Life Sciences Hub Wales (LSHW) is strongly committed to protecting personal data. This Privacy Notice explains the following:

  • Who we are
  • What information we collect
  • How we collect your information, why we need it and how we use it
  • What legal basis we have for processing your personal data
  • When do we share personal data
  • Where do we store and process personal data
  • How we secure personal data
  • How long we keep personal data for
  • Your rights in relation to personal data including your rights to withdraw consent
  • The use of automated decision making and profiling 
  • How to contact us including how to make a complaint with a supervisory authority
  • The use of cookies and other technology
  • Links to other websites and third-party contact
  • How and when we review our privacy notice

We recommend you read this privacy notice thoroughly. Please contact us with any questions or concerns regarding our privacy practices. Our contact details are on our website and also contained within this Privacy Notice.

Who we are

LSHW is a Limited Company (08719645) which is wholly owned by the Welsh Government. We act as both a Data Controller and Data Processor in the following circumstances:

  • Data Controller - data collected to enable us to conduct normal business as Life Sciences Hub Wales
  • Data Processor - data collected as part of the Accelerate Programme where the Welsh European Funding Office (WEFO) is designated as the Data Controller

Our Data Protection Officer is the Programme and Compliance Manager Mr Ian Bevan who may be contacted either by telephone, email or in writing.

3 Assembly Square, Cardiff Bay, CF10 4PL

02920 467 030

What information do we collect?

When we talk about personal information, we are only referring to information from which an individual person can be identified. 

Our engagement activities across Wales, the UK and internationally, are fundamental to our success. We collect and process information with key strategic partners across the health and care sector, the life sciences industry, academia, professional services and other funded initiatives and projects. This includes the following categories of information:

  • Identify data which includes your name, date of birth, passport number, photo driving license number, business interests and gender.
  • Financial data including billing address, account details, bank account holder details and bank card details.
  • Contact information (email address, telephone number)

To put this in to context, it includes personal information collected as a result of:

  • Data held for delivery of the Accelerate Programme
  • Data held for delivery of the Digital Health Ecosystem Wales Programme
  • Data submitted as part of the Bid Development Programme
  • If you contact us
  • If you attend an event organised by us either externally or at our venue
  • If you are a stakeholder or a member of a special interest group
  • If you apply for a job with us
  • If you supply goods or services to us
  • If you book an event or meeting at Life Sciences Hub Wales
  • If you have entered in to an agreement to utilise office space at Life Sciences Hub Wales
  • All forms of communication with us, including e-mail, verbal and telephone communication

How we collect your information, why we need it and how we use it

When you contact us regarding the work we do, we will handle your data with the utmost care and are sensitive to the need to handle all data lawfully, fairly and transparently.

The methodology of collection varies but includes and is not exclusive to:

  • Information gathered from e-mail or written contact
  • Information gathered from telephone contact
  • Information gathered verbally or in writing at or in relation to events held by Life Sciences Hub Wales or others; and
  • Information gathered in support of special interest groups, programmes and projects.
  • Information gathered via social media e.g. twitter and Linkedin
  • Information supplied by third parties, e.g. Companies House, Credit Safe as part of our due diligence checks

Sponsored business support by LSHW entails the collection and retention of Accelerate partners’ information.  The requirement to retain such data is governed under contractual arrangements from Welsh Government and WEFO.  In these circumstances we act as the processors for the information, we will only use the information as instructed by the parties. 

You should also be aware of our responsibilities under Freedom of Information legislation, our remit to provide information to meet internal and external audit requirements and our legal obligations (e.g. fraud prevention).

Use of Automated decision making and Profiling 

As part of its day to day business activity, LSHW utilises computer automated decision making and profiling to meet its legal obligations.  This includes such checks are required by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“New Regulations”). Consent will always be obtained from you prior to these checks being conducted.

LSHW does not conduct marketing profiling.

Use of cookies and other technologies

This Notice lays out how and why we use cookies on the LSHW site and offers resources that will allow you to make an informed decision regarding the acceptance, rejection or deletion of any cookies that we use.

