A privacy policy is a statement or legal document (in privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, financial records, credit information, medical history and intentions to acquire goods and services.
In the case of the NHS in Wales, it is often a statement that declares the policy on how it collects, stores, and releases personal information it collects. It informs the service user what specific information is collected, and whether it is kept confidential and where it is shared with partners.
Privacy policies typically represent a broader, more generalised treatment, as opposed to data use statements, which tend to be more detailed and specific.
This statement applies to all information collected or submitted on the NHS Wales Shared Services Partnership website. It details what information we collect, how and why we collect them.
As described within the provisions of the UK Data Protection Act 2018 (external website) and the UK General Data Protection Regulation (GDPR) 2018, we take appropriate measures to maintain the security of your data on our website. Information collected is governed by this privacy statement and use of this website signifies your agreement.
NHS Wales Shared Services Partnership (NWSSP) is strongly committed to protecting personal data. This Privacy Notice explains the following:
We recommend you read this privacy notice thoroughly. Please contact us with any questions or concerns regarding our privacy practices. Our contact details are on our website and also contained within this Privacy Notice.
NHS Wales Shared Services Partnership (NWSSP) is an independent mutual organisation, owned and directed by NHS Wales. It was set up on 1st April 2011 to provide a range of high quality, customer-focused professional, technical and administrative services on behalf of all Health Boards and Trusts in NHS Wales. The NWSSP is hosted by Velindre University NHS Trust.
Our Privacy Notice explains how the NWSSP uses personal data. All references to ‘we’ or ‘us’ in this notice refer to NWSSP.
You can contact us via email: shared.services@wales.nhs.uk
We do not collect personal information about site users. When you voluntarily submit identifiable data on this website (this includes submission of feedback forms, subscriptions or questionnaires), the information submitted is used solely to respond to your queries and for its intended purpose. We do not share web user information with third parties.
In respect of Personal or other identifiable confidential information, each service area within NHS Wales Shared Services Partnership (NWSSP) that processes data has its own Privacy Notice or Policy that explains the use of data provided to the organisation by specific department.
These include (as an example), Legal and Risk Services’ Privacy Notice:
Legal and Risk Services’ Privacy Notice
When we talk about personal data or personal information, we are only referring to information from which an individual person can be identified. It does not include data where the identity has been removed.
Our activities across Wales are fundamental to our success. We collect and process information to help us continue to deliver our services in Wales. It allows us to meet our statutory obligations as a Public Authority as defined in Section 18 of the National Health Service (Wales) Act 2006. This includes the following categories of information:
To put this into context, it includes personal data collected as a result of:
This can include information such as your name, communication preferences, email address, postal address, IP address, telephone number, mobile number, and date of birth.
For example, we record telephone calls you make to NWSSP employment services helplines to:
If you object to this, you will need to end the call when you are told that calls may be recorded.
Sometimes, calls may not be recorded if:
It is important that we keep your details up to date, so please stay in touch.
When you contact us regarding the work we do, we will handle your data with the utmost care and are sensitive to the need to handle all data lawfully, fairly and transparently.
You should also be aware of our responsibilities under Freedom of Information legislation, our remit to provide information to meet internal and external audit requirements, and our legal obligations (e.g. fraud prevention).
We monitor user activity to enhance content provided on the site. Google Analytics (an external website) is a free service provided by Google (an external website) that generates statistics about the visitors to a website.
Information collected includes referring/exit web pages, click patterns, most/least viewed web pages, session duration, number of visitors, browser type, operating systems etc. Information is collected by using cookies.
This Privacy Notice lays out how and why we use cookies on NWSSP websites. It will allow you to make an informed decision regarding the acceptance, rejection or deletion of any cookies that we use.
By using our websites, you consent to our use of cookies, so we recommend that you read the information below. This cookies policy may change at any time, so please check it regularly.
A cookie is a small file of letters and numbers which often includes an anonymised, unique identifier. This means that it can be used to identify you without revealing your personal information. When you visit a website, it asks permission to store a cookie in the cookies section of your hard drive. Cookies are widely used on the internet to make websites work, to make them work more efficiently, or to provide information about your usage of the site to the site owner or other third parties. For example, if you add items to a shopping basket, a cookie allows the website to remember what items you are buying, or if you log in to a website, a cookie may recognise you later on so that you do not have to put in your password again.
We use cookies to improve the way our website works. We also use third-party cookies set by Google Analytics to review our site’s functionality.
A third-party cookie is one that is associated with a different domain or website than the one that you visit. For example, on this site, we use third-party cookies built by Google to enable website analytics, but as our site is not on the Google domain, this makes their cookies “third-party” cookies. The Google Analytics cookie will recognise and count the number of people who visit our site, as well as providing other information such as how long visitors stay, where they move to on our site, and what pages receive the most visits. We cannot directly control how Google cookies behave.
