The purpose of this notice is to inform you of why and how we process your personal data.
Public Health Wales NHS Trust is the national public health agency for Wales. We exist with the aim of protecting and improving health and wellbeing and reducing health inequalities for people in Wales.
We were established in 2009 by legislation to carry out certain functions. We call these our statutory functions. To enable us to carry out these functions, we need to process elements of your personal data, and the purpose of this notice is to inform you what data we process, how we process it and why. Because we process your personal data, we are a Data Controller and so are required to comply with relevant Data Protection law.
Your personal data means any information relating to you that either alone or together with other information, identifies you. We need to process a wide variety of personal data to carry out our functions, including (but not limited to) the following:
Because we need to make sure that we are delivering to all parts of our community, we also collect what are called demographic data, such as data about ethnicity, sexual orientation, gender, religious and philosophical beliefs as well as information about income and levels of wealth and deprivation. We will not use this information to make decisions about how we treat you as an individual and it is always your choice whether you give us this information.
We may match your address to publicly available data about deprivation levels of local areas to target services to those local areas which are most in need.
We do not collect or process all of this personal data for all people all of the time. We only collect and process the personal data that is necessary for the particular task that we are carrying out.
We collect your personal data from a variety of sources, including
We want you and your family to enjoy the best possible health and we process the personal data that we require to help us achieve this. We only process the minimum amount of personal data that we need to perform the task that we are carrying out.
In the main, we process your personal data for purposes directly connected with public health and that are required to ensure you receive high quality healthcare & public health services through the NHS and other relevant organisations (such as local authorities). We do however process it for other general reasons, such as:
Developments in data and technology will continue to provide new ways to understand and improve health. We will update this Privacy Notice to include any changes to processing your personal data.
We only process your personal data in connection with our statutory functions. In some cases, we have a legal obligation to process personal data, for example in connection with what are called ‘notifiable diseases’. In other cases, we are allowed to process your personal data under Data Protection legislation because the processing is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’
We do not normally rely on consent as the legal basis for processing personal data about your health because if you refused, we would not be able to provide you with an efficient health service or protect the public.
However, in some cases it may be appropriate to rely on consent as the legal ground for processing, for example where you have agreed that we can use information about you and your experiences, and perhaps a photograph or video, in connection with a health promotion campaign. Where processing is based on your consent, you have the right to withdraw that consent at any time.
In some cases, it may be appropriate to process your personal data on the basis of what are called legitimate interests. Public bodies do not usually rely on this ground but where we do, we will first undertake a legitimate interest test that seeks to balance our interests in processing the information with yours as a data subject.
Where we collect your personal data from you directly, we will provide you with additional information so that you understand how it will be used and to ensure that use is fair and transparent. Where we collect that information from a third party, we will make sure that information is available to you, for example by providing leaflets and posters in appropriate locations that indicate where further information can be obtained.
Where we process what is called special category personal data, such as data about health, we must identify an additional lawful basis that justifies the use of that data. The grounds we rely on most commonly are:
We sometimes share your personal data with other organisations. We only do this when there is a clear legal basis for doing so or because the law requires us to share your information. We only ever share the minimum identifiable data required for the purpose. Where we use or share data for analysis and evaluation, we will look to do so in ways that do not identify you.
When we decide it is necessary to share personal data, we will enter into a ‘Data Sharing Agreement’ (DSA) with the people we are going to share it with. DSAs are drawn up in line with the Wales Accord on Sharing of Personal Information (WASPI). More details about DSAs can be found at the WASPI website.
We may share information as necessary with other parts of NHS Wales and with your doctor and hospital to provide you with care, to improve care and to prevent the spread of infection. Many of the IT services within NHS Wales are provided by Digital Health & Care Wales (DHCW), which is also part of NHS Wales.
We sometimes need to share information with local authorities because they have responsibilities for protecting environmental and public health.
We need to share health information across the four nations to ensure that your records can travel with you as you move between different parts of the UK and to ensure a coordinated response to health protection threats. Your information may also be shared with the World Health Organisation and other countries if you test positive for a notifiable disease and have recently travelled abroad. We only do this where the sharing is prescribed by law.
