Skip to main content

Privacy Notice


Powys Teaching Health Board (the Health Board) is committed to protecting your personal information in accordance with the law.  We will ensure that your information is safe and only used for the legal purposes for which we can use it.  This privacy notice explains how your personal information is processed and our purpose for processing.


What information do we hold and where does it come from?

The Health Board holds records about you which will include the following:

  • Personal identifiers and demographic information consisting of such things as your name, date of birth, title, gender, address, email address, phone number;
  • Your family, spouse and partner details;
  • Sensitive data (special category):- racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health/medical data, civil / criminal proceedings or actions, genetics and biometrics;
  • Any contact the health board has had with you such as appointments, clinic visits, emergency appointments etc;
  • Notes and reports about your health;
  • Details about your treatment and care, including medication;
  • Results of investigations, such as laboratory tests, x-rays etc;
  • Relevant information from other health and social care professionals, also from relatives or those who care for you.
  • Pseudonymised data where we may replace your personal details with a reference number for specified purposes. 


How do we keep your information confidential?

NHS records may be held on a computer, on paper or a mixture of both and we use a combination of sound working practices and technology to ensure that your information is kept confidential and secure.  We will protect your information through:

  • Training – staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of your information when on our premises and also in the community, such as, at your home.
  • Access controls – all staff using computer systems will be given their own username and password to access your information; much like you do when using your computer at home to access your bank account or online utility bills.
  • Audit trails – we will keep a record of staff who has accessed your health record or added to your record.  We use this to show who has accessed your information.
  • Records storage – all healthcare records are stored in secure locations.  Our data centres where we hold your information on computer are in secure places with very tight entry controls.


How do we use your information?

To use your personal data appropriately, Powys Teaching Health Board complies with the following Legislation and Standards:

UK General Data Protection Regulation (UK GDPR);

The Health Board processes personal information under the following legal basis:

Article 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Article 9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

Data Protection Act 2018;

Common Law Duty of Confidentiality;

Health & Social Care Act 2012;

NHS Codes of Confidentiality, Information Security and Records Management; and

European Convention on Human Rights Act 1998 

Healthcare professionals who provide you with care maintain records about your health and any treatment or care you receive.  These records help our staff to provide you with the best possible health care.  This may include your medical records, complaint files, job applicants etc.  Where required, we will use your information for Commissioned Services where treatment and services are provided by another health board or organisation, or for service improvement. We will also use your information to help us manage the NHS and for statistical purposes and at times, your information maybe used for research purposes.  There will be times when it is appropriate for us to share information about you and your healthcare with others such as, GPs, other healthcare providers, social care and others.  The need to share relevant information is to help us work together for your benefit. The health board at this time does not use automated decision making.

If you are a Welsh resident who has received treatment by an NHS care provider in England, your information will be shared back into NHS Wales in order to verify and combine with your information held in Wales. That information will be used by the Health Board/Trust to identify you and validate what care was provided.

Should you wish to know more about how the Health Board uses your information and with whom it is shared please see ‘Your Privacy, Your Rights’  leaflet which is currently available at How the health board processes your personal information - Powys Teaching Health Board (


Powys Teaching Health Board has a legal obligation to safeguard public funds and we reserve the right to check information you have provided for accuracy, in order to detect fraud. We participate in anti-fraud data matching exercises carried out by other agencies such as the National Fraud Initiative.


How long do we keep your information for?

We will hold your data in accordance with the law and the Health Board uses national guidelines to determine when your records can be destroyed.  Please refer to the: -  NHS WALES RECORDS MANAGEMENT CODE OF PRACTICE 2022 (


Your rights under UK GDPR

Under the UK GDPR, you have rights as an individual which you can exercise, and we must consider, in relation to the information we hold about you. These include:

  • a right to be informed about how your personal data is processed;
  • a right of access to a copy of your personal information;
  • a right, in certain circumstances, to have inaccurate personal data rectified or erased;
  • a right, in certain circumstances, to restrict processing;
  • a right to object to processing your personal information


Accessing or amending your information?

Under the law you have a number of rights about your information including:

  • Being able to request copies or to view what information the Health Board holds about you.  This is known as a Subject Access Request;
  • You also have the right to have information about you amended should it be inaccurate.

If you require further information about your rights please visit the Information Commissioner's website at

Information about Subject Access Requests or making a request that your record is amended can be made via our Access to Information page.


The Health Board monitors e-mail, as permitted by the relevant Telecommunications Regulations, in order to protect its technology infrastructure from "virus" infection and to ensure that relevant UK and international law is adhered to by the sender and by the Health Board.

E-mail sent from Powys Teaching Health Board is confidential and intended solely for the use of the individual(s) to whom it is addressed. If you are not an intended recipient, be advised that you will have received the e-mail message in error and that any use, dissemination, forwarding, printing, or copying of Health Board e-mail is strictly prohibited.  May we ask you to inform the sender of the incorrect delivery by way of the Reply option in the e-mail message.

Any views or opinions presented are to be understood as those of the author and do not necessarily represent those of the Health Board.

E-mail messages and any attached files will have been checked with virus detection software before transmission.  However, recipients must carry out their own virus checks before opening any attachment.  The Health Board accepts no liability for any loss or damage which may be caused by software viruses.

Please be aware also that, under the terms of the Freedom of Information Act 2000, Powys Teaching Health Board, as a public authority, may be asked to make available the content of any e-mails or correspondence received.

For further information, please follow the link to the Health Board Freedom of Information page.



Information on how we may use Cookies can be found here



Information on how we collect information through visits to our website can be found here


Links to other websites

This privacy policy does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.


SMS / Text Messages

The health board may on occasion use your mobile number to contact you via text message to provide information to you in relation to your direct care from PTHB. This may be to ask you to contact the health board to book an appointment for a particular service that you have been referred to, or to ask for your feedback for a particular service to help with service improvement.

You have the right to let us know that you do not wish to be contacted using this method. 


How to contact us

If you have any concerns about how your information is managed within the Health Board please check our website for details on how you can complain or report a concern.

To contact the Health Board’s Data Protection Officer (DPO):

telephone: 07836 505 851 


by post: Data Protection Officer - Glasbury House, Bronllys Hospital, Bronllys. Brecon, Powys LD3 0LY

Powys Teaching Health Board is classed as a Data Controller for the purposes of data protection and is required to register with the regulator, the Information Commissioner’s Office (ICO).  Our Registration number is Z781546X.

Further details can be on the Information Commissioner's Office website at

If you wish to escalate your concerns, you should contact the Information Commissioner’s Office at


Public Task Statement

Our statement of public task sets out the functions carried out by Powys Teaching Health Board for the purposes of the Re-Use of Public Sector Information Regulations 2015 and General Data Protection Regulation (GDPR).