Privacy Policy


The NHS Wales Finance Academy is a voluntary collaboration of all NHS Wales organisations’ Finance Directors, whose collective ambition was to develop an NHS Finance function that is “best suited to Wales but comparable with the best anywhere”.

This collaboration is delivered through the Finance Academy Board, with membership drawn from every Director of Finance in NHS Wales plus key partner organisations. The Board is supported by a Director and small programme team.

This privacy notice applies to all information collected or submitted on the website of NHS Wales Finance Academy and any other information collected by individual initiatives as part of the objectives or strategy of the Academy for legitimate, lawful bases and in various formats.  

This notice details what information we collect, how and why we collect it. 

Any following references to ‘We’ and ‘us’ refer to the NHS Wales Finance Academy as a “hosted” body under Velindre University NHS Trust and as part of the NHS Wales Shared Services Partnership (NWSSP).

As described within the provisions of the UK General Data Protection Regulation (GDPR) 2018, we take appropriate measures to maintain the security of your data. Information collected is governed by this privacy statement and use of this website or correspondence and work with you through forms or other methods signifies your agreement and will be explained to you at the time.

We are committed to respecting your privacy and protecting your personal data. Personal data, or personal information, means any information about an individual from which that person can be identified.

Please read the following to understand how we use and protect the personal information that you provide to us, or that we obtain or hold about you and to understand what your rights are in relation to the personal information that we hold.

This privacy notice is designed to be as clear and informative as possible, but do not hesitate to let us know if you have any questions about the ways in which we use your personal information. We may review and update this privacy notice from time to time and will notify you of any material changes.



Who is primarily responsible for your personal information?

NHS Wales Shared Services Partnership (NWSSP) is primarily responsible for the personal information we collect about you. The NWSSP is therefore termed the ‘Data Controller’ under the UK General Data Protection Regulation (GDPR) for these processes.


Your Rights


In certain circumstances, you have a number of rights in relation to your personal information under current Data Protection legislation. These are described in the sections below. To exercise any of your rights, please contact the NWSSP Information Governance Manager at

We will respond to your request (including providing information on whether the rights apply in the particular circumstances) within the applicable statutory time period.  This is currently one calendar month for subject access requests for your own personal data. 

If we are not sure of your identity, we may require you to provide further information in order for us to confirm who you are. If we are unable to comply with your request, we will always explain why.

Your rights are as follows:

Right of access to personal data - You have a right to request a copy of the personal data we hold about you.

Right to rectification - If you believe the personal data we hold about you is incorrect, you can contact us to request that any incomplete or inaccurate data that we hold about you be corrected. However, we may need to verify the accuracy of the new information you provide to us.

Right to erasure - You have the right to request the deletion or removal of personal data we hold about you where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to us holding your information, where we may have processed your information unlawfully or where we are required to erase your personal data to comply with law. Although we will consider every request for erasure on its merits, we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Right to object to processing - You have a right to object to the processing of your personal data where we are using it for the purpose of our legitimate interests. If we agree that your objection is justified we will stop using your information for those purposes. Alternatively, we will explain why we still need to use your information.

Right to restrict processing of your personal data - You have a right to request us to suspend the processing of your personal data in the following situations:

  • for the period it takes us to rectify any inaccurate data about you;
  • where our use of the data is unlawful but you do not want us to erase it;
  • where you want to prevent us from deleting your data at the end of the retention period in the event that you need it to establish, exercise or defend a legal claim;
  • where you have objected to our use of your data, but we need to verify whether we (or a third party) have overriding legitimate grounds to use it.

Right to request the transfer of your personal data to you or to a third party – You have the right to ask us to transfer certain information we hold about you to a third party you have chosen, or directly to you. Where your request is valid, we will provide you with your personal data in a structured, commonly used, machine-readable format.


Your right to lodge a complaint

If you should ever be dissatisfied with the way we have handled or shared your personal data, please contact us on and we will do our best to assist.

You also have a right to make a complaint to the supervisory authority if the complaint is not resolved in the first instance. The Information Commissioner’s Office (“ICO”) is the UK supervisory authority for data protection issues. You can contact the ICO:

Information Commissioner’s Office – Wales
2nd Floor, Churchill House
Churchill Way
CF10 2HH

Tel: 0330 414 6421


How we protect your information

We have in place appropriate technical and physical security measures to prevent your personal data from being lost, misused, and used or disclosed in an unauthorised manner. This includes using encryption and authentication tools to keep your data safe and secure.

Where we transfer information to third parties (as explained in the section below), we require that they also put in place appropriate security requirements to keep your personal information safe.

