Skip to main content

Information governance

What is information governance?

Information Governance is a framework that brings together legal, ethical and quality standards that applies to the handling of information; it applies to all types of information. For Health Education and Improvement Wales (HEIW) in particular, personal information of delegates, trainees, learners, service users and employees. This is known as Personally Identifiable Information (PII).

Information Governance sits alongside Corporate Governance and focuses on ensuring that information is handled in a confidential and secure manner.

In the educational context it is also very much about supporting the administration and provision of high quality services to ensure that the right information is available to the right people, when and where it is needed.

Information Governance is supported by specific policies and procedures to provide assurance to those that contact HEIW that security and use of information is managed within these principles.

To find out more or to discuss any concerns in relation to Information Governance please contact:

Kelly James
Information Governance Manager

Privacy policy for consultations and surveys

Freedom of information

The Freedom of Information Act 2000 (FOIA) came into force as of the 1 January 2005, it reflects a national policy shift in public administration from a culture of confidentiality to one of openness and accountability.  The legislation entitles the public, the general right of access to information that is held by any public authority such as Health Education and Improvement Wales (HEIW), subject to certain limited exemptions.

If you would like to make a request for information, then please do so either:


Phone: 03300 585 005

Or in writing to:

Freedom of Information Office
Health Education and Improvement Wales
Tŷ Dysgu
Cefn Coed
CF15 7QQ

You have the right to request the format of the information required.

FOI documents:

Data protection rights

Every individual has certain rights in relation to their own personal data and their privacy, and in relation to the information we keep about you.

Personal data is any information related to a living person, that could be used to directly or indirectly identify that person. A data subject is the living person that the personal data is about.

Right of access (subject access requests) 

You have the right to access personal data we hold about you. This is called a subject access request. This could be electronic information in emails or databases, or paper information in files, records or archives. You can only access your own personal data. If data about other people is included within your files then it is likely that we may not provide you with this information. 

Right to erasure, right to rectification, and right to restriction 

Everyone has the right to request that we delete, correct or limit part or all of the personal information that we hold about you. 

Where we are using your personal data based on a legal power or an official authority that we have, we will only agree to do this if:

  • it is certain that the personal data we hold about you is incorrect; or
  • we no longer require your personal data for the purpose that it was collected.

In most cases we will keep a record of your request along with the rest of your information.

Every situation is different and we make decisions in response to these requests on a case-by-case basis. We take into account anything that may be relevant, to decide whether we will take action. 

Right to objection (right to object to automated decision making)

When we have used any ‘automated decision making’ software (that is, if a computer has made a decision about you without human involvement) then you have a right to ask for a human being to check the decision.

We will always tell you when we do use automated decision making and provide you with details about how you are able to appeal.

Making a data protection request

You can request a copy of the information we hold about you.

You can send your request to the Information Governance Team via email to, or post.

You will also need to send copies of documents that prove your identity and address, so that we can be certain that only you have access to your personal data.

We have up to 30 calendar days to respond to your request.

If your request is complex or very large, we may need a further 60 calendar days to deal with your request. We will write to you and let you know if this is the case.

If you are unhappy with your response, you may ask for an internal review.

Please contact: 
Information Governance Manager at