We may share your personal information with university and other formally accredited researchers who are subject to independent oversight and control.
We only share your personal information with researchers who have approval from a medical ethics committee and have obtained either your consent or special permission from the Health Research Authority’s Confidentiality Advisory Group to use your confidential information. This is known as ‘section 251’ approval and ensures that the use of information for these purposes is scrutinised by an independent third party. We also seek approval from the Committee in the limited circumstances where we need to use confidential patient information without consent.
We also share anonymised health information with the SAIL databank. SAIL (Secure Anonymised Information Linkage) holds over 10 billion anonymised, person-based data records, making it a valuable resource for researchers. The unique advantage of the way SAIL works is that although the records are anonymised in SAIL, they are first linked together by a trusted third party who provides a key. Linked records are much more valuable for research, but this is done in a way that means the researchers cannot identify individuals.
We also share your personal data from time to time with third party contractors, who we engage to undertake certain processing activities for us. We do this because it is often more efficient and cost effective to use a contractor and we have judged it to be the best value. When we engage a contractor they become a Data Processor, and they are then bound by the law in the same way that we are and so are subject to strict rules on processing. They can only process your personal data in the manner that we specifically tell them to and must not share your personal data with anyone else without our express permission. Before engaging a contractor, we make sure that they have appropriate measures in place to secure your personal data.
Some contractors may process your data outside the UK. Our strong preference is that your data is either processed within the UK or within a jurisdiction which has a UK adequacy decision. Exceptionally, where this is not the case, we will ensure that appropriate safeguards are in place.
The Data Protection Act 2018 provides you with a number of rights which are normally free of charge to exercise.
What rights apply will depend on the legal ground we rely on to process the data.
The data protection principles require that personal data will be kept in an identifiable form for no longer than necessary.
We have agreed retention periods for the types of personal data that we process. For the most part these are based on the Welsh Government Records Management Code of Practice for Health and Social Care 2022.
Public Health Wales recognises that your personal data is very valuable, and so we take its security very seriously.
We employ robust technical measures to secure your personal data and access to it is restricted to people who have a need to process it in line with their work.
All Public Health Wales staff are bound by contracts which include clear responsibilities in relation to confidentiality. All our non-medical staff have the same duty of confidentiality as healthcare professionals such as Doctors and Nurses.
All our staff must attend training in what we call Information Governance. Amongst other things, this training makes them understand the importance of confidentiality and security of your personal data and makes clear that they are personally responsible for the security of any information which they are processing. They must attend this training at least once every two years and must pass a test to demonstrate that they have understood it. The expectations we have on our staff are set out in the Information Governance Policy. Failing to comply with this policy is a disciplinary offence.
We regularly audit access to personal data to ensure that it is being processed appropriately.
IP addresses are used by your computer every time you are connected to the Internet. Your IP address is a number that is used by computers on the network to identify your computer. IP addresses are automatically collected so that data (such as the web pages you request) can be sent to you. We also collect anonymised statistical information about use of the website so that the website can be maintained and improved.
Cookies are small files that websites put on your computer hard disk drive when you visit. Cookies pass information back to websites each time you visit. They are used to uniquely identify web browsers, track user trends and store information about user preferences. You can restrict/disable cookies on your browser; please note that some website features may not function properly without cookies.
Internet Explorer: Instructions on how to disable cookies.
Firefox: Instructions on how to disable cookies.
Chrome: Instructions on how to disable cookies.
If you have any queries about this notice, or the processing of your personal data or you wish to exercise any of your data protection rights, you should contact me as per the details below.
Please note that mail to either of these addresses may not be opened by me and so is not appropriate for confidential communications. If you have something that you need to discuss personally with me in confidence, please contact me in the first instance by telephone.
John Lawson MSc CIPP/E FIP
The Data Protection Officer
Public Health Wales NHS Trust
2 Capital Quarter
Tyndall Street
Cardiff
CF10 4BZ
Telephone: 029 2010 4307