
Privacy notice

The purpose of this notice is to inform you of why and how the NHS Wales Executive processes your personal data.

The personal data processed by NHSWE
How NHSWE collects your personal data
How we use your personal data
The legal basis for processing your personal data
Confidentiality and your rights
Your rights under Data Protection Regulations
Sharing your personal data with others
Digital Health and Care Wales
Security of your personal data
How long do we keep your personal data?
What are cookies?
How to disable cookies



The NHS Wales Executive (NHSWE) was established in 2023 with the mandate from Welsh Government to:

Drive improvements in the quality and safety of care - resulting in better and more equitable outcomes, access, and patient experience, reduced unwarranted variation, and improvements in population health.

NHSWE is not a public body in its own right, but is a hosted body within Public Health Wales NHS Trust (PHW). Public Health Wales NHS Trust is the national public health agency for Wales. It exists with the aim of protecting and improving health and wellbeing and reducing health inequalities for people in Wales. It was established on 1st August 2009 under The Public Health Wales National Health Service Trust (Establishment) Order 2009 (S.I. 2009/2058 (W.177)) (‘the Establishment Order’), which means that it is legally required to carry out certain functions. These are called its statutory functions. One of the reasons why NHSWE is hosted by PHW is that the work it is required to do fits within one or more of the PHW statutory functions.

This means that for the purposes of data protection law, PHW is a Data Controller for the personal data processed by NHSWE. However, as the management and direction of NHSWE comes jointly from PHW and Welsh Government, both organisations are said to be Joint Data Controllers. This is because, jointly, Welsh Government and PHW determine why and how your personal data is processed. Welsh Government and PHW are therefore jointly responsible and accountable in law for the data processing carried out by NHSWE.

It is important to note, however, that none of your personal data is shared with Welsh Government by NHSWE; it all remains within the systems and IT infrastructure of NHS Wales.

The purpose of this Privacy Notice is to provide you with information on how the NHS Executive processes your personal data. It is important to note that this notice is part of a layered approach to providing you with privacy information from NHS Wales and so should be read in conjunction with the Public Health Wales and Welsh Government Privacy Notices and the leaflet ‘Your Privacy, your rights’ as published by NHS Wales.

The personal data processed by NHSWE

Your personal data means any information relating to you, and by which you can be identified. In order to deliver its mandate, NHSWE processes a wide variety of your personal data, including (but not limited to) the following:

  • Name, address and contact details (including email and telephone numbers)
  • Date of birth
  • Personal details such as your race/ethnicity or gender
  • Information regarding your physical and mental health (for example, records of any visits to hospital or care pathways advised by your GP).

NHSWE does not collect or process all of this personal data for all people all of the time. We only collect and process the personal data that is necessary for the particular task that we are carrying out.

How NHSWE collects your personal data

In the majority of cases, NHSWE uses personal data that has been collected from you by other NHS Wales organisations. You will have provided this during your day-to-day involvement with the NHS, and it will include information about where you live, your health, treatments you receive or medications you are taking.

We also collect your personal data directly from you when we carry out research or surveys that you participate in.

How we use your personal data

We want you and your family to enjoy the best possible healthcare in Wales and we process the personal data that we require to help us achieve this. We only process the minimum amount of personal data that we need to perform the task that we are carrying out.

In the main, we process your personal data for purposes directly connected with ensuring that you receive high quality healthcare through the NHS. We do however process it for other general reasons, such as:

  • Driving improvements in healthcare in Wales
  • Auditing our systems and processes
  • Providing access to certain areas of our websites
  • Informing you of services which may be relevant to you
  • If you apply to work for us
  • Handling of complaints and concerns

The legal basis for processing your personal data

We only process your personal data when it is necessary for the purpose that we are trying to achieve and even then, we only use the minimum amount of data that we need to. In the majority of cases, we process your personal data to directly carry out our Welsh Government mandate. As we are part of Public Health Wales which is an NHS Body established by Act of Parliament, we are required by law to carry out these functions and deliver on this mandate.

Therefore under the General Data Protection Regulation (GDPR) we are allowed to process your personal data because the processing is ‘necessary for performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’ We have to be able to process your personal data in order to deliver the service you require. We do not ask for your consent to process your information to enable us to carry out our statutory functions because if you refused we would be unable to provide you with a proper healthcare service.

In some cases we will want to process your personal data for reasons beyond our statutory functions. When we want to do this, we will ask for your specific consent to process the personal data that we need (e.g. if we want to take and use your photograph in our marketing materials, or you wish to subscribe to a newsletter). In these cases when you give your consent you will be told how your personal data will be processed. You will also be told how you can withdraw that consent and opt out of further processing.

Confidentiality and your rights

In addition to data protection law, we are also conscious that when you provide your personal data to your GP or to other NHS organisations, you are entitled to expect that it will be held in confidence. From time to time, however, we do request your personal data from those who hold it to help us deliver on our mandate. We also carry out processing on your personal data for other reasons which, while they may not have a direct and immediate effect on you personally, will benefit the wider healthcare system and the population as a whole. This may happen when we are required by law to do so, or when we have specific approval from the Secretary of State. In these cases, we do not require your consent.