By using our website, you consent to our use of cookies, so we recommend that you read through the information below. This cookies policy may change at any time, so please check it regularly.

A cookie is a small file of letters and numbers which often includes an anonymised, unique identifier. This means that it can be used to identify you without revealing your personal information. When you visit a website, it asks permission to store a cookie in the cookies section of your hard drive. Cookies are widely used on the internet to make websites work, to make them work more efficiently, or to provide information about your usage of the site to the site owner or other third parties. For example, if you add items to a shopping basket, a cookie allows the website to remember what items you’re buying, or if you log in to a website, a cookie may recognise you later on so that you do not have to put in your password again.

How do we use cookies?

We use cookies to improve the way our website works. We also use third-party cookies set by Google Analytics to review our site functionality, and by Google AdWords to improve our online marketing efforts.

Third-party cookies

A third-party cookie is one that is associated with a different domain or website than the one that you visit. For example, on this site, we use third-party cookies built by Google to enable website analytics, but as our site is not on the Google domain, this makes their cookies “third-party” cookies. The Google Analytics cookie will recognise and count the number of people who visit our site, as well as providing other information such as how long visitors stay, where they move to on our site, and what pages receive the most visits. We cannot directly control how Google cookies behave.

What legal basis we have for processing your personal data

As part of our normal business we collect specific data for contractual and legitimate interest to provide you with the appropriate support. 

We will use the personal information we collect for the following purposes:

  • To reply to any general enquiry you make and to provide you with information regarding the services we provide
  • To deliver on any of our programmes and other services we offer.
  • To make a payment to you including a transfer of funds on completion of a transaction on which you have provided services to u
  • To manage our relationship with you.
  • To comply with our legal and regulatory obligations.
  • To undertake credit checks and any checks we deem necessary to confirm your identity.
  • To deal with any client feedback or complaint you may make.
  • To administer, develop and improve our business.
  • To protect our business e.g. should it be necessary to commence debt recovery actions or defend any legal claim.
  • To make suggestions and recommendation to you about the services we undertake and which may be of interest to you.
  • To invite you to any hospitality or networking events we may hold or of which we may be a party and which may be of interest to you.
  • To facilitate an introduction of a partner to a business connection where the partner requires the services of the relevant business connection.

We must have a lawful reason for processing your personal information. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to deliver the programme or perform the contract for services we are about to enter into or have entered into with you
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
  • Where we need to comply with a legal or regulatory obligation
  • Where you have given your consent to process your personal information

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to obtain an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

When do we share personal data

Disclosure of information for legal or regulatory purposes

We may need to disclose your information to a third party as part of ongoing programme management and audit requirements.

Additionally, as part of our remit to conduct due diligence we may also need to release information to progress governance checks for specific requirements, programmes, other parties (or projects. We will carry out this process lawfully, proportionately and securely.

Third parties include:

  • External advisors and consultants directly engaged with programme/project delivery (please note that all advisors/consultants are bound by confidentiality requirements in their contracts);
  • The Welsh European Funding Office and the European Commission;
  • Welsh Government; and
  • Organisations who provide funding and/or support for innovation
  • Our professional advisers e.g. lawyers, bankers, accountants>
  • hird party service providers who provide administrative and support services to us
  • HMRC

We will ensure that if information is required to be shared, then it will be shared securely, and you will be informed that we have shared it, who we have shared it with and how we shared it.

Where do we store and process personal data?

LSHW data is stored within Microsoft 365, Mailchimp, Cloudbooking, Xero financial support tool and Wrike project management software all which adheres to the European Union directive on the storage of data within a member state of the EEA.

The database system used for the Accelerate programme is Smartsheet.  Smartsheet is based in the United States therefore the data you provide will be transferred out of the European Union. Electronic information is held in a secure, dedicated Accelerate database that meets EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. View the Smartsheet privacy policy.

Huddle is utilised within LSHW as a document storage system for the ACCELERATE program with access to the system for personnel seconded to the Program.  Huddle is fully DPA 2018 compliant. View the Huddle privacy policy.

