Privacy Policy

Outdated browser detected

You are currently using an outdated browser. Although this site will work on IE11 it will not provide the best usability experience. We recommend using a modern browser such as the latest version of Chrome, Edge or FireFox. If you don't have this on your machine, please contact your IT department and ask them to install it for you.

Health Education and Improvement Wales (HEIW) privacy notice for Orbit360

NHS Wales is made up of several health organisations that include Health Education and Improvement Wales (HEIW) who have a leading role in the education, training, development, and shaping of the healthcare workforce in Wales, in order to ensure high-quality care for the people of Wales.

HEIW key functions include:

  • Working closely with partners and key stakeholders, and planning ahead to ensure the health and care workforce meets the needs of the NHS and people of Wales, now and in the future;
  • Being a reputable source of information and intelligence on the Welsh health and care workforce;
  • Commissioning, designing, and delivering high quality, value for money education and training, in line with standards;
  • Using education, training, and development to encourage and facilitate career progression;
  • Supporting education, training, and service regulation by playing a key role in representing Wales, and working closely with regulators;
  • Developing the healthcare leaders of today and the future;
  • Providing opportunities for the health and care workforce to develop new skills;
  • Promoting health and care careers in Wales, and Wales as a place to live;
  • Supporting the professional workforce and organisation development profession with Wales; and
  • Continuously improving what we do and how we do it.

If you have any questions regarding how your information is used you must contact the person shown at the bottom of this notice.

What is Orbit360?

Orbit360 is a patient and colleague feedback system that will be available to all doctors with a prescribed connection to a designated body in Wales. Licensed doctors must complete a verified feedback exercise at least once per revalidation cycle in order to satisfy the requirements of revalidation.

Orbit360 has been developed by the Revalidation Support Unit (RSU) and HEIW Digital Team.

Your rights

This privacy notice is intended to provide transparency and accountability regarding what personal data, via Orbit360, Health Education and Improvement Wales (HEIW) will collect about you, how it will be processed and stored, how long it will be retained, who will have access to your data and your rights.

The information we give you about our use of your information will be:

  • Brief, easy to read and easily accessible;
  • Written in clear, plain language; and
  • Free of charge.

What personal data is collected?

Personal data is information from which an individual can be identified either directly or indirectly when the information is read in conjunction with other data that a data controller holds.

The only data items collected are as follows:

  • Email
  • First name
  • Last name
  • Designated Body
  • GMC Number
  • Primary/secondary specialties
  • Revalidation Date

What laws do we use?

The law determines how we can use information. The laws we follow that allow us to use identifiable information are listed below:

  • General Data Protection Regulation
  • UK Data Protection Bill
  • Human Rights Act
  • Freedom of Information Act
  • Common Law Duty of Confidence - Confidentiality
  • Computer Misuse Act
  • Audit Commission Act
  • Regulation of Investigatory Powers Act

Health Education and Improvement Wales (HEIW) is the organisation that administrates the processes that involves the collection of specific data through the work of many areas including Orbit 360. HEIW is the holder and user of your information for these processes.

Why your personal data is collected

Your personal data is collected as part of the core service to users of our patient and colleague feedback system. HEIW provides this service to support licensed doctors to complete a verified feedback exercise at least once per revalidation cycle to comply with legal and regulatory responsibilities. Further information can be found on the GMC website.

HEIW’s legal basis for the processing of personal data for these purposes is our legitimate business interests, described in more detail above, although we will also rely on contract, legal obligation and consent for specific uses of data where applicable.

We will rely on legal obligation if we are required to hold information on you to fulfil our legal obligations.

We will in some circumstances rely on consent for particular uses of your data and you will be asked for your express consent, if legally required.

How your personal data is collected

Personal data is collected from the point of registration on Orbit360.


How your personal data is kept secure

Access to your personal data is restricted to the authorised team within HEIW that support and manage the Orbit360 system. Access is also granted on a limited basis to users with specific authorised roles such as the Online Applications Developer (HEIW) or Revalidation Teams in Designated Bodies, but only where necessary for a specified and legitimate purpose that has been assessed for fairness and legal processing.

