The purpose of this notice is to inform you of why and how we process your personal data.
Public Health Wales NHS Trust is the national public health agency for Wales. We exist with the aim of protecting and improving health and well-being and reducing health inequalities for people in Wales. We were established in 2009 by an Act of Parliament which means that we are legally required to carry out certain functions. We call these our statutory functions. To enable us to carry out these functions, we need to process elements of your personal data, and the purpose of this notice is to inform you what data we process, how we process it and why. Because we process your personal data, we are a Data Controller and so are required to comply with relevant Data Protection law.
Your personal data means any information relating to you, and by which you can be identified. In order to carry out our functions, we will process a wide variety of your personal data, including (but not limited to) the following:
We do not collect or process all of this personal data for all people all of the time. We only collect and process the personal data that is necessary for the particular task that we are carrying out.
We collect your personal data from a variety of sources, including
We want you and your family to enjoy the best possible healthcare in Wales and we process the personal data that we require to help us achieve this. We only process the minimum amount of personal data that we need to perform the task that we are carrying out.
In the main, we process your personal data for purposes directly connected with ensuring that you receive high quality healthcare through the NHS. We do however process it for other general reasons, such as:
In the majority of cases, we process your personal data to directly carry out our statutory functions. This means that because we are established by Act of Parliament and are required by law to carry out these functions, under Data Protection law we are allowed to process your personal data because the processing is ‘necessary for performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’
We have to be able to process your personal data in order to deliver the service you require. We do not ask for your consent to process your information to enable us to carry out our statutory functions because if you refused we would be unable to provide you with a proper healthcare service.
In some cases we will want to process your personal data for reasons beyond our statutory functions. When we want to do this, we will ask for your consent to process the personal data that we need (e.g. if we want to take and use your photograph in our marketing materials, or you wish to subscribe to a newsletter). In these cases when you give your consent you will be told how your personal data will be processed. You will also be told how you can withdraw that consent and opt out of further processing.
Under the Data Protection Act, you have the right to know if we hold personal data relating to you, and if so what personal data we hold and why. You also have the right (with certain exceptions) to a copy of any personal data that we hold in order that you can be sure that it is accurate and up to date. You can get more information on what personal data we hold about you by contacting the Data Protection Officer (details shown at the end of this notice).
We sometimes share your personal data with other organisations. We only do this when there is a clear legal basis for doing so. Sometimes we share your personal data because it is in your best interests that we do, and on other occasions we will share your personal data because we are legally obliged to do so. We do not share your personal data for marketing or commercial purposes.
When we decide it is necessary to share personal data, we will enter into a ‘Data Sharing Agreement’ (DSA) with the people we are going to share it with. DSAs are drawn up in line with the Wales Accord on Sharing of Personal Information (WASPI). More details about DSAs can be found at the WASPI website,
We also share your personal data from time to time with third party contractors, who we engage to undertake certain processing activities for us. We do this because it is often more efficient and cost effective to use a contractor and we have judged it to be the best value. When we engage a contractor they become a Data Processor, and they are then bound by the law in the same way that we are and so are subject to strict rules on processing. They can only process your personal data in the manner that we specifically tell them to and must not share your personal data with anyone else without our express permission. Before engaging a contractor we make sure that they have appropriate measures in place to secure your personal data.
Public Health Wales recognises that your personal data is very valuable, and so we take its security very seriously.
We employ robust technical measures to secure your personal data and access to it is restricted to people who have a need to process it in line with their work.
All Public Health Wales staff are bound by contracts which include clear responsibilities in relation to confidentiality. All of our non-medical staff have the same duty of confidentiality as healthcare professionals such as Doctors and Nurses.
All of our staff must attend training in what we call Information Governance. Amongst other things, this training makes them understand the importance of confidentiality and security of your personal data and makes clear that they are personally responsible for the security of any information which they are processing. They must attend this training at least once every two years and must pass a test to demonstrate that they have understood it. The expectations we have of our staff are set out in the Information Governance Policy. Failing to comply with this policy is a disciplinary offence.
We regularly audit access to personal data to ensure that it is being processed appropriately.
NHS Wales Informatics Service (NWIS) provides some of the IT services within NHS Wales including our website. IP addresses are used by your computer every time you are connected to the Internet. Your IP address is a number that is used by computers on the network to identify your computer. IP addresses are automatically collected by NWIS so that data (such as the web pages you request) can be sent to you. NWIS will collect other anonymised statistical information about use of the website so that the service can be maintained and improved.
Cookies are small files that websites put on your computer hard disk drive when you visit. Cookies pass information back to websites each time you visit. They are used to uniquely identify web browsers, track user trends and store information about user preferences. You can restrict/disable cookies on your browser; please note that some website features may not function properly without cookies.
To change your cookie settings:
Internet Explorer: Please follow this link http://windows.microsoft.com/en-gb/internet-explorer/delete-manage-cookies (external website) for instructions on how to disable cookies.
Firefox: Please follow this link http://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (external website) for instructions on how to disable cookies.
Chrome: Please follow this link https://support.google.com/chrome/answer/95647?hl=en&ref_topic=14666 (external website) for instructions on how to disable cookies.
Help Me Quit is the NHS stop smoking system for Wales. It is also a programme of work within Public Health Wales. We will also use your personal data if you request a call back on our website for a member of our team to contact you.
Our website and marketing campaigns are hosted and managed by third party providers: S3 advertising and Golley Slater. The data from our website are stored on a Cloud server through Siteground.
Our marketing campaigns use Google Analytics, Orbi and Infinity Call Tracker to monitor user activity to enhance the content provided on the site.
If you have any queries about this notice, or the processing of your personal data you should contact me as per the details below.
Please note that mail to either of these addresses may not be opened by me and so is not appropriate for confidential communications. If you have something that you need to discuss personally with me in confidence, please contact me in the first instance by telephone.
The Data Protection Officer
Public Health Wales NHS Trust,
Capital Quarter 2,
Tel: 02920 104307
Alternatively you can email me at PHW.InformationGovernance@wales.nhs.uk
John Lawson MSc MBCS
Data Protection Officer