Privacy Policy

Our privacy policy follows that of the NHS

Full privacy notice

A privacy notice is a statement that describes how Hywel Dda University Health Board collects, uses, retains and discloses personal information. Different organisations sometimes use different terms and it can be referred to as a privacy statement, a fair processing notice or a privacy policy.

The Hywel Dda University Health Board is a Data Controller and we are responsible for collecting and processing your personal information.

Click here to view the Register of Data Controllers (opens in new tab)

For specific enquiries regarding personal data which we process you can contact the Data Protection Officer:

Email: dpo.hdd@wales.nhs.uk 
Address: Hywel Dda University Health Board, Information Governance, IT Building, Bronglais General Hospital, Caradoc Road, Aberystwyth, SY23 1ER

Personal data is any information that relates to a person who can be directly or indirectly identified from the information. The terms “personal information” and “personal data” are used throughout this privacy notice and have the same meaning.

To ensure that the Health Board treats personal information correctly, we seek to adhere in full to the requirements of Data Protection legislation.

This privacy notice has therefore been produced to explain as clearly as possible what we do with your personal data.

Why do we need your personal data?

Hywel Dda University Health Board collects, processes and holds personal data relating to you to:

  • provide services regarding your individual healthcare, including assessment, diagnosis and treatment of physical and mental ill-health
  • update and correct your records
  • contact you about your appointments and changes to our services
  • monitor and get feedback on how we provide our services to you to identify areas of improvement
  • fulfil reporting obligations with regulatory bodies, such as Welsh Government, Wales Audit Office and NHS Wales
  • undertake research and statistical analysis to help improve future healthcare treatment and services

Hywel Dda University Health Board has a legal obligation to safeguard public funds and we reserve the right to check information you have provided for accuracy, in order to detect fraud. We participate in anti-fraud data matching exercises carried out by other agencies such as the National Fraud Initiative.

When we collect and use your personal information, we will ensure this is processed in accordance with at least one of the legal grounds available to us under data protection legislation:

  • The performance of tasks under our official authority to provide you with healthcare services under National Health Service (Wales) Act 2006 and Local Health Boards (Directed Functions) (Wales) Regulations 2009.
  • It is necessary for the performance of a contract we hold with you.
  • It is necessary to protect the vital interests of a data subject or another person.
  • We have a legal obligation under an Act of law, including the planning and commissioning of health and wellbeing services, for the purposes of preventing and detecting crime and/or fraudulent activity, safeguarding people or to fulfil our duties in regard to protecting public health.
  • We will sometimes process personal information based on your consent.  We will always tell you where this is the case and ask you to agree before we process it.  Where we have used consent as the lawful basis for processing your information, you have the right to withdraw your consent at any time.
  • Finally, sometimes it is necessary to process your personal information for the purposes of our own legitimate interests. We will only do so where these interests are not overridden by the interests and fundamental rights or the freedoms of the individuals concerned.

Data protection law recognises certain “special categories” of personal information, which is information revealing racial or ethnic origin, political opinions, religious or philosophic beliefs, trade union membership, genetic information, biometric information for uniquely identifying a person, information concerning health, and information concerning a person’s sex life or sexual orientation. These special categories are considered particularly sensitive and so we will only collect and use this information where one or more of the following conditions applies:

  • You have given us your explicit consent.
  • It is necessary for the purpose of carrying out obligations in respect of employment purposes such as safeguarding vulnerable groups and assessments of fitness for practice.
  • It is necessary for the purpose of social protection where we have concerns about your wellbeing and wish to put safeguarding measures in place.
  • In relation to the establishment, exercise or defence of legal claims
  • Processing must be necessary for reasons of public interest in the area of public health (such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices)
  • Provision of preventative or occupational medicine, health or social care or treatment, or the management of health or social care systems.
  • It is necessary for research or statistical purposes.

Automated decision-making including profiling

Solely automated individual decision-making – including profiling – with legal or similarly significant effects is restricted, although this restriction can be lifted in certain circumstances. We can only carry out solely automated decision-making with legal or similarly significant effects if the decision is:

  • necessary for entering into or performance of a contract between an organisation and the individual;
  • authorised by law (for example, for the purposes of fraud or tax evasion); or
  • based on the individual’s explicit consent.

If we’re using special category personal data we can only carry out processing described in Article 22(1) if:

  • we have the individual’s explicit consent; or
  • the processing is necessary for reasons of substantial public interest.

Requests to access your information can be made orally or in writing, but you must provide enough information to identify yourself and enough details in order for us to find the information you require.

We will process your request without undue delay and aim to respond within one month.  We will not charge a fee for dealing with your request, unless considered manifestly unfounded or excessive and repetitive in nature.

Details of how you can exercise your information rights or make a request to access any personal information we hold about you are listed below.

