Skip to main content

Privacy Notice

The purpose of this notice is to inform you of why and how we process your personal data.

Privacy in our response to the Covid 19-Emergency

During the current Covid-19 emergency the privacy and confidentiality of your personal information is every bit as important to us as it always has been and Public Health Wales is making every effort to ensure that your data is processed lawfully, fairly and transparently, and that it is kept safe and secure. In order to keep you fully informed however, we have some specific arrangements in place which we want to tell you about. 

Online booking process.

You may have been directed here from the Covid19 online test booking portal. This portal is managed for Public Health Wales by a third party data processor, The Server Labs Ltd (TSL). TSL process your data on our behalf and as such is under strict limitations as to what it can do with it, and can only process it with our written instructions. We have provided these instructions by way of a data processing contract as required by law. Your data will be used for the purposes of managing your test appointment. Your basic contact details may be shared with trusted partners at the testing site (if you are travelling to have your test), so that they can confirm your identity and eligibility for the test when you arrive. Your details are not kept for any longer than they are required for these purposes and are securely disposed of. 

For further information about how we process your information, please refer to the main privacy notice below.
 

Introduction

Public Health Wales NHS Trust is the national public health agency for Wales. We exist with the aim of protecting and improving health and wellbeing and reducing health inequalities for people in Wales. We were established in 2009 by an Act of Parliament which means that we are legally required to carry out certain functions. We call these our statutory functions. To enable us to carry out these functions, we need to process elements of your personal data, and the purpose of this notice is to inform you what data we process, how we process it and why. Because we process your personal data, we are a Data Controller and so are required to comply with relevant Data Protection law.

The personal data we process

Your personal data means any information relating to you, and by which you can be identified. In order to carry out our functions, we will process a wide variety of your personal data, including (but not limited to) the following:

  • Name, address and contact details (including email and telephone numbers)
  • Date of birth
  • Information regarding your physical and mental health
  • Photographs that you have consented to be taken

We do not collect or process all of this personal data for all people all of the time. We only collect and process the personal data that is necessary for the particular task that we are carrying out.

How we collect your personal data

We collect your personal data from a variety of sources, including

  • Information provided directly to us by yourself
  • Information provided by other NHS organisations (e.g. Health Boards)
  • Surveys and research

How we use your personal data

We want you and your family to enjoy the best possible healthcare in Wales and we process the personal data that we require to help us achieve this. We only process the minimum amount of personal data that we need to perform the task that we are carrying out.

In the main, we process your personal data for purposes directly connected with ensuring that you receive high quality healthcare through the NHS. We do however process it for other general reasons, such as:

  • Providing you with information you have requested
  • Handling your enquiries
  • Providing access to certain areas of our websites
  • Informing you of services which may be relevant to you
  • If you apply to work for us
  • Auditing use of our systems and websites
  • Handling of complaints and concerns

The legal basis for processing your personal data

In the majority of cases, we process your personal data to directly carry out our statutory functions. This means that because we are established by Act of Parliament and are required by law to carry out these functions, under Data Protection law we are allowed to process your personal data because the processing is ‘necessary for performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’

We have to be able to process your personal data in order to deliver the service you require. We do not ask for your consent to process your information to enable us to carry out our statutory functions because if you refused we would be unable to provide you with a proper healthcare service.

In some cases we will want to process your personal data for reasons beyond our statutory functions. When we want to do this, we will ask for your consent to process the personal data that we need (e.g. if we want to take and use your photograph in our marketing materials, or you wish to subscribe to a newsletter). In these cases when you give your consent you will be told how your personal data will be processed. You will also be told how you can withdraw that consent and opt out of further processing.

Your rights under Data Protection Regulations

Under the Data Protection Act, you have the right to know if we hold personal data relating to you, and if so what personal data we hold and why. You also have the right (with certain exceptions) to a copy of any personal data that we hold in order that you can be sure that it is accurate and up to date. You can get more information on what personal data we hold about you by contacting the Data Protection Officer (details shown at the end of this notice).

