Privacy Policy

The purpose of this notice is to inform you of why and how we process your personal data. 


NHS Wales Health Collaborative is part of Public Health Wales NHS Trust, the national public health agency for Wales. We exist with the aim of protecting and improving health and wellbeing and reducing health inequalities for people in Wales. We were established in 2009 by an Act of Parliament which means that we are legally required to carry out certain functions. We call these our statutory functions. To enable us to carry out these functions, we need to process elements of your personal data, and the purpose of this notice is to inform you what data we process, how we process it and why. Because we process your personal data, we are a Data Controller and so are required to comply with relevant Data Protection law. 

The personal data we process 

Your personal data means any information relating to you, and by which you can be identified. In order to carry out our functions, we will process a wide variety of your personal data, including (but not limited to) the following: 

  • Name, address and contact details (including email) 

We do not collect or process all of this personal data for all people all of the time. We only collect and process the personal data that is necessary for the particular task that we are carrying out. 

How we collect your personal data 

We collect your personal data from a variety of sources, including: 

  • Information provided directly to us by yourself 
  • Surveys and research 

How we use your personal data 

We want you and your family to enjoy the best possible healthcare in Wales and we process the personal data that we require to help us achieve this. We only process the minimum amount of personal data that we need to perform the task that we are carrying out. 

In the main, we process your personal data for purposes directly connected with ensuring that you receive high quality healthcare through the NHS. We do however process it for other general reasons, such as: 

  • Providing you with information you have requested 
  • Handling your enquiries 
  • Providing access to certain areas of our websites 
  • Informing you of services which may be relevant to you 
  • Auditing use of our systems and websites 
  • Handling of complaints and concerns.

The legal basis for processing your personal data 

In the majority of cases, we process your personal data to directly carry out our statutory functions. This means that because we are established by Act of Parliament and are required by law to carry out these functions, under Data Protection law we are allowed to process your personal data because the processing is ‘necessary for performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’ 

We have to be able to process your personal data in order to deliver the service you require. We do not ask for your consent to process your information to enable us to carry out our statutory functions because if you refused we would be unable to provide you with a proper healthcare service. 

In some cases we will want to process your personal data for reasons beyond our statutory functions. When we want to do this, we will ask for your consent to process the personal data that we need (e.g. if we want to take and use your photograph in our marketing materials, or you wish to subscribe to a newsletter). In these cases when you give your consent you will be told how your personal data will be processed. You will also be told how you can withdraw that consent and opt out of further processing. 

Your rights under Data Protection Regulations 

Under the Data Protection Act, you have the right to know if we hold personal data relating to you, and if so what personal data we hold and why. You also have the right (with certain exceptions) to a copy of any personal data that we hold in order that you can be sure that it is accurate and up to date. You can get more information on what personal data we hold about you by contacting the Data Protection Officer (details shown at the end of this notice). 

Sharing your personal data with others 

We sometimes share your personal data with other organisations. We only do this when there is a clear legal basis for doing so. Sometimes we share your personal data because it is in your best interests that we do, and on other occasions we will share your personal data because we are legally obliged to do so. We do not share your personal data for marketing or commercial purposes. 

When we decide it is necessary to share personal data, we will enter into a ‘Data Sharing Agreement’ (DSA) with the people we are going to share it with. DSAs are drawn up in line with the Wales Accord on Sharing of Personal Information (WASPI). More details about DSAs can be found at the WASPI website here 

We also share your personal data from time to time with third party contractors, who we engage to undertake certain processing activities for us. We do this because it is often more efficient and cost effective to use a contractor and we have judged it to be the best value. When we engage a contractor they become a Data Processor, and they are then bound by the law in the same way that we are and so are subject to strict rules on processing. They can only process your personal data in the manner that we specifically tell them to and must not share your personal data with anyone else without our express permission. Before engaging a contractor we make sure that they have appropriate measures in place to secure your personal data. 

Security of your personal data 

Public Health Wales recognises that your personal data is very valuable, and so we take its security very seriously. 

We employ robust technical measures to secure your personal data and access to it is restricted to people who have a need to process it in line with their work. 

All Public Health Wales staff are bound by contracts which include clear responsibilities in relation to confidentiality. All of our non-medical staff have the same duty of confidentiality as healthcare professionals such as Doctors and Nurses. 

All of our staff must attend training in what we call Information Governance. Amongst other things, this training makes them understand the importance of confidentiality and security of your personal data and makes clear that they are personally responsible for the security of any information which they are processing. They must attend this training at least once every two years and must pass a test to demonstrate that they have understood it. The expectations we have on our staff are set out in the Information Governance Policy. Failing to comply with this policy is a disciplinary offence. 

We regularly audit access to personal data to ensure that it is being processed appropriately. 

Service Provider 

Empyrean Digital (ED) provides this website.  IP addresses are used by your computer every time you are connected to the Internet. Your IP address is a number that is used by computers on the network to identify your computer. IP addresses are automatically collected by ED so that data (such as the web pages you request) can be sent to you.  ED will collect other anonymised statistical information about use of the website so that the service can be maintained and improved. 

What are cookies?  

Cookies are small files that websites put on your computer hard disk drive when you visit. Cookies pass information back to websites each time you visit. They are used to uniquely identify web browsers, track user trends and store information about user preferences. You can restrict/disable cookies on your browser; please note that some website features may not function properly without cookies. 

How to Disable Cookies  

To change your cookie settings: 

Internet Explorer: Please follow this link for instructions on how to disable cookies. 

Firefox: Please follow this link for instructions on how to disable cookies 

Chrome: Please follow this link for instructions on how to disable cookies. 


If you have any queries about this notice, or the processing of your personal data you should contact me as per the details below. 

Please note that mail to either of these addresses may not be opened by me and so are not appropriate for confidential communications. If you have something that you need to discuss personally with me in confidence, please contact me in the first instance by telephone. 

John Lawson MSc MBCS
The Data Protection Officer
Public Health Wales NHS Trust

2 Capital Quarter
Tyndall Street
CF10 4BZ

Telephone: 02920 104307 

Alternatively, you can email [email protected]