
Privacy notice - Full

A privacy notice is a statement that describes how Hywel Dda University Health Board collects, uses, retains and discloses personal information. Different organisations sometimes use different terms and it can be referred to as a privacy statement, a fair processing notice or a privacy policy.

The Hywel Dda University Health Board is a Data Controller and we are responsible for collecting and processing your personal information.

Click here to view the Register of Data Controllers (opens in new tab)

For specific enquiries regarding personal data which we process you can contact the Data Protection Officer:

Address: Hywel Dda University Health Board, Information Governance, IT Building, Bronglais General Hospital, Caradoc Road, Aberystwyth, SY23 1ER


Your Personal Data – what is it?

Personal data is any information that relates to a person who can be directly or indirectly identified from the information. The terms “personal information” and “personal data” are used throughout this privacy notice and have the same meaning.

To ensure that the Health Board treats personal information correctly, we seek to adhere in full to the requirements of Data Protection legislation.

This privacy notice has therefore been produced to explain as clearly as possible what we do with your personal data.

Why we collect, use and keep your personal information


Why do we need your Personal Data?

Hywel Dda University Health Board collects, processes and holds personal data relating to you to:

  • provide services regarding your individual healthcare, including assessment, diagnosis and treatment of physical and mental ill-health
  • update and correct your records
  • contact you about your appointments and changes to our services
  • monitor and get feedback on how we provide our services to you to identify areas of improvement
  • fulfil reporting obligations with regulatory bodies, such as Welsh Government, Wales Audit Office and NHS Wales
  • undertake research and statistical analysis to help improve future healthcare treatment and services

Hywel Dda University Health Board has a legal obligation to safeguard public funds and we reserve the right to check information you have provided for accuracy, in order to detect fraud. We participate in anti-fraud data matching exercises carried out by other agencies such as the National Fraud Initiative.

What is the lawful basis for processing your personal data?

When we collect and use your personal information, we will ensure this is processed in accordance with at least one of the legal grounds available to us under data protection legislation:

  • The performance of tasks under our official authority to provide you with healthcare services under National Health Service (Wales) Act 2006 and Local Health Boards (Directed Functions) (Wales) Regulations 2009.
  • It is necessary for the performance of a contract we hold with you.
  • It is necessary to protect the vital interests of a data subject or another person.
  • We have a legal obligation under an Act of law, including the planning and commissioning of health and wellbeing services, for the purposes of preventing and detecting crime and/or fraudulent activity, safeguarding people or to fulfil our duties in regard to protecting public health.
  • We will sometimes process personal information based on your consent.  We will always tell you where this is the case and ask you to agree before we process it.  Where we have used consent as the lawful basis for processing your information, you have the right to withdraw your consent at any time.
  • Finally, sometimes it is necessary to process your personal information for the purposes of our own legitimate interests. We will only do so where these interests are not overridden by the interests and fundamental rights or the freedoms of the individuals concerned.

Data protection law recognises certain "special categories" of personal information, which is information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic information, biometric information for uniquely identifying a person, information concerning health, and information concerning a person's sex life or sexual orientation. These special categories are considered particularly sensitive and so we will only collect and use this information where one or more of the following conditions applies:

  • You have given us your explicit consent.
  • It is necessary for the purpose of carrying out obligations in respect of employment purposes such as safeguarding vulnerable groups and assessments of fitness for practice.
  • It is necessary for the purpose of social protection where we have concerns about your wellbeing and wish to put safeguarding measures in place.
  • It is necessary in relation to the establishment, exercise or defence of legal claims.
  • The processing is necessary for reasons of public interest in the area of public health (such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices).
  • Provision of preventative or occupational medicine, health or social care or treatment, or the management of health or social care systems.
  • It is necessary for research or statistical purposes.

Automated decision-making including profiling

Solely automated individual decision-making - including profiling - with legal or similarly significant effects is restricted, although this restriction can be lifted in certain circumstances. You can only carry out solely automated decision-making with legal or similarly significant effects if the decision is:

  • necessary for entering into or performance of a contract between an organisation and the individual;
  • authorised by law (for example, for the purposes of fraud or tax evasion); or
  • based on the individual’s explicit consent.

If you’re using special category personal data you can only carry out processing described in Article 22(1) if:

  • you have the individual’s explicit consent; or
  • the processing is necessary for reasons of substantial public interest.


Complaints and Enquiries

You have the right to make a complaint about the way we have processed your personal information.  To do this, contact the Information Commissioner’s Office which is the statutory body that oversees data protection law:

Email to:

Telephone: 0303 123 1113

Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF


You can also contact our Data Protection Officer:


Telephone: 01970 635442

Post: Data Protection Officer, Information Governance, IT Building, Bronglais General Hospital, Caradoc Road, Aberystwyth, SY23 1ER


Our privacy notice is not exhaustive in regard to all aspects of how we collect and use personal information; however, we are able to provide any additional information or explanation needed.  Please contact the Data Protection Officer, who is the organisation’s primary point of contact, for any queries in relation to how we use your information.