We have also put in place procedures to deal with any suspected personal data breach and will notify you and any relevant regulator of a breach where we are legally required to do so.


Sharing your information with third parties

We do not collect personal information about site users. When you voluntarily submit identifiable data on this website (this includes submission of feedback forms, subscriptions or questionnaires), the information submitted is used solely to respond to your queries and for its intended purpose. We do not share web user information with third parties.


How is your personal data collected?  User Tracking


  • We monitor user activity to enhance content provided on the site. Google Analytics (external website) is a free service provided by Google (external website) that generates detailed statistics about the visitors to a website.
  • Information collected includes referring / exit web pages, click patterns, most / least viewed web pages, session duration, number of visitors, browser type, operating system, etc. Information is collected by using cookies.


Google Analytics


  • This website uses Google Analytics (external website), a web analytics service provided by Google Inc. ('Google'). Google Analytics uses 'cookies' and JavaScript code to help analyse user activity on websites. The information generated about your use of the website (including your IP address) will be transmitted to and stored on Google servers in the United States.
  • Google will use this information to produce user activity reports for this website. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf.
  • Google will not associate your IP address with any other data previously held. You may refuse the use of cookies by selecting the appropriate settings on your browser (see How to Disable Cookies below). Please note that if cookies are disabled, you may not be able to use the full functionality of this website.
  • Read Google's Full Privacy Policy (external website) and Terms of Service (external website) for detailed information.


What are Cookies?

Cookies are small files that websites put on your computer hard disk drive when you visit. Cookies pass information back to websites each time you visit. They are used to uniquely identify web browsers, track user trends and store information about user preferences. You can restrict/disable cookies on your browser; please note that some website features may not function properly without cookies.


How to disable cookies


To change your cookie settings:


Why we collect user statistics

By understanding user behaviour and preferences, we are able to improve our website content to meet user expectations and needs.


External Websites

This privacy notice does not apply to external links; collection of information by such sites is subject to relevant privacy policies. We are not responsible or liable for the privacy practices of external websites and use of such websites is at your discretion.


How we use your personal data and how long we keep it for

We will only use your personal data when the law allows it and only to the extent necessary in order to fulfil the purpose for which we need to collect it. Below we set out these purposes, the lawful basis we rely on in order to do so, and how long we keep your personal information for.


Purpose for which we use your personal data

What type of personal data are we using?

What lawful basis do we rely on to use your personal data?

Surveys and research

Information such as:

  • Name
  • Contact details including email address and mobile number.

To conduct research to gather information in a measured and systematic manner to ensure accuracy and facilitate data analysis

When you ask about our activities

Information such as:

  • Name
  • Contact details, including email address, home address, and telephone
  • Communication preferences
  • Any additional personal information you provide to us when contacting us.

To provide you with information you have requested, and as appropriate by your chosen preferred method of communication.

Informing you of services which may be relevant to you.



Information provided directly by yourself

Information such as:

  • Name
  • Contact details, including email address, home address, and telephone
  • Communication preferences
  • Any additional personal information you provide to us when contacting us.

To provide you with information you have requested, and as appropriate by your chosen preferred method of communication

To handle your enquiry in an efficient manner.


To sign up for publications and newsletters

Information such as:

  • Name
  • Contact details, including email address, home address, and telephone
  • Communication preferences.

Our purpose for collecting the information is so we can provide you with timely and relevant information regarding the services and activities of the NHS Wales Finance Academy.
For the purpose of external communications the lawful basis we rely on for processing your personal data is your consent under article 6(1)(a) of the GDPR.

To deal with your feedback, query or complaint.

  • Name
  • Contact details, including email address, home address, and telephone
  • Any additional personal information you provide to us when contacting us

We rely on our legitimate interests in ensuring we are providing an effective service, and appropriately handling any complaints. Our legitimate interest is the proper handling of any complaints regarding our service.

If you decide to bring a claim against us, we rely on our right to process your information in the context of a legal claim.



Change of Purpose

We will only use your personal data for the purposes for which it was collected, unless we reasonably consider that we need to use it for another reason, and that reason is compatible with the original purpose.

If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so. However, we may process your personal data without your knowledge or consent where this is required or permitted by law.


How long do we keep your details for?

We will only retain your personal information for as long as is necessary for the purpose for which it was collected, including for the purposes of complying with any legal, regulatory, accounting or reporting requirements.

Personal information processed in connection with our legitimate business processes will be retained in accordance with our Retention and Destruction Policy unless we agree otherwise with you, in writing.

If you wish to know more about the criteria which govern how long we keep your personal information for, our Retention and Destruction Policy, or any of our different retention periods, please contact: