To: ‘Women in Wales’ Survey Participants who provided email addresses (included as Bcc recipients)

Dear Madam

I am writing to you by email as you recently took part in a survey entitled ‘Women in Wales’ and provided much needed data to inform the new plan for Women’s Health in Wales. Work on the survey is being undertaken by the NHS Wales Health Collaborative (hosted by Public Health Wales). I am Director of the Collaborative.

During the survey you answered a range of questions and provided your email address to allow us to contact you if we decided to invite you to participate in a focus group to follow up on the survey. In order to analyse the survey data that you and others provided, we shared it with an expert data analyst, working under contract for NHS England, whom we had commissioned to run the survey on our behalf.

The data from you and other survey respondents was provided to the data expert in a single spreadsheet. The intention was that the data would be anonymised, by removing all email addresses from the spreadsheet, before it was transferred to the analyst. Unfortunately, this was not done and your responses were shared, together with your email address, making all of your survey answers identifiable to you. Identifiable data should be sent by a secure method, but because we had not intended to transfer identifiable data, the spreadsheet was sent to the analyst over a public email service, which cannot be guaranteed as being secure.

In summary, we have done two things with your identifiable personal data (your survey responses linked to your email address) that we should not have done:

1. We have sent your identifiable personal data to an analyst outside NHS Wales, with whom we did not have an appropriate data sharing agreement covering such identifiable data, and in a situation where indefinable data did not need to be shared
2. We have sent your identifiable personal data over an email service that is not as secure as is required for this purpose

The analyst who received it is a trusted partner with NHS England and, as soon as the error was identified, he deleted the email addresses from the spreadsheet, thus ensuring that your answers could no longer be linked to you.

I need to advise you to advise you that there is a small possibility that your personal data (your email address, linked to your responses to other survey questions) may have been intercepted at some point between our sending it and the analyst receiving it. If intercepted, that data may now be in the public domain. Whilst I believe that the likelihood of your data having been intercepted is extremely low, I have no way of being certain. The risk is no greater than you face when you use your personal emails addresses every day – most of these services are insecure unless further protection such as encryption is applied by the user. Nevertheless, I am duty bound to advise you of the possibility of your data having escaped into the public domain.

The purpose of me writing to you is to apologise for this situation and to enable you to take any steps you may feel necessary to protect yourself online. I would, however, not suggest that you need to take any steps beyond what would be considered normal good online security and housekeeping. In the main, this means that you should be vigilant for any unusual activity, particularly with regards to any financial affairs you may conduct online and you should always be on your guard against spam emails, particularly any that suggest you follow links and reset passwords etc.

For more detailed advice on how to protect yourself online, can I recommend the following resources:

Information Commissioner's Office (ICO)

National Cyber Security Centre - NCSC.GOV.UK

Action Fraud

I would like to assure you that in the NHS Wales Health Collaborative, and Public Health Wales more widely, we recognise how important your personal information and your privacy is to you and we take our responsibilities in relation to the handling of your personal information extremely seriously. An investigation into this incident has been launched to establish how it happened and we have also referred the matter to the Information Commissioner.

Please accept my apologies for any distress that this may cause. If you would like to discuss the matter further please contact the Data Protection Officer for Public Health Wales at phw.informationgovernance@wales.nhs.uk

At: Cyfranogwyr Arolwg ‘Menywod yng Nghymru’ a ddarparodd gyfeiriadau e-bost (wedi'u cynnwys fel derbynwyr Bcc)

Annwyl Fadam

Rwy'n ysgrifennu atoch drwy e-bost am eich bod wedi cymryd rhan mewn arolwg o'r enw ‘Menywod yng Nghymru’ yn ddiweddar a gwnaethoch roi data sy'n werthfawr iawn i lywio'r cynllun newydd ar gyfer Iechyd Menywod. Mae Cydweithrediaeth Iechyd GIG Cymru eisoes yn gweithio ar yr arolwg (a gynhelir gan Iechyd Cyhoeddus Cymru). Fi yw Cyfarwyddwr y Gydweithrediaeth.

Yn ystod yr arolwg, gwnaethoch ateb amrywiaeth o gwestiynau a rhoi eich cyfeiriad e-bost er mwyn i ni allu cysylltu â chi pe baem yn penderfynu eich gwahodd i gymryd rhan mewn grŵp ffocws i ddilyn hynt yr arolwg. Er mwyn dadansoddi data a roddwyd gennych chi ac eraill yn yr arolwg, gwnaethom eu rhannu â dadansoddwr data arbenigol a oedd yn gweithio dan gontract i NHS England, yr oeddem wedi'i gomisiynu i gynnal yr arolwg ar ein rhan.

