Your information – Your rights – What you need to know
This page explains why NHS Wales collects information about you and how this may be used.
Why does NHS Wales collect information about you?
To help you
Many organisations in the NHS such as, hospitals, GPs, Dentists, Opticians, and Community Pharmacists provide healthcare services to the people of Wales.
The people providing these services aim to provide you with the highest quality care. To do this they must keep records about your health and any treatment or care which they provide you. The NHS hold your information in a written or computer record, sometimes it is in both. These records help to guide and manage the care you receive.
This is to make sure that:
When we collect and use your personal information, we will ensure this is processed in accordance with at least one of the legal grounds available to us under data protection legislation. Where necessary, we may process your personal information either with your consent or where the law enables us to do so. For example, where we have a legal obligation as a public authority and/or in carrying out our functions or performing a task in the interests of the public.
You may receive care from organisations that are not part of NHS Wales, such as Social Services or private and voluntary health and social care providers. If so, there may be a need to share some information about you so that everyone involved in your treatment or care can work together for your benefit.
If you are a Welsh resident who has received treatment by an NHS care provider in England, your information will be shared back into NHS Wales in order to verify and combine with your information held in Wales. That information will be used by the Health Board/Trust to identify you and validate what care was provided.
NHS Wales handles your information in the strictest confidence whenever it is used. We will ensure that:
We will keep your personal information for as long as we need to, so that we are able to deliver our services and to make sure that we are providing you with the highest quality care. We will keep your information in line with our legal requirements and the law. When your information is no longer required, we will make sure it is disposed of in a secure manner. Further information as to how the UHB handles and processes all records in accordance with the legal requirements, codes of practice and guidance issued by relevant authorities including, but not restricted, to the Welsh Government and the Information Commissioner’s Office is contained in our records management policy and is available at the following web address.
As described in the policy, we have adopted the retention periods set out in the Records Management: NHS Code of Practice (detailed in the UHB’s Retention Schedules for Health and Non-Health Records). As retention periods vary by the type of record, a searchable schedule to help you find the information that you require is available at this web link:
To help NHS Wales
From time to time, your information can help to run and improve the NHS in Wales by using it to:
If your information is used, whenever possible all personal information will be removed. Where this is not possible, rules and contracts are in place to ensure that patient information is safe and its use complies with the law.
Sometimes we have to use organisations outside of NHS Wales to provide information services, for example, for audit or computer system maintenance. Where this is the case, these outside organisations must meet strict NHS rules around the safety and security of your information.
To help others
Your information may be used to help protect and improve the health of other people, and to help create new services. This will always be in line with data protection laws.
Where necessary and to comply with the law, the people involved in your care may have to give personal information to certain organisations, for example if you have an infectious disease, which may endanger the safety of others (e.g. acute meningitis, whooping cough or measles).
Some services need information to support medical research and find out how diseases develop. This will make sure that:
Whenever possible your information will anonymised, where it is required to be identifiable, strict confidentiality rules will apply.
Data protection laws and your rights
There are laws, which provide certain rights to individuals regarding the processing of their personal information. Within health these rights include, a right to:
Not all individual rights under data protection law are absolute. Where possible we will look to comply with any request from you, but we may need to hold or process your personal information in connection with one or more of our legal functions.
To follow up any of these rights please see the contact details on our website or speak to a Receptionist for further information.
Sharing your information
Many organisations in the NHS such as, hospitals, GPs, Dentists, Opticians, and Community Pharmacists provide healthcare services
The people providing these services aim to provide you with the highest quality care. To do this they must keep records about your health and any treatment or care they provide you.
They take their responsibility to look after your information very seriously. NHS Wales staff are under a legal duty to keep your information confidential, accurate and secure at all times, and are trained to handle your information correctly and to protect your privacy.
There may be a need to share your information with people and organisations within the NHS who are responsible for providing you with treatment and care. For example, your Dentist could share your information with a doctor in a hospital, so that they can provide you with further treatment or a hospital could share information about your medication following discharge, with your community Pharmacist for them to carry out a medication review.
Where it is relevant to do so, we may share your information with other organisations directly concerned with health, education, safety, crime prevention and social well being (including a limited number of third sector organisations). Further information about this data sharing is provided at www.waspi.org
To deliver care, we also need to share your data with organisations that provide services to us (for example our cloud-based data storage providers or computer system providers). These will all be organisations with which we have legal contracts and measures in place to safeguard your individual rights.
Data protection laws: Our legal basis for collecting, holding and using your information
As a public sector body we are here to provide you with healthcare and well being services. Data protection law sets out various lawful legal bases (or ‘conditions’) which allow us to collect, hold and use your personal information, these are
Data protection law recognises certain "special categories" of personal information, which is information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic information, biometric information for uniquely identifying a person, information concerning health, and information concerning a person's sex life or sexual orientation. These special categories are considered particularly sensitive
and so we will only collect and use this information where one or more of the following conditions applies:
Information we Collect
Information we may collect about you and where it comes from?
The Health Board holds and records information about you including: -
Information we receive from other sources
We work closely with other organisations, such as other NHS bodies, academic institutions and social care providers, and we may receive information about you from them. We also share information with third parties who provide services for us, such as analytics providers and search information providers.
If you are a Welsh resident who has received treatment by an NHS care provider elsewhere in the United Kingdom, your information will be shared back into NHS Wales in order to verify and combine with your information held in Wales. That information will be used by the Health Board/Trust to identify you and validate what care was provided. We Collect
Use of this website & User Tracking
We do not collect personal information about site users. When you voluntarily submit identifiable data on this website (this includes submission of feedback forms, subscriptions or questionnaires), the information submitted is used solely to respond to your queries and for its intended purpose. We do not share web user information with third parties.
We monitor user activity to enhance content provided on the site. Google Analytics (external website) is a free service provided by Google (external website) that generates detailed statistics about the visitors to a website.
Information collected includes referring / exit web pages, click patterns, most / least viewed web pages, session duration, number of visitors, browser type, operating system, etc. Information is collected by using cookies.
Leaflets are available which give you more details about how we manage your information and the rights you have in respect of the personal information that we hold about you. A child friendly privacy notice can be found HERE
Please ask a member of staff for a copy or you can download the electronic version below.
If you have any concerns about the way your information is used you may wish to discuss these with the healthcare professional responsible for your care or our Data Protection Officer. Contact details for the Data Protection Officer for Cwm Taf Morgannwg University Health Board are:
Data Protection Officer
Cwm Taf Morgannwg University Health Board
Telephone: 01443 744800 and ask for the Data Protection Officer.