To change your cookie settings:
We always have a legal basis for processing personal data. The legal basis we use are as follows:
We must have a lawful reason for processing your personal information. Most commonly, we will use your personal information in the following circumstances:
In all cases, we balance our needs against your rights as an individual and make sure we only use personal data in a way or for a purpose that you would expect in accordance with this Privacy Notice and that does not intrude on your privacy or previously expressed preferences.
Where we process special categories of personal data (as mentioned above), we will make sure that we only do so in accordance with one of the additional lawful grounds for processing. For example: where we have your explicit consent or for the performance of a task in the public interest.
We will only use your personal information for the purposes for which we collected it, unless we consider that we need to use it for another reason and that reason is compatible with the original purpose. Information is only held for as long as there is a legitimate reason to do so, information that is no longer required is destroyed in such a way that it cannot be reconstructed. If you wish to obtain an explanation as to how the processing for the new
purpose is compatible with the original purpose, please contact us.
Disclosure of Information for legal or regulatory purposes.
We may need to disclose your information to a third party as part of ongoing programme management and audit requirements.
Additionally, as part of our remit to conduct due diligence, we may also need to release information to progress governance checks for specific requirements, programmes, other parties. We will carry out this process lawfully, proportionately and securely.
Third parties include:
We will ensure that if information is required to be shared, then it will be shared securely, and you will be informed that we have shared it, who we have shared it with and how we shared it.
Personal data is stored within NHS Wales electronic systems. We undertake regular security reviews of all our platforms and conduct risk assessments as required under Article 35 of the EU GDPR and Chapter 2 of the Data Protection Act 2018 (UK GDPR) to comply with our duty as a Data Controller. Please contact our Data Protection Officer for further information should you wish to understand how your data is processed.
We have appropriate security measures in place to prevent your personal information from being accidentally lost, used or accessed in an unauthorised manner or otherwise used or disclosed.
To achieve this, we use encrypted secure technology to protect all personal information stored by us. We operate up to date and regularly review policies for Data Protection, Information Governance, Password Policy, Information Security and Business Continuity (including Risk Assessments via the Data Protection Impact Assessment (DPIA) process and individual risk assessments) to support our business processes and to ensure that all personnel are aware of the importance of data security.
Access to information is permitted on a need-to-know basis.
We retain your personal data in accordance with applicable legislation such as the Public Records Act 1958, the Health Records Act 1990, The Freedom of Information Act 2000 and the Environmental Information Regulations 2004.
NWSSP only keeps and processes personal data for as long as there is a contractual or business requirement to do so or we are otherwise obliged to keep the same under any contractual, regulatory or legal requirement. Once the requirement has expired, the information is deleted safely and securely from our systems in such a way that Information which is deleted is done so in accordance with current security regulations.
As part of our responsibility to ensure that information we hold about you is up to date, we rely on you to keep us updated. We request that where any of your details change, that you inform us so that we may update out records accordingly.
As a data subject, you have rights in relation to your Personal data. These are:
You also have the right to make a Subject Access Request. As part of this process you will be able to ascertain:
We reserve the right to validate your identity prior to release of information.
We will not make any charges for such requests unless the requests made repeatedly and are considered excessive. We will respond to you request within 1 month of the date of request.
If you have provided consent to NWSSP to process any of your data, then you also have a right to withdraw that consent unless we are contractually or legally obligated to retain data.
In cases where we do not need to retain data for contractual or legal reasons, we will delete the data as soon as possible and at the very least within 28 days.
For independent advice about data protection, privacy and data-sharing issues, or if you should ever be dissatisfied with the way we have handled your personal data you can contact the Information Commissioners Office (ICO) at:
ICO Wales contact details
Information Commissioner’s Office – Wales
2nd Floor, Churchill House
Churchill Way
Cardiff
CF10 2HH
Telephone: 029 2067 8400
Fax: 029 2067 8399
Email: wales@ico.org.uk
ICO Head office details
We regularly review all of our policies and procedures. We will post updates on our documentation and webpage, this Privacy Notice was last reviewed and amended on the 27th May 2025.
Care is taken to ensure that the website content is accurate. Nevertheless, content is provided for general information only, and you use it at your own risk. We will not be held liable for damage or loss ensuing from any act or omission resulting from the use of information on this website.
We reserve the right to make changes to the web site as appropriate from time to time.
We make every effort to check and test material for viruses. However, it is recommended that you run an anti-virus program on all materials downloaded from the internet. We cannot accept responsibility for any loss, disruption or damage to your data or computer system which may occur whilst using material derived from this website.
NHS Wales Shared Services Partnership is not responsible for the content or reliability of any linked websites. We accept no liability in respect of the content or for the consequences of following any advice included on such sites.
Listing should not be taken as an endorsement of any kind.
We cannot guarantee that these links will work all of the time and have no control over the availability of the linked pages or change of website address.
NWSSP reserves the right to reject or remove links to any website.