Patient Feedback responses – Paper feedback forms will be retained for up to 14 days before they are disposed of via confidential waste. Electronic copies of these patient feedback forms will be retained securely for a period of 12 months.

Your personal data on Orbit360 and paper surveys will be retained in accordance with the HEIW Information and Data Governance Policies including Confidentiality guidelines, Records Management and Data Quality.

How and why your personal data may be shared

Staff members employed by HEIW with specific authorised roles will have access to data entered into Orbit360 as appropriate.

Your personal data may be shared with HEIW Staff (only those who support and manage Orbit360) for legitimate purposes only.


Aggregated, anonymised reports may be produced within HEIW to provide a comparative analysis. At no point will any individuals be identified in these reports.

HEIW will not transfer your data to a third party unless it for the following:

  1. That there is a fair and lawful basis to share your personal data with the third party (this is accessed for fair and legal purposes at every eventuality).
  2. The data will be handled by the third party in accordance with their own arrangements on Data Protection legislation and will only be shared if they demonstrate their own compliance with the law.

Where the data is used for analysis and publication by a recipient or third party, any publication will be on an anonymous and aggregated basis, and will not make it possible to identify any individual. This will mean that the data ceases to become personal data.

Third parties may include the following:

  • UK health departments,
  • Colleges/Faculties,
  • other Deaneries,
  • the GMC,
  • NHS Trusts/Health Boards/Health and Social Care Trusts and
  • approved academic researchers.

Security of your information

HEIW takes responsibility to look after your personal information very seriously. This is regardless of whether it is electronic or in paper form.

We also employ someone who is responsible for managing information and its confidentiality to ensure:

  • your information is protected; and
  • inform you how it will be used.

All staff are required to undertake training on a regular basis. Comprehensive training is required to help protect the information that has been given, used, processed by HEIW.

The training makes sure that all staff working in HEIW (including the wider NHS), are aware of their responsibilities about the handling of your information regardless of the department that they work in.

Your rights and responsibilities

It is important that you work with us to ensure that the information we hold about you is accurate and up to date.

All communications from Orbit360 will normally be by email. It is therefore essential for you to maintain an effective and secure email address or you may not receive important notifications.

Where identifiable and relevant, HEIW will make sure that you are able to have access to your information. This is so that you know what we hold.

You have the right:

  • To know about details of how your information is used; and
  • Have copies of your information.

Legitimate interest

HEIW and all of its services have a “legitimate interest” in continuing to process personal data where:

  1. there is a real business interest being pursued in continuing to process the personal data;
  2. the processing is absolutely necessary in order for the business to pursue that interest (i.e. the interest cannot be pursued in another way which is proportionate); and
  3. the processing is balanced against the impact such processing will have on the fundamental rights and freedoms of data subjects.

It is important that you understand who is responsible for keeping your data safe. We collect your personal data with your express consent for purposes set out in this Privacy Notice.

The lawful basis for processing are set out in the GDPR Article 6.

For more information about Article 6, please refer to the PrivazyPlan website.

If you have any concerns in relation to how your personal data is processed, please contact the Orbit360 team, contact details in the further information section below.

Should you wish to learn further information about legislation relating to confidentiality, please visit the Information Commissioner's Office (ICO) website. The ICO deals with complaints about how data controllers have dealt with information matters and provides useful guidance.

Making a complaint

If you wish to make a complaint about any issues you have experienced regarding your information, then please contact:

Dafydd Bebb
Ysgrifennydd y Bwrdd/Board Secretary
Addysg a Gwella Iechyd Cymru/Health Education and Improvement Wales
Ffôn/Tel: 079 7130 0537

If you are still unsatisfied following your complaint and this remains unresolved, you have the right to make a complaint to the:

Information Commissioner’s Office,
2nd Floor,
Churchill House,
17 Churchill Way,
Cardiff, CF10 2HH


Further information

For more information relating to this privacy notice or questions on the content, please contact:

Addysg a Gwella Iechyd Cymru (AaGIC) / Health Education and Improvement Wales (HEIW)