The purpose of this notice is to inform you of why and how we process your personal data.
Velindre University NHS Trust is responsible for the Welsh Blood Service and Cancer Services for South East Wales. We were established by an Act of Parliament which means that we are legally required to carry out certain functions. We call these our statutory functions. To enable us to carry out these functions, we need to process elements of your personal data, and the purpose of this notice is to inform you what data we process, how we process it and why. Because we process your personal data, we are a Data Controller and so are required to comply with relevant Data Protection law.
The personal data we process
Your personal data means any information relating to you, and by which you can be identified. In order to carry out our functions, we will process a wide variety of your personal data, including (but not limited to) the following:
- Name, address and contact details (including email and telephone numbers)
- Date of birth
- Information regarding your physical and mental health
- Photographs that you have consented to be taken
- We do not collect or process all of this personal data for all people all of the time. We only collect and process the personal data that is necessary for the particular task that we are carrying out.
How we collect your personal data
We collect your personal data from a variety of sources, including
- Information provided directly to us by yourself
- Information provided by other NHS organisations (e.g. Health Boards)
- Surveys and research
How we use your personal data
We want you and your family to enjoy the best possible healthcare in Wales and we process the personal data that we require to help us achieve this. We only process the minimum amount of personal data that we need to perform the task that we are carrying out.
In the main, we process your personal data for purposes directly connected with ensuring that you receive high quality healthcare through the NHS. We do however process it for other general reasons, such as:
- Providing you with information you have requested
- Handling your enquiries
- Providing access to certain areas of our websites
- Informing you of services which may be relevant to you
- If you apply to work for us
- Auditing use of our systems and websites
- Handling of complaints and concerns
The legal basis for processing your personal data
In the majority of cases, we process your personal data to directly carry out our statutory functions. This means that because we are established by Act of Parliament and are required by law to carry out these functions, under Data Protection law we are allowed to process your personal data because the processing is ‘necessary for performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’
We have to be able to process your personal data in order to deliver the service you require. We do not ask for your consent to process your information to enable us to carry out our statutory functions because if you refused we would be unable to provide you with a proper healthcare service.
In some cases we will want to process your personal data for reasons beyond our statutory functions. When we want to do this, we will ask for your consent to process the personal data that we need (e.g. if we want to take and use your photograph in our marketing materials, or you wish to subscribe to a newsletter). In these cases when you give your consent you will be told how your personal data will be processed. You will also be told how you can withdraw that consent and opt out of further processing.
Your rights under Data Protection Regulations
Under the Data Protection Act, you have the right to know if we hold personal data relating to you, and if so what personal data we hold and why. You also have the right (with certain exceptions) to a copy of any personal data that we hold in order that you can be sure that it is accurate and up to date. You can get more information on what personal data we hold about you by contacting the Data Protection Officer (details shown at the end of this notice).
Sharing your personal data with others
We sometimes share your personal data with other organisations. We only do this when there is a clear legal basis for doing so. Sometimes we share your personal data because it is in your best interests that we do, and on other occasions we will share your personal data because we are legally obliged to do so. We do not share your personal data for marketing or commercial purposes.
When we decide it is necessary to share personal data, we will enter into a ‘Data Sharing Agreement’ (DSA) with the people we are going to share it with. DSAs are drawn up in line with the Wales Accord on Sharing of Personal Information (WASPI). More details about DSAs can be found at the WASPI website, at http://www.waspi.org/home
We also share your personal data from time to time with third party contractors, who we engage to undertake certain processing activities for us. We do this because it is often more efficient and cost effective to use a contractor and we have judged it to be the best value. When we engage a contractor they become a Data Processor, and they are then bound by the law in the same way that we are and so are subject to strict rules on processing. They can only process your personal data in the manner that we specifically tell them to and must not share your personal data with anyone else without our express permission. Before engaging a contractor we make sure that they have appropriate measures in place to secure your personal data.
Security of your personal data
Velindre University NHS Trust recognises that your personal data is very valuable, and so we take its security very seriously.
We employ robust technical measures to secure your personal data and access to it is restricted to people who have a need to process it in line with their work.
All Velindre University NHS Trust staff are bound by contracts which include clear responsibilities in relation to confidentiality. All of our non-medical staff have the same duty of confidentiality as healthcare professionals such as Doctors and Nurses.
All of our staff must attend training in what we call Information Governance. Amongst other things, this training makes them understand the importance of confidentiality and security of your personal data and makes clear that they are personally responsible for the security of any information which they are processing. They must attend this training at least once every two years and must pass a test to demonstrate that they have understood it. The expectations we have on our staff are set out in the Information Governance Policy. Failing to comply with this policy is a disciplinary offence.
We regularly audit access to personal data to ensure that it is being processed appropriately.
Digital Health and Care Wales
Digital Health and Care Wales (DHCW) provides some of the IT services within NHS Wales including our website. IP addresses are used by your computer every time you are connected to the Internet. Your IP address is a number that is used by computers on the network to identify your computer. IP addresses are automatically collected by DHCW so that data (such as the web pages you request) can be sent to you. DHCW will collect other anonymised statistical information about use of the website so that the service can be maintained and improved.
What are cookies?
Cookies are small files that websites put on your computer hard disk drive when you visit. Cookies pass information back to websites each time you visit. They are used to uniquely identify web browsers, track user trends and store information about user preferences. You can restrict/disable cookies on your browser; please note that some website features may not function properly without cookies.
How to Disable Cookies
To change your cookie settings:
Internet Explorer: Please follow this link http://windows.microsoft.com/en-gb/internet-explorer/delete-manage-cookies#ie=ie-9 for instruction on how to disable cookies.
Firefox: Please follow this link http://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences or instruction on how to disable cookies
Chrome: Please follow this link https://support.google.com/chrome/answer/95647?hl=en&ref_topic=14666 for instruction on how to disable cookies.
To exercise all relevant rights or should you have any objections or queries relating to how your personal data is being processed by Velindre University NHS Trust, please contact our Data Protection Officer at :
Velindre University NHS Trust,
Unit 2 Charnwood Court,
For independent advice about data protection, privacy and data-sharing issues, or if you should ever be dissatisfied with the way Velindre University NHS Trust has handled or shared your personal data you can contact the Information Commissioners Office (ICO) at:
Information Commissioner’s Office – Wycliffe House
Telephone: 0303 123 1113