Some of the processing that we do will have a direct impact upon your personal clinical care. When this happens, we rely on your implied consent to carry out the processing as it will directly benefit you.

Finally, we occasionally have to carry out processing simply because there is a significant public interest in doing so (e.g. improving access to healthcare or reducing health inequalities). We do not normally seek your consent in these circumstances, as to do so across the whole population on every occasion would be impossible. In these cases we have to request specific approval from the senior clinician in Public Health Wales, known as the Caldicott Guardian, who will consider whether the public interest in the matter is sufficient to warrant the processing.

Your rights under Data Protection Regulations

Under the Data Protection Act 2018, data subjects have the right (in certain circumstances) to:

  • Request access to their personal data
  • Request correction of their personal data
  • Request erasure of their personal data
  • Object to processing of their personal data
  • Request restriction of processing their personal data
  • Request transfer of their personal data
  • Withdraw their consent.

You have the right to know if we hold personal data relating to you, and if so what personal data we hold and why. You also have the right (with certain exceptions) to a copy of any personal data that we hold, so that you can be sure that it is accurate and up to date. You may also request, under certain circumstances, that we restrict or stop processing your personal data. You can get more information on what personal data we hold about you and your rights by contacting the Data Protection Officer (details shown at the end of this notice).

Sharing your personal data with others

We sometimes share your personal data with other organisations, such as NHS organisations or other health and social care providers. We only do this when there is a clear legal basis for doing so. Sometimes we share your personal data because it is in your best interests that we do, and on other occasions we will share your personal data because we are legally obliged to do so. We do not share your personal data for marketing or commercial purposes.

When we decide it is necessary to share personal data, we will enter into a ‘Data Sharing Agreement’ (DSA) with the people we are going to share it with. DSAs are drawn up in line with the Wales Accord on Sharing of Personal Information (WASPI). More details about DSAs can be found at the WASPI website.

We also share your personal data from time to time with third-party contractors, whom we engage to undertake certain processing activities for us. We do this because it is often more efficient and cost effective to use a contractor and we have judged it to be the best value. When we engage a contractor they become a Data Processor, and they are then bound by the law in the same way that we are and so are subject to strict rules on processing. They can only process your personal data in the manner that we specifically tell them to and must not share your personal data with anyone else without our express permission. Before engaging a contractor we make sure that they have appropriate measures in place to secure your personal data.

Digital Health and Care Wales

Digital Health and Care Wales (DHCW) provides some of the IT services within NHS Wales including our website. IP addresses are used by your computer every time you are connected to the Internet. Your IP address is a number that is used by computers on the network to identify your computer. IP addresses are automatically collected by DHCW so that data (such as the web pages you request) can be sent to you. DHCW will collect other anonymised statistical information about use of the website so that the service can be maintained and improved.

Security of your personal data

Public Health Wales recognises that your personal data is very valuable, and so we take its security very seriously.

We employ robust technical measures to secure your personal data and access to it is restricted to people who have a need to process it in line with their work. Data Protection Impact Assessments are conducted when required to ensure that your rights and freedoms are not compromised by any of our processing operations.

All Public Health Wales staff are bound by contracts which include clear responsibilities in relation to confidentiality. All of our non-medical staff have the same duty of confidentiality as healthcare professionals such as Doctors and Nurses.

All of our staff must attend training in what we call Information Governance. Amongst other things, this training ensures they understand the importance of confidentiality and security of your personal data and makes clear that they are personally responsible for the security of any information which they are processing. They must attend this training at least once every two years and must pass a test to demonstrate that they have understood it. The expectations we have of our staff are set out in the Information Governance Policy. Failing to comply with this policy is a disciplinary offence.

We regularly audit access to personal data to ensure that it is being processed appropriately.

We have systems in place to detect any breach of personal data security, and where required by law we notify the Information Commissioner and also the data subject of any breach that we detect.

How long do we keep your personal data?

We keep personal data for as long as we need to in order to fulfil the purpose(s) for which it was collected and to comply with our legal and regulatory obligations. NHS Wales has records retention schedules that identify how long data should be kept.

What are cookies?

Cookies are small files that websites put on your computer's hard disk drive when you visit, and which pass information back to those websites. Cookies are divided into those which are essential to allow you to access the service, and those which we use to help us improve the service that we provide through the website.

When you visit our website you will be given the option of accepting only those cookies which are essential for you to use the website, or accepting other cookies such as those that help us to improve our services that we provide to you. You can also disable cookies on your own computer but you should be aware that some website features may not function properly without them.

How to disable cookies

For instructions on how to change or disable cookie settings in different browsers, follow the links below.

  • Internet Explorer



If you have any queries about this notice, or the processing of your personal data, you should contact me using the details below.

Please note that mail to either of these addresses may not be opened by me and so is not appropriate for confidential communications. If you have something that you need to discuss personally with me in confidence, please contact me in the first instance by telephone on 02920 224477.

The Data Protection Officer

Public Health Wales NHS Trust

Capital Quarter 2

Tyndall Street

Cardiff CF10 4BZ

Tel: 02920 224477

Alternatively you can email me at

John Lawson MSc CIPP/E

Data Protection Officer