The Mailchimp system is used for recording the contact details of LSHW partners, it is fully DPA 2018 compliant. The Mailchimp privacy policy.

Cloudbooking is used to book rooms for use by partners and clients externally through the internet, it is fully DPA 2018 compliant. The Cloudbooking privacy policy.

Xero financial system is used to pay suppliers and customers and is fully DPA 2018 compliant. The Xero privacy policy.

Wrike Project Management system is used to project manage our programmes and projects, it is fully DPA 2018 complaint. The Wrike privacy policy.

Microsoft 365 is used to store information for normal business functionality, access is on a need to know basis, Microsoft 365 is fully DPA 2018 compliant. Then Microsoft 365 privacy policy.

How do we secure personal data?

We have in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised manner or otherwise used or disclosed.

To achieve this, we use encrypted secure technology to protect all personal information stored by us. We operate up to date and regularly review policies for Data Protection, Password Policy, Information Security and Business Continuity (including Risk Assessment) to support our business processes and to ensure that all personnel are aware of the importance of data security.

Access to information is permitted on a need to know basis.

How long do we keep your personal data for?

We only keep and process data for as long as there is a contractual business requirement to do so or we are otherwise obliged to keep the same under any regulatory or legal requirement. Once the requirement has expired, the information is deleted from our systems.

Information which is deleted is done so in accordance with current security regulations.

Keeping us up to date

As part of our responsibility to ensure that information we hold about you is up to date, we rely on you to keep us updated. We request that where any of your details change, that you inform us so that we may update out records accordingly

Your rights in relation to personal data including your rights to withdraw consent

As a data subject, you have rights in relation to your Personal data. You have a right to access your personal information, to object to the processing of your personal information, to rectify, to erase, to restrict and to transport your personal information.

You also have the right to make a Subject Access Request. As part of this process you will be able to ascertain

  • Whether or not your data is processed, and if so why.
  • The categories of personal data concerned.
  • The source of the data if you have not provided the original data.
  • To whom your data may be disclosed, including outside the EEA and the safeguards that apply to such transfers.

We reserve the right to validate your identity prior to release of information.

We will not make any charges for such requests, unless the requests made repeatedly and are considered excessive.  We will respond to you request within 28 days.

We provide a form for you to fill in which we use to ensure that your rights are addressed in full.

If you have provided consent to LSHW to process any of your data, then you also have a right to withdraw that consent unless we are contractually or legally obligated to retain data. Withdrawal of consent will also result in withdrawal of support from the LSHW services or programme(s) to which you are signed up to. In cases where we do not need to retain data for contractual or legal reasons, we will delete the data as soon as possible and at the very least within 28 days.

Links to other websites and third party contact

LSHW does link to external sites and resources as part of our normal business activity. This includes news stories and links to other websites as part of the information being shared on our website (e.g. stories about health products backed by supporting factual information from Welsh Government). Use of those links may allow third parties to collect or share your personal information. As we have no control over how such third parties may collect and share your information we do not take any responsibility for their use of your information.

How to contact us, including how to make a complaint with a supervisory authority

You can contact the Life Sciences Hub Wales via a number of different routes. We will deal with your enquiry in the same way regardless of how you choose to contact us. For further information on how LSHW process your data, please contact us in writing at:

Life Sciences Hub Wales

3 Assembly Square

Cardiff, CF10 4PL


or via e-mail to

If you are unhappy with the way in which your personal data has been processed and wish to raise a complaint.  Please do so by one of the methods described above.  We will handle your complaint sensitively, and confidentially and will write to you with a response within 10 working days. A copy of our complaint policy is here.

If you are dissatisfied, you have the right to communicate directly to the Information Commissioner (ICO). The Information Commissioner can be contacted at:

Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF


We would appreciate if you would let us try and resolve the matter first before referring it to the ICO.


Review of the Privacy Notice

We regularly review all of our policies and procedures, we will post updates on our documentation and webpage, this Privacy Notice was last reviewed and amended on 12 December 2018.