Privacy Statement

Your information – Your rights – What you need to know 

This page explains why NHS Wales collects information about you and how this may be used.

Why does NHS Wales collect information about you?

To help you

Many organisations in the NHS, such as hospitals, GPs, Dentists, Opticians, and Community Pharmacists, provide healthcare services to the people of Wales.

The people providing these services aim to provide you with the highest quality care. To do this they must keep records about your health and any treatment or care which they provide you. The NHS holds your information in a written or computer record; sometimes it is in both. These records help to guide and manage the care you receive.

This is to make sure that:

  • the people who are involved in your care have accurate and up-to-date information to assess your health and decide what treatment or care you need, and when and where you will receive it. They may be part of the health care team or a support service providing your care
  • you are invited to receive routine treatment such as immunisations and relevant screening programmes
  • there is a good basis for assessing the type and quality of care you have received. This will lead to better care both for you and for other patients in the future
  • if you need to complain about the care you receive, your concerns or complaints can be properly investigated

When we collect and use your personal information, we will ensure this is processed in accordance with at least one of the legal grounds available to us under data protection legislation.  Where necessary, we may process your personal information either with your consent or where the law enables us to do so. For example, where we have a legal obligation as a public authority and/or in carrying out our functions or performing a task in the interests of the public.

You may receive care from organisations that are not part of NHS Wales, such as Social Services or private and voluntary health and social care providers. If so, there may be a need to share some information about you so that everyone involved in your treatment or care can work together for your benefit.

If you are a Welsh resident who has received treatment by an NHS care provider in England, your information will be shared back into NHS Wales in order to verify and combine with your information held in Wales. That information will be used by the Health Board/Trust to identify you and validate what care was provided.

NHS Wales handles your information in the strictest confidence whenever it is used. We will ensure that:

  • only the minimum amount of information needed will be passed on
  • anyone receiving information about you is under an obligation to keep it confidential and safe, and to only use the information for the specified purpose
  • information sharing agreements between organisations will control the way your information is shared
  • secure systems are in place to help prevent unauthorised access to your information

We will keep your personal information for as long as we need to, so that we are able to deliver our services and to make sure that we are providing you with the highest quality care. We will keep your information in line with our legal requirements and the law. When your information is no longer required, we will make sure it is disposed of in a secure manner. Further information as to how the UHB handles and processes all records in accordance with the legal requirements, codes of practice and guidance issued by relevant authorities including, but not restricted to, the Welsh Government and the Information Commissioner’s Office is contained in our records management policy.

As described in the policy, we have adopted the retention periods set out in the Records Management: NHS Code of Practice (detailed in the UHB’s Retention Schedules for Health and Non-Health Records). As retention periods vary by the type of record, a searchable schedule to help you find the information that you require.

To help NHS Wales

From time to time, your information can help to run and improve the NHS in Wales by using it to:

  • review the care given to patients to make sure it is of the highest possible standard
  • make sure services are planned to meet patients’ needs in the future
  • investigate complaints, legal claims or important incidents
  • check and report on how effectively NHS Wales has been performing
  • make sure that NHS Wales gives value for money

If your information is used, whenever possible all personal information will be removed. Where this is not possible, rules and contracts are in place to ensure that patient information is safe and its use complies with the law.

Sometimes we have to use organisations outside of NHS Wales to provide information services, for example, for audit or computer system maintenance. Where this is the case, these outside organisations must meet strict NHS rules around the safety and security of your information.

To help others

Your information may be used to help protect and improve the health of other people, and to help create new services. This will always be in line with data protection laws.

Where necessary and to comply with the law, the people involved in your care may have to give personal information to certain organisations, for example if you have an infectious disease, which may endanger the safety of others (e.g. acute meningitis, whooping cough or measles).

Some services need information to support medical research and find out how diseases develop. This will make sure that:

  • healthcare organisations can plan ahead and provide the right services to the right people
  • progress can be made in diagnosing and managing diseases
  • drugs can be made more effective, for example by reducing side effects

Whenever possible your information will be anonymised; where it is required to be identifiable, strict confidentiality rules will apply.

Data protection laws and your rights

There are laws which provide certain rights to individuals regarding the processing of their personal information. Within health, these rights include a right to:

  • be informed about the reasons why we collect and use your information. We have a duty to ensure the information we use is limited to what is necessary for that purpose and to either inform you or ask for your consent if we use it for another reason
  • either look at or receive a copy of your health records (whether held in writing or on a computer)
  • correct any inaccurate information we hold on you. We have a duty to keep information about you accurate; however, it should be noted that entries in your health record cannot generally be amended, although this will be considered on a case-by-case basis
  • object to us processing your information, for example, for marketing reasons
  • ensure that your information is kept for no longer than is necessary
  • expect your information to be protected from unauthorised or unlawful processing and against accidental loss, destruction or damage

Not all individual rights under data protection law are absolute. Where possible we will look to comply with any request from you, but we may need to hold or process your personal information in connection with one or more of our legal functions.

To follow up any of these rights please see the contact details on our website or speak to a Receptionist for further information.

Sharing your information 

Many organisations in the NHS, such as hospitals, GPs, Dentists, Opticians, and Community Pharmacists, provide healthcare services.

The people providing these services aim to provide you with the highest quality care. To do this they must keep records about your health and any treatment or care they provide you.

