to verify and combine with your information held in Wales. That information will be used by the Health Board/Trust to identify you and validate what care was provided.

NHS Wales handles your information in the strictest confidence whenever it is used. We will ensure that:

  • only the minimum amount of information needed will be passed on
  • anyone receiving information about you is under an obligation to keep it confidential and safe, and to only use the information for the specified purpose
  • information sharing agreements between organisations will control the way your information is shared
  • secure systems are in place to help prevent unauthorised access to your information

We will keep your personal information for as long as we need to, so that we are able to deliver our services and to make sure that we are providing you with the highest quality care. We will keep your information in line with our legal requirements and the law. When your information is no longer required, we will make sure it is disposed of in a secure manner.

To help NHS Wales

From time to time, your information can help to run and improve the NHS in Wales by using it to:

  • review the care given to patients to make sure it is of the highest possible standard
  • make sure services are planned to meet patients’ needs in the future
  • investigate complaints, legal claims or important incidents
  • check and report on how effectively NHS Wales has been performing
  • make sure that NHS Wales gives value for money

If your information is used, whenever possible all personal information will be removed. Where this is not possible, rules and contracts are in place to ensure that patient information is safe and its use complies with the law.

Sometimes we have to use organisations outside of NHS Wales to provide information services, for example, for audit or computer system maintenance. Where this is the case, these outside organisations must meet strict NHS rules around the safety and security of your information.

To help others

Your information may be used to help protect and improve the health of other people, and to help create new services. This will always be in line with data protection laws.

Where necessary and to comply with the law, the people involved in your care may have to give personal information to certain organisations, for example if you have an infectious disease, which may endanger the safety of others (e.g. acute meningitis, whooping cough or measles).

Some services need information to support medical research and find out how diseases develop. This will make sure that:

  • healthcare organisations can plan ahead and provide the right services to the right people
  • progress can be made in diagnosing and managing diseases
  • drugs can be made more effective, for example by reducing side effects

Whenever possible your information will be anonymised. Where it is required to be identifiable, strict confidentiality rules will apply.

Data protection laws and your rights

There are laws which provide certain rights to individuals regarding the processing of their personal information. Within health, these rights include a right to:

  • be informed about the reasons why we collect and use your information. We have a duty to ensure the information we use is limited to what is necessary for that purpose and to either inform you or ask for your consent if we use it for another reason
  • either look at or receive a copy of your health records (whether held in writing or on a computer)
  • correct any inaccurate information we hold on you. We have a duty to keep information about you accurate; however, it should be noted that entries in your health record cannot generally be amended, although this will be considered on a case-by-case basis
  • object to us processing your information, for example, for marketing reasons
  • ensure that your information is kept for no longer than is necessary
  • expect your information to be protected from unauthorised or unlawful processing and against accidental loss, destruction or damage

Not all individual rights under data protection law are absolute. Where possible we will look to comply with any request from you, but we may need to hold or process your personal information in connection with one or more of our legal functions.

To follow up any of these rights please see the contact details on our website or speak to a Receptionist for further information.

Many organisations in the NHS, such as hospitals, GPs, Dentists, Opticians, and Community Pharmacists, provide healthcare services.

The people providing these services aim to provide you with the highest quality care. To do this they must keep records about your health and any treatment or care they provide you.

They take their responsibility to look after your information very seriously. NHS Wales staff are under a legal duty to keep your information confidential, accurate and secure at all times, and are trained to handle your information correctly and to protect your privacy.

There may be a need to share your information with people and organisations within the NHS who are responsible for providing you with treatment and care. For example, your Dentist could share your information with a doctor in a hospital so that they can provide you with further treatment, or a hospital could share information about your medication following discharge with your community Pharmacist so that they can carry out a medication review.

Sometimes members of a care team, which may include people from organisations such as health, social care, or other care organisations, may need to share your information within the team to provide your care.

There may be occasions where we are required to use or share your information to help us to plan our services for patients and check how well we are doing when we provide you with treatment and care.

We will only share the minimum information needed at that time and only where the law allows us to share it. We will never sell your information.

Further Information

Leaflets are available which give you more details about how we manage your information and the rights you have in respect of the personal information that we hold about you. A child-friendly privacy notice can be found HERE

Please ask a member of staff for a copy or you can download the electronic version below.

If you have any concerns about the way your information is used you may wish to discuss these with the healthcare professional responsible for your care or our Data Protection Officer. Contact details for the Data Protection Officer for Cwm Taf Morgannwg University Health Board are:

Data Protection Officer
Cwm Taf Morgannwg University Health Board
Ynysmeurig House
Navigation Park
CF45 4SN

Telephone: 01443 744800 and ask for the Data Protection Officer.