Request for access to your Medical Records:

Email: access.healthrecords.hdd@wales.nhs.uk

Post: Access to Health Records, Hywel Dda University Health Board, Amman Valley Hospital, Folland Road, Glanamman, Ammanford, Carmarthenshire, SA18 2BQ

 

Request for access to any other Personal Information (non-Medical Records) or exercise another Information Right:

Email: information.governance.hdd@wales.nhs.uk

Telephone: 01437 773969 / 70

Post: Information Governance, IT Building, Withybush General Hospital, Haverfordwest, Pembrokeshire, SA61 2PZ

Your information is important to us and will be processed in accordance with relevant privacy law and standards, such as the:

  • General Data Protection Regulations EU 679/2016
  • Data Protection Act 2018
  • Common Law Duty of Confidentiality
  • Human Rights Act 1998
  • Freedom of Information Act 2000
  • The Code of Practice for Health and Social Care in Wales 2005.

The Hywel Dda University Health Board makes sure that your Personal Data is:

  • processed lawfully, fairly and in a transparent way
  • collected for specified, explicit and legitimate reasons
  • adequate, relevant and limited to what is necessary
  • accurate and where necessary kept up to date,
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which those data are processed, and
  • processed in a manner that ensures appropriate security of personal data.

We may collect the following types of personal data about you, depending on your circumstances:

  • basic identifiers and demographic information, like your name, date of birth, title and gender;
  • your contact details, like postal / email address and phone number;
  • notes, reports and information about your health and wellbeing;
  • details about your treatment and care, including medication;
  • your family, spouse and partner details, where appropriate (Next of kin, dependents and emergency contact details);
  • results of investigations such as laboratory tests and x-rays (including clinical imaging, whether taken by our staff or provided directly by you or someone acting on your behalf);
  • relevant information from other health and social care professionals, relatives or those who care for you.

We collect information directly from you but may also receive information from the following sources:

  • your family, representatives or carers
  • our staff, internal departments and other Health Boards/Trusts and NHS bodies
  • external organisations involved in your care, including GP Surgeries, Education Services, the Local Authority or voluntary/third sector specialist organisations

If you are a Welsh resident who has received treatment by an NHS care provider in England, your information will be shared back into NHS Wales in order to verify and combine with your information held in Wales. That information will be used by the Health Board/Trust to identify you and validate what care was provided. 

In order to work together to provide you with healthcare services, we may regularly share information within the Health Board and with other external organisations, like GPs and Social Care or with organisations concerned with education, community safety or social wellbeing.  Further information about this data sharing is provided on the Waspi website (opens in new tab).

We may also share your information with internal departments and external organisations who monitor and audit our services.

There may also be exceptional circumstances where your personal information is disclosed, particularly in life or death situations, or where we share your information with third parties because we are under a duty to disclose in order to comply with another legal obligation, like safeguarding people or the prevention and detection of crime.

All organisations with whom we share your personal information must comply with data protection principles to keep your information confidential and safe.

We will not share your information with third parties for marketing purposes.

We take the security of your data very seriously, whether electronic or in paper form.  We have internal policies, controls and systems in place to ensure that your information will be kept secure and confidential at all times.  This includes staff being trained to understand their duty of confidentiality and their responsibilities regarding the security of the information they process, physical and electronic access controls to personal information and audit trails of who has accessed any health record. We will use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.

Your information will be kept in accordance with our Retention and Destruction of Records Policy (opens in new tab), which details the length of time we hold your records for.  Information will be disposed of securely once this period has lapsed.

Your information will be stored within the United Kingdom (UK). Where we temporarily transfer or process any of your information outside of the UK, we will ensure appropriate safeguards are in place to protect it.

We will use your contact details to communicate important information to you via letter, email, text message or video calls.  Where we have contact with you via telephone or video calls, in some cases we may record calls as part of your health and care record or for staff training – these calls may be deleted after three months. 

We may also contact you to ask for feedback on the quality of the services we have provided to you to identify areas of improvement.

Closed-circuit television (CCTV) operates outside and within our buildings for security purposes. The information can be viewed by us on a live feed, or we can access the recorded footage for up to 30 days.

The purpose for processing this information is for security and safety reasons. The lawful basis we rely on to process your personal data is Article 6(1)(f) of the GDPR, which allows us to process personal data when it's necessary for the purposes of our legitimate interests.

We have free Wi-Fi on site for the use of visitors and patients. We record the device address and IP address whilst on site. We also log traffic information in the form of sites visited, duration and date sent/received.

For further information on the free Wi-Fi please visit BT Wifi terms and conditions (opens in new tab).

The purpose for processing this information is to provide you with access to the internet whilst visiting our site. The lawful basis we rely on to process your personal data is Article 6(1)(f) of the GDPR, which allows us to process personal data when it's necessary for the purposes of our legitimate interests.