They take their responsibility to look after your information very seriously. NHS Wales staff are under a legal duty to keep your information confidential, accurate and secure at all times, and are trained to handle your information correctly and to protect your privacy.

There may be a need to share your information with people and organisations within the NHS who are responsible for providing you with treatment and care. For example, your Dentist could share your information with a doctor in a hospital, so that they can provide you with further treatment, or a hospital could share information about your medication following discharge with your community Pharmacist, so that they can carry out a medication review.

Where it is relevant to do so, we may share your information with other organisations directly concerned with health, education, safety, crime prevention and social well being (including a limited number of third sector organisations). Further information about this data sharing is provided at Wales Accord on the Sharing of Personal Information.

To deliver care, we also need to share your data with organisations that provide services to us (for example our cloud-based data storage providers or computer system providers). These will all be organisations with which we have legal contracts and measures in place to safeguard your individual rights. 

We may also share your personal information with third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements; or to protect our rights, property, or safety of our customers, or others.

Data protection laws: Our legal basis for collecting, holding and using your information 

As a public sector body we are here to provide you with healthcare and well being services. Data protection law sets out various lawful legal bases (or ‘conditions’) which allow us to collect, hold and use your personal information. These are:

  • To perform tasks considered to be in the public interest or in the exercise of official authority (such as providing you with health care). This authority is the National Health Service (Wales) Act 2006 and the Local Health Boards (Directed Functions) (Wales) Regulations 2009.
  • Where we are under a legal obligation which requires us to process your personal information. For example in the planning and commissioning of health and wellbeing services and in fulfilling our public health duties. 
  • Where we have entered into a contract or contracts with you, we may need to use your information to provide you with services. 
  • We will sometimes use your personal information based upon your consent. We will always tell you where this is the case and ask you to agree before we process your information. 
  • Finally, sometimes it is necessary to process your personal information for the purposes of our own legitimate interests. We will only do so where these interests are not overridden by the interests and fundamental rights or the freedoms of the individuals concerned.

Data protection law recognises certain "special categories" of personal information, which is information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic information, biometric information for uniquely identifying a person, information concerning health, and information concerning a person's sex life or sexual orientation. These special categories are considered particularly sensitive and so we will only collect and use this information where one or more of the following conditions applies:

  • It is necessary for the provision of health or social care or treatment or the management of health, including clinical audit, the development of decision support tools, commissioning purposes and national collection, operational and strategic management and performance monitoring. 
  • It is necessary for the purpose of social protection where we have concerns about your wellbeing and wish to put safeguarding measures in place. 
  • It is necessary for research or statistical purposes 
  • Where we have legal obligations to share the data with third parties. An example of this is the sharing of your medical record with your own insurance company, where they are underwriting the costs of your care.
  • It is necessary for the purpose of carrying out obligations in respect of employment purposes such as safeguarding vulnerable groups and assessments of fitness for practice. 
  • You have given us your explicit consent 

Information we Collect 

Information we may collect about you and where it comes from? 

The Health Board holds and records information about you including:

  • Personal identifiers and demographic information consisting of such things as your name, date of birth, title, sex 
  • Your family, spouse and partner details 
  • Your contact details including postal addresses, email addresses and telephone numbers 
  • Any contact the Health Board has had with you such as appointments, clinic visits, emergency appointments etc 
  • Notes and reports about your health 
  • Details about your treatment and care, including medication 
  • Results of investigations such as laboratory tests and x-rays (including clinical imaging, whether taken by our staff or provided directly by you or someone acting on your behalf) 
  • Relevant information from other health and social care professionals, relatives or those who care for you 
  • Any other relevant information you give to us, including information you provide when you register to use our web services or complete an application form or private patient form. 

Information we receive from other sources 

We work closely with other organisations, such as other NHS bodies, academic institutions and social care providers, and we may receive information about you from them. We also share information with third parties who provide services for us, such as analytics providers and search information providers. 

If you are a Welsh resident who has received treatment by an NHS care provider elsewhere in the United Kingdom, your information will be shared back into NHS Wales in order to verify and combine with your information held in Wales. That information will be used by the Health Board/Trust to identify you and validate what care was provided.

Use of this website & User Tracking 

We do not collect personal information about site users. When you voluntarily submit identifiable data on this website (this includes submission of feedback forms, subscriptions or questionnaires), the information submitted is used solely to respond to your queries and for its intended purpose. We do not share web user information with third parties. 

We monitor user activity to enhance content provided on the site. Google Analytics is a free service provided by Google that generates detailed statistics about the visitors to a website.

Information collected includes referring / exit web pages, click patterns, most / least viewed web pages, session duration, number of visitors, browser type, operating system, etc. Information is collected by using cookies. 

Further Information

Leaflets are available which give you more details about how we manage your information and the rights you have in respect of the personal information that we hold about you. Child friendly privacy notice

Please ask a member of staff for a copy or you can download the electronic version below.

If you have any concerns about the way your information is used you may wish to discuss these with the healthcare professional responsible for your care or our Data Protection Officer. Contact details for the Data Protection Officer for Cwm Taf Morgannwg University Health Board are:

Data Protection Officer
Cwm Taf Morgannwg University Health Board
Ynysmeurig House
Navigation Park
CF45 4SN 


Telephone:  01443 744800 and ask for the Data Protection Officer.