Your Rights and Privacy: NHS Wales


Why Does NHS Wales Collect Information About You?

This page explains why NHS Wales collects information about you and how it may be used.


To Help You

Many parts of the NHS such as hospitals, GPs, Dentists, Opticians, and Community Pharmacists provide health and care services to the people of Wales.

The people and organisations providing these services aim to provide you with the highest quality care. To do this we must keep records about your health and any treatment or care we provide to you. We may hold information about you electronically or in paper format.

This type of information is needed to make sure:

  • the people who are involved in your care have accurate and up-to-date information to assess your health, decide what treatment or care you need, and when and where you will receive it. They may be part of the healthcare team or a support service;
  • you are invited to receive routine treatment such as immunisations and relevant screening programmes;
  • the type and quality of care you have received can be reviewed and assessed to ensure you and others receive good quality and effective care in the future; and
  • any concerns or complaints can be properly investigated.

You may receive care from organisations that are not part of NHS Wales, such as Social Services or private and voluntary healthcare providers. If so, we will need to share some information about you so that everyone involved in your treatment or care can work together for your benefit.


To Help NHS Wales

From time to time, information about you is used to help run and improve the NHS in Wales.

This includes:

  • reviewing the care given to patients to make sure it is of the highest possible standard;
  • planning services to meet future needs;
  • investigating complaints, legal claims, incidents and inquiries;
  • reviewing and reporting on the performance of the NHS in Wales; and
  • making sure that NHS Wales demonstrates value for money.

When we use information about you for the above purposes we will, whenever possible, reduce or remove information that identifies you. For example, items such as name, address and date of birth will be removed. The process of removing the information that identifies you is called anonymisation. When large amounts of data need to be analysed – for example, to plan services – we sometimes use a process called pseudonymisation. This involves replacing key identifiers with codes or ‘keys’. This means that the people undertaking analysis do not see information that easily identifies individuals but we can, if necessary, reconstruct the data to identify individuals. Where this is not possible, rules and contracts are in place to ensure that patient information is safe and its use complies with the law.

Sometimes we use organisations outside of NHS Wales to provide services on our behalf. For example, we may use audit or computer system maintenance when large volumes of information are stored electronically. Where this is the case, these outside organisations must meet strict NHS rules set out in contracts or in law around safety and security.


To Help Others

Information about you may be used to help protect and improve the health of other people, and to help create new services. This will always be in line with data protection and privacy law.

Where necessary and to comply with the law, people involved in your care may have to give personal information about you to certain organisations, for example if you have an infectious disease, which may endanger the safety of others (e.g. COVID-19, acute meningitis, whooping cough or measles). Some services need information to support health research.

This will make sure that:

  • organisations can plan ahead and provide the right services to the right people;
  • progress can be made in diagnosing and managing diseases; and
  • drugs can be made more effective, for example by reducing side effects.

NHS Wales may also use identifiable information for other purposes, such as to support NHS Wales Quality Improvement Initiatives and National Patient Surveys.

Whenever possible we will anonymise information about you and, where we have to use identifiable information, strict confidentiality rules will apply and may be subject to rigorous approval processes where identifiable information is used for research.

Information about you may also be shared where we are required to by law, including where required by a court order or to prevent a crime or fraud.


Assurances & Controls

When considering whether to share information about you with others involved in your care, NHS Wales organisations will:

  • share only the minimum amount of information needed;
  • ensure anyone receiving information is under an obligation to keep it confidential and safe, and to only use the information for the specified purpose(s);
  • use secure systems to help prevent unauthorised access to information;
  • where required, put in place information sharing agreements, arrangements and contracts to control the way information is shared;
  • ensure any secondary use of identifiable information is authorised through appropriate research ethics and confidentiality boards; and
  • complete Information Governance training. This training makes staff aware of the importance of the confidentiality and security of personal data as well as comply with All Wales Policies in addition to any local policies or procedures.

We will retain personal information about you for as long as we need to, so that we are able to deliver our services and to make sure that we are providing you with the highest quality care. It will be kept in line with our legal requirements and the law. When information about you is no longer required, we will make sure it is disposed of in a secure manner.


Data Protection Laws & Your Rights

When we collect and use personal information about you, we have a responsibility to ensure this is processed in accordance with at least one of the lawful bases available under data protection legislation.

We will process personal information about you when it is necessary and where we have a legal basis to do so; for example, where we are carrying out our public functions and powers that are set out in law and/or in carrying out a task in the interests of the public that is set out in law.

Sometimes we may ask for your consent. However, we don’t usually need it to process your information, for example to provide you with care or treatment or to share it with others involved in your care.

There are laws which provide certain rights to individuals regarding the processing of personal information about them. These include a right to request to:

  • be informed about the reasons why we collect and use information;
  • either look at or receive a copy of your health records (whether held in writing or electronically); and
  • ask that any inaccurate personal information is rectified; however, it should be noted that entries in your health record cannot generally be deleted as they should reflect the professional opinion of the clinician at the time the record was made, although requests will be considered on a case-by-case basis.

Not all individual rights under data protection law are absolute. For example, you have the right to object to processing but we may need to continue to use information about you to meet a legal duty. Data protection legislation allows us to do this. Further information about your rights can be obtained using the contact details found on the website of the organisation providing your treatment or care. Alternatively, please speak to a member of staff.


Further Information

If you would like to know more about how information about you is used, please visit the website of the organisation providing your treatment or care. Alternatively, please speak to a member of staff.

If you have any concerns about the way information about you is used, you may wish to discuss these with the healthcare professional responsible for your care or the organisation’s Data Protection Officer.

Understanding Patient Data provides further detail about how patient data is managed, including resources and case studies on how patient data is used in the NHS. Further information can be found on the Understanding Patient Data website.

If you have any queries or complaints about the way the NHS in Wales uses and manages information about you, and are not satisfied with the response you receive, you have the right to complain to the Information Commissioner.

To register your concern with the Information Commissioner’s Office (ICO), please use the complaints portal found on their website. Please note, the ICO will require you to provide evidence of first having raised your complaint with the relevant NHS Wales organisation you are complaining about. You can also contact the ICO via telephone, if you would like advice on your rights or how to raise a complaint: 0330 414 6421.