Sharing your personal data with others

We sometimes share your personal data with other organisations. We only do this when there is a clear legal basis for doing so. Sometimes we share your personal data because it is in your best interests that we do, and on other occasions we will share your personal data because we are legally obliged to do so. We do not share your personal data for marketing or commercial purposes.

When we decide it is necessary to share personal data, we will enter into a ‘Data Sharing Agreement’ (DSA) with the people we are going to share it with. DSAs are drawn up in line with the Wales Accord on Sharing of Personal Information (WASPI). More details about DSAs can be found at the WASPI website, at http://www.waspi.org/home

We also share your personal data from time to time with third party contractors, who we engage to undertake certain processing activities for us. We do this because it is often more efficient and cost effective to use a contractor and we have judged it to be the best value. When we engage a contractor they become a Data Processor, and they are then bound by the law in the same way that we are and so are subject to strict rules on processing. They can only process your personal data in the manner that we specifically tell them to and must not share your personal data with anyone else without our express permission. Before engaging a contractor we make sure that they have appropriate measures in place to secure your personal data.

Security of your personal data

Public Health Wales recognises that your personal data is very valuable, and so we take its security very seriously.

We employ robust technical measures to secure your personal data and access to it is restricted to people who have a need to process it in line with their work.

All Public Health Wales staff are bound by contracts which include clear responsibilities in relation to confidentiality. All of our non-medical staff have the same duty of confidentiality as healthcare professionals such as Doctors and Nurses.

All of our staff must attend training in what we call Information Governance. Amongst other things, this training makes them understand the importance of confidentiality and security of your personal data and makes clear that they are personally responsible for the security of any information which they are processing. They must attend this training at least once every two years and must pass a test to demonstrate that they have understood it. The expectations we have on our staff are set out in the Information Governance Policy. Failing to comply with this policy is a disciplinary offence.

We regularly audit access to personal data to ensure that it is being processed appropriately.

NHS Wales Informatics Service

NHS Wales Informatics Service (NWIS) provides some of the IT services within NHS Wales including our website.  IP addresses are used by your computer every time you are connected to the Internet. Your IP address is a number that is used by computers on the network to identify your computer. IP addresses are automatically collected by NWIS so that data (such as the web pages you request) can be sent to you.  NWIS will collect other anonymised statistical information about use of the website so that the service can be maintained and improved.

What are cookies? 

Cookies are small files that websites put on your computer hard disk drive when you visit. Cookies pass information back to websites each time you visit. They are used to uniquely identify web browsers, track user trends and store information about user preferences. You can restrict/disable cookies on your browser; please note that some website features may not function properly without cookies.

How to Disable Cookies 

To change your cookie settings:

Internet Explorer: Please follow this link http://windows.microsoft.com/en-gb/internet-explorer/delete-manage-cookies#ie=ie-9 for instruction on how to disable cookies.

Firefox: Please follow this link http://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences or instruction on how to disable cookies

Chrome: Please follow this link https://support.google.com/chrome/answer/95647?hl=en&ref_topic=14666 for instruction on how to disable cookies.

Contact

If you have any queries about this notice, or the processing of your personal data you should contact me as per the details below.

Please note that mail to either of these addresses may not be opened by me and so are not appropriate for confidential communications. If you have something that you need to discuss personally with me in confidence, please contact me in the first instance by telephone.

John Lawson MSc MBCS

The Data Protection Officer

Public Health Wales NHS Trust

2 Capital Quarter

Tyndall Street

Cardiff

CF10 4BZ

Telephone: 02920 104307

Alternatively you can email PHW.InformationGovernance@wales.nhs.uk 

Homes for Ukraine Scheme: privacy notice

Public Health Wales and their public sector partners (The Welsh Government, local authorities and Health Boards in Wales) are data controllers for any personal data it collects, and any personal data which is shared with them by UK Government under the Homes for Ukraine scheme.

For more information visit the web page below:

Homes for Ukraine Scheme: privacy notice