Under the General Data Protection Regulations 2016, you have rights as an individual that you can exercise regarding the information we hold about you:

  • The right to be Informed – you have the right to be told about how your information is collected and used
  • The right of Access – you are entitled to request access to and a copy of the information we hold about you
  • The right to Rectification – you have the right to ask to have incorrect information about you corrected or incomplete information completed

In some circumstances you may have:

  • The right to Erasure – you can ask us to delete your information
  • The right to Restrict Processing – you can ask that we stop using your personal data for certain purposes; however, this may delay or prevent us from delivering a service to you
  • The right to Object – you can object to profiling or any decisions about you that are made by wholly automated means
  • The right to Data Portability – data processed by automated means should be provided in a portable format.  Health information can be accessed by relevant health professionals through a central Clinical Portal to ensure continuity of your care across our services within Wales.

Many of the rights listed above are limited to certain defined circumstances.  We will seek to comply with your request, but may still need to hold or process information to fulfil our legal duties.  We will tell you if this is the case.

Rights related to automated decision making including profiling

Automated individual decision-making is a decision made by automated means without any human involvement. Automated individual decision-making does not have to involve profiling, although it often will do. Individuals have a right to object to profiling in certain circumstances.

You have the right to make a complaint about the way we have processed your personal information.  To do this, contact the Information Commissioner’s Office which is the statutory body that oversees data protection law:

ICO website (opens in new tab)

Telephone: 0330 414 6421

Email: wales@ico.org.uk

Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

 

You can also contact Hywel Dda University Health Board’s Data Protection Officer:

Email: dpo.hdd@wales.nhs.uk

Telephone: 01970 635442

Mobile: 07790 890773

Post: Data Protection Officer, Information Governance, IT Building, Bronglais General Hospital, Caradoc Road, Aberystwyth, SY23 1ER

You can also contact Hywel Dda University Health Board’s Caldicott Guardian:

Email: caldicottguardian.hdd@wales.nhs.uk

Our privacy notice is not exhaustive in regard to all aspects of how we collect and use personal information; however, we are able to provide any additional information or explanation needed. Please contact the Data Protection Officer, who is the organisation’s primary point of contact, for any queries in relation to how we use your information.

Website privacy policy

Purpose

This statement applies to all information collected or submitted on the website of Hywel Dda University Health Board. It details what information we collect, and how and why we collect it.

As described within the provisions of the General Data Protection Regulation (GDPR) 2016 and the Data Protection Act 2018, we take appropriate measures to maintain the security of your data on our website. Information collected is governed by this privacy statement and use of this website signifies your agreement.

Site usage information

Cookies

Cookies are pieces of data created when you visit a website. Our site uses cookies to store information while you move around the site. You can set your computer not to accept cookies. However, if you do this, you may not be able to use some site features because we need to record your preferences in order to give you the information you need during your visit.

Our cookies do not contain any personal information about you and do not hold any information about which sites you visited before you came here.

How to Disable Cookies

To change your cookie settings:

Internet Explorer – Go to ‘Tools’ on the menu bar > Select ‘Internet Options’ > Select ‘Privacy’ > Disable / restrict cookies

Firefox – Go to ‘Tools’ on the menu bar > Select ‘Options’ > Select ‘Privacy’ > Disable / restrict cookies

Opera 

* Please note that the above settings may differ depending on the browser version.

Personal information

We do not collect personal information about site users. When you voluntarily submit identifiable data on this website (this includes submission of feedback forms, subscriptions or questionnaires), the information submitted is used solely to respond to your queries and for its intended purpose. We do not share web user information with third parties.

Mailing lists

What data do we collect?

When you subscribe to the mailing lists we record your email address. We also collect your subscription preferences, which at this time are limited to details of which lists you are subscribed to.

We may also record other personally identifiable information if you choose to provide it. This information is only used for internal analysis purposes to inform decisions on the nature and content of our communications. We use Constant Contact as our newsletter provider and to administer our mailing lists.

This also provides us with usage information about our mailing lists, including statistics relating to how many subscribers open or read each newsletter and the number of clicks generated by links included in a newsletter. This data is only used to inform decisions on the nature and content of future communications.

For what purpose do we intend to use your personal information?

We will only use your personal information to send you updates from the mailing lists that you have joined. Your address will not be added to any other lists, shared with third parties (other than our mailing list service provider, Constant Contact) or used to send you unsolicited email.

Google Analytics

This website uses Google Analytics (opens in new tab), a web analytics service provided by Google Inc. (‘Google’). Google Analytics uses ‘cookies’ and JavaScript code to help analyse user activity on websites. The information generated about your use of the website (including your IP address) will be transmitted to and stored on Google servers in the United States.

Google will use this information to produce user activity reports for this website. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf.

Google will not associate your IP address with any other data previously held. You may refuse the use of cookies by selecting the appropriate settings on your browser. Please note that if cookies are disabled, you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

Read Google’s Full Privacy Policy (opens in new tab) and Terms of Service (opens in new tab) for detailed information.

Why We Collect User Statistics

By understanding user behaviour and preferences, we are able to improve our website content to meet user expectations and needs.

Download the NHS app

All of our support tools can also be accessed through the NHS App.