Keeping your Data Safe
Thank you for taking the time to consider registering with HealthWise Wales.
The pages within this "About" section contain all of the essential information that you need before you register.
If you'd like more information on our security controls, watch this short film.
On this page, we answer questions about how we will keep your information safe.
General Data Protection Regulation (GDPR)
HealthWise Wales has always taken data protection very seriously. This means that we already comply with the General Data Protection Regulation. Information is already available across our website on how we comply.
For clarity, please find below our transparency statement on how we will hold and use your data.
Cardiff University is the sponsor for this study and is based in the United Kingdom. We will be using information from you and your medical records in order to undertake this study and Cardiff University will act as the data controller for HealthWise Wales. This means that we are responsible for looking after your information and using it properly. HealthWise Wales is an ongoing longitudinal study (collects data throughout people's lives) and as such the end date of the study is unknown at this time.
The lawful basis for processing your data is to undertake health research in the public interest for scientific and historical research purposes in accordance with our public task as a research institution, for which participants give consent when they register to take part. Ethical review of the processes and procedures has been undertaken (Wales REC3) and is reviewed every five years.
Your rights to access, change or move your information are limited, as we need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we will keep the information about you that we have already obtained. For more information about your participation, please visit: https://www.healthwisewales.gov.wales/participation/
To safeguard your rights, we will use the minimum personally identifiable information possible. The personal data collected for research via HealthWise Wales is pseudo-anonymised or anonymised wherever possible.
When you consent to take part in HealthWise Wales, you consent to access to, or use of, your routinely collected NHS data. You can find out more about how we use your information at: https://www.healthwisewales.gov.wales/using-data/ or by contacting firstname.lastname@example.org
HealthWise Wales will use your contact details to notify you about relevant study information, and other research projects that may be of interest to you. Individuals from Cardiff University and regulatory organisations may look at HealthWise Wales data to check the accuracy and compliance of the research study against published standards.
The only people in Cardiff University who will have access to information that identifies you will be people who need to contact you about HealthWise Wales or about other research you may be interested in via HealthWise Wales, or who audit the data collection process.
The people who analyse the information will not be able to identify you and will not be able to find out your name or contact details.
Cardiff University will collect information about you for this research study from the SAIL NHS routinely collected database at Swansea University. Swansea University (SAIL) will not provide any identifying information about you to Cardiff University. We will use this information to answer relevant research questions through the HealthWise Wales Platform.
This information will not identify you and will not be combined with other information in a way that could identify you. The information will only be used for the purpose of health and care research, and cannot be used to contact you or to affect your care. It will not be used to make decisions about future services available to you, such as insurance.
An IP address is an address which is unique to each device connected to a network (e.g. a PC, tablet or smartphone). It is standard practice to record each IP address which connects to a CTR server, and this record is stored in the server log files, which record all server-level activity. We do not link this address to other data which we are collecting, nor do we analyse the data unless we have a specific reason to look at an individual IP address. We collect it in the spirit of recital 49 of the EU GDPR (http://www.privacy-regulation.eu/en/recital-49-GDPR.htm), which allows us to process personal data to ensure network and information security.
If you have any questions or concerns please contact us.
We are delighted to have over 40,000 participants in the HealthWise Wales cohort. In 2019 we informed you of our plans to start using a mailing system to enable us to communicate with you and manage your subscription preferences more effectively.
We have recently started using the new system. You may notice some changes in the way our emails look, but rest assured that your data is still being stored securely and is not being shared with any third parties. We still comply with the General Data Protection Regulation, and authorised HealthWise Wales team members remain the only people who have access to your contact details. Our use of the mailing system has been approved by Cardiff University GDPR Services, Cardiff University IT Services, and the Wales Ethics Committee (REC 3).
To find out more about the mailing system, Sendinblue, please visit https://www.sendinblue.com
Will my information be safe?
It's important to us that all your information is safe. It will be held securely, and we will follow the standards set out by the General Data Protection Regulation (GDPR), the
To follow these standards, we have tight security controls including:
- All personal information that could identify you (such as name and address) is encrypted and stored separately from other information (from the questionnaires).
- Access to personal information is restricted to specific members of staff who have the appropriate training and authorisation. Such training and authorisation are reviewed regularly.
- When the information is linked with NHS data, all details that could be used to identify you are removed. If you would like more details on how this works, you can find them on the website of the Secure Anonymised Information Linkage system (SAIL, see for their website).
Participant data will only be used to support the research objectives of the project. Our rigorous security controls are always under review to ensure that identifiable information is not accessed for any other purpose.
Cardiff University is the data controller for all HealthWise Wales collected data. If you wish to make a complaint with regard to the processing of personal data, please contact the Cardiff University Data Protection team at:
Data Protection Officer
Department of Strategic Planning and Governance
Tel: 02920 875466
For further information about the University's data protection policy, please visit:
Who will have access to my information?
The study team will control access to your contact details, and only the study team will contact you directly. We will use your contact details to get information about you from your health records held by your doctor or by the NHS.
The answers you give to the questions and the information from your health records will be held separately from your contact details, to create an anonymous database of information for research.
Any researcher who wants to use information from the anonymous database will have to apply for approval from the Scientific Steering Committee, which is overseen by the Public Involvement Delivery Board (PIDB). This could include researchers from public, private or third sector institutions or researchers from other countries wanting to answer questions about health and wellbeing and find new treatments. There will be an application procedure, where the researchers will have to explain why they want the information and what they will do with it. You will not be asked to consent again. Requests to use the information will only be agreed if they fit the overall purpose of HealthWise Wales (to find better treatments, improve health and social services, and increase health and wellbeing).
The final decision about approvals will be made by the Public Involvement Delivery Board (PIDB). If approved, the researchers will sign an agreement, which will explain what they will do with the information and the security procedures that they will have to stick to if they are given access to the information.
All researchers who want to access the study information will have to do 'Safe Researcher' training before they can access the information. We will not share any of your personal information such as your name or address with these researchers.
There will be a charge for researchers to use the information from the study. This will be used to help cover the costs of running the study.