Cafodd y data gennych chi ac ymatebwyr eraill yr arolwg eu rhoi i'r arbenigwr data mewn un daenlen. Y bwriad oedd y byddai'r data'n cael eu gwneud yn ddienw, drwy ddileu'r holl gyfeiriadau e-bost o'r daenlen cyn ei rhoi i'r dadansoddwr. Yn anffodus, ni wnaed hyn a chafodd eich ymatebion eu rhannu, ynghyd â'ch cyfeiriad e-bost, gan olygu bod modd eich adnabod o'ch atebion i'r arolwg. Dylid anfon data adnabyddadwy drwy ddull diogel, ond am nad oeddem wedi bwriadu trosglwyddo data adnabyddadwy, cafodd y daenlen ei hanfon at y dadansoddwr drwy wasanaeth e-bost cyhoeddus, na ellir gwarantu ei fod yn ddiogel.

I grynhoi, rydym wedi gwneud dau beth gyda'ch data personol adnabyddadwy (eich ymatebion i'r arolwg a oedd yn gysylltiedig â'ch cyfeiriad e-bost) na ddylem fod wedi'u gwneud:

1. Rydym wedi anfon eich data personol adnabyddadwy at ddadansoddwr y tu allan i GIG Cymru, nad oedd gennym gytundeb rhannu data priodol ag ef i gwmpasu data adnabyddadwy o'r fath, ac mewn sefyllfa lle nad oedd angen rhannu data adnabyddadwy
2. Rydym wedi anfon eich data personol adnabyddadwy drwy wasanaeth e-bost nad yw'n ddiogel fel sy'n ofynnol at y diben hwn

Mae'r dadansoddwr â dderbyniodd y data yn bartner a ymddiriedir ag NHS England a chyn gynted ag y cafodd y gwall ei nodi, aeth ati i ddileu'r cyfeiriadau e-bost o'r daenlen, gan sicrhau na ellid cysylltu eich atebion â chi mwyach.

Mae'n rhaid i mi eich hysbysu bod posibilrwydd bach y gall eich data personol (eich cyfeiriad e-bost, sy'n gysylltiedig â'ch ymatebion i gwestiynau arolygon eraill) fod wedi'u rhyng-gipio ar ryw bwynt rhwng yr adeg y gwnaethom eu hanfon a'r adeg y gwnaeth y dadansoddwr eu derbyn. Os bydd eich data wedi'u rhyng-gipio, gallant fod wedi'u cyhoeddi. Er fy mod yn credu ei bod yn annhebygol iawn fod eich data wedi'u rhyng-gipio, ni allaf fod yn siŵr o hynny. Nid yw'r risg yn fwy na'r risg a wynebwch wrth ddefnyddio eich cyfeiriadau e-bost personol bob dydd – mae'r rhan fwyaf o'r gwasanaethau hyn yn anniogel oni fydd y defnyddiwr yn cymhwyso diogelwch pellach fel engryptio. Er hyn, mae'n ddyletswydd arnaf i'ch hysbysu o'r posibilrwydd bod eich data wedi'u cyhoeddi.

Diben y llythyr hwn yw ymddiheuro am y sefyllfa hon a'ch galluogi i gymryd unrhyw gamau y gall fod eu hangen, yn eich barn chi, i ddiogelu eich hun ar-lein. Fodd bynnag, ni fyddwn yn awgrymu bod angen i chi gymryd unrhyw gamau y tu hwnt i'r hyn a fyddai'n cael ei ystyried yn ddiogelwch ar-lein a chymhennu arferol da. Yn bennaf, mae hyn yn golygu y dylech fod yn wyliadwrus o unrhyw weithgarwch anarferol, yn enwedig mewn perthynas ag unrhyw faterion ariannol y gallech fod yn eu cynnal ar-lein, a dylech bob amser fod yn wyliadwrus o negeseuon e-bost spam, yn enwedig y rhai sy'n awgrymu eich bod yn dilyn dolenni ac yn ailosod cyfrineiriau ac ati.

I gael rhagor o gyngor manwl ar sut i ddiogelu eich hun ar-lein, rwy'n argymell yr adnoddau canlynol:

Swyddfa'r Comisiynydd Gwybodaeth

Y Ganolfan Seiberddiogelwch Genedlaethol - NCSC.GOV.UK

Action Fraud

Hoffwn roi sicrwydd i chi, yng Nghydweithrediaeth Iechyd GIG Cymru, ac yn Iechyd Cyhoeddus Cymru yn ehangach, ein bod yn cydnabod pa mor bwysig yw eich gwybodaeth bersonol a'ch preifatrwydd i ni, a'n bod yn cymryd ein cyfrifoldebau mewn perthynas â thrin eich gwybodaeth bersonol o ddifrif. Mae ymchwiliad i'r digwyddiad hwn wedi'i lansio er mwyn canfod sut y digwyddodd ac rydym hefyd wedi cyfeirio'r mater at y Comisiynydd Gwybodaeth.

Derbyniwch fy ymddiheuriadau am unrhyw ofid y gall hyn ei achosi. Os hoffech drafod y mater ymhellach, cysylltwch â Swyddog Diogelu Data Iechyd Cyhoeddus Cymru ar phw.informationgovernance@wales.nhs.uk