General privacy notice

This is how we collect and use your personal information.

It applies to all the information we collect about you when you come to us for care or treatment.

Parts of this notice also apply to you if you:

  • visit our hospitals or clinics
  • use our digital services
  • apply for a job

Why we collect your personal information

The Care Act 2014 requires us to keep records of your care and treatment that you receive.

We collect your personal information to:

  • provide you with the right care and treatment
  • meet our statutory and regulatory obligations.

Direct care

We need accurate and up-to-date information about you to:

  • give you the best possible care or treatment
  • make decisions, with you, about your care and treatment
  • work safely and effectively

All the data we collect about you, including information about your care, are saved safely and securely in our records.

Your records are available to our clinicians to view when you:

  • are referred to us
  • have an appointment receive care or treatment

Non-direct care

We may use your information to make our services better for everyone through research and planning.

This usage is sometimes referred to as secondary purposes.

Normally when we share or use data for planning or research purposes your personal information is removed (anonymised) so you can not be identified from any information provided.

Your anonymised data helps us to:

  • assess our quality and performance
  • investigate complaints, incidents, or claims
  • collect data about public health, for example by monitoring infectious diseases
  • make best use of NHS funding and other public money
  • audit our accounts
  • train and educate our staff
  • run and manage research and development

Types of information we collect

The type of information we collect from you includes:

Basic information

  • your name
  • date of birth
  • address and postcode

Contact information

  • your telephone number and email address,
  • relevant details about:
  • your next of kin, and other family members
  • carers who look after you

Information about your care

  • treatments and procedures
  • any advice given at referrals
  • outpatient appointments or home visits
  • information about the medicines you’re taking, such as:
  • the type and dose
  • side effects
  • your allergies, or any reactions you may have
  • tests and test results:
  • blood or other tests
  • scans or imaging tests such as x-rays, MRIs, or ultrasound scans

Your feedback about your care and experiences

  • complaints
  • tribunals

Sensitive data

(Sometimes referred to as special category information)

  • your nationality and ethnicity or race
  • your religious or philosophical beliefs
  • your sexual orientation, sex, or gender
  • your physical and mental health
  • genetic data
  • information that can be used to recognise you (biometric data) such as:
  • fingerprints
  • iris patterns
  • the shape of your face or your features
  • criminal offences, cautions, or convictions

How we collect your personal information

We collect information about you if:

  • we see you in clinic, in hospital, or in your own home
  • someone refers you to us (or you refer yourself)
  • you fill in an online or paper form
  • contact us for information
  • you give us feedback
  • use one of our online services (such as our website or online visiting)
  • you apply for a job with us

Lawful processing

We will always process your personal information lawfully and fairly. We are governed by the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR).

Under DPA 2018, we need a legal basis to process (or use) your information.

Using data for direct patient care

We do not always rely on your prior consent to use your information because there are rules in articles six and nine of DPA 2018 that allows us to process your information:

Article 6 (1) (e)

Allows us to use your personal data as it is necessary to perform tasks in the public interest of our official functions, where a task has a clear basis in law.

Article 9 (2) (h)

Allows us to use your sensitive data for the provision of health, social care, or treatment, or the management of health or social care systems and services under the Health and Social Care Act (2015)

Using data for secondary purposes

We need your express permission to collect personal data from you for non-direct healthcare purposes.

Article 6 (1) (a)

Only allows us to process your personal data if you have given explicit consent.

Article 9 (2) (a)

Only allows us to process special category data if you have given explicit consent.

Where we share your information

We may share your information with other healthcare professionals and organisations.

This may include, but is not limited to:

  • Healthcare professionals from other services
  • Your friends, family, or careers including:
    • Anyone with the authority to act as your power of attorney
    • Someone who can give consent on your behalf
  • Other healthcare providers including:
    • Other NHS trusts
    • Your GP
    • Private care providers
    • Emergency services, NHS 111, and ambulance services
    • Clinical commissioning groups (CCGs)
    • Multi agency safeguarding hubs (MASH)
  • Regulatory and safety bodies:
    • Care Quality Commission (CQC)
    • Public Health England (PHE)
    • NHS England
    • Information Commissioner’s Office (ICO)
  • Social services and local authorities
  • Education providers, your school, college, or university
  • Services we contract, including:
    • Translation and interpretation services
    • Legal services
    • Our charity, or charities that support or fund further care
    • Bulk mailing and text message providers

Sharing information with the police

We may also share information with the police and other law enforcement agencies where we need to:

  • protect the public
  • trace a missing person
  • prosecute or help apprehend someone for a crime
  • protect a vulnerable child or adult through safeguarding processes
  • provide information about you following a court order
  • investigate fraud

National data opt-out service

We may share your confidential personal information with clinical research bodies.

Each clinical research body has to get approval from the NHS Health Research Authority’s Confidentiality Advisory Group (CAG) to request and use your information.

If you’re happy for us to share your information, you don’t need to do anything.

However, if you don't want your information to be used for research purposes, you can opt out.

Opting out

To opt-out:

We’ll record your decision in your files, so your information won’t be shared for other purposes unless we’re legally obliged to do so.

You can change your mind at any time.

Cross-border data transfers

We don’t routinely send data out of the UK.

However, if we ever need to transfer your personal data to an organisation based overseas, we will tell you first.

To keep your data safe, we will consider if we can make the transfer without including your personal information.

Calls and video recording

Everyone has the right to access care and treatment without fear of violence or abuse, including our staff.

Call recording

We may record your calls for the purposes of:

  • quality and training
  • the prevention and discovery of crime, including staff abuse.

As per your subject access rights, you’re entitled to a copy of the recordings.

CCTV and body warn cameras

We use CCTV and body warn cameras to prevent and detect crime.

You’ll see signs and posters in the areas we use CCTV.

As per your subject access rights, you’re entitled to request recordings of yourself subject to exemptions.

You are not entitled to data that includes third party information.

Car park management

Our car parks are managed by APCOA.

APCOA will collect information about your vehicle on our behalf. We use this information to improve our car parks, and improve traffic flow through our sites.

Find out about our car parks

How we stay in touch with you

We can stay keep you up-to-date about your care or treatment in various ways:

  • by phone
  • by post
  • by text message
  • by email

You can choose how you’d like to be contacted, and we’ll record your preference. Not all methods will be available for all purposes.

Please keep your contact details up-to-date.

Data protection by design

We carry out data impact assessments (DPIA) when planning new systems and processes that involve:

  • the use of your personal data
  • a change in the way we process your personal data

Email our data protection officer to request copies of our DPIAs.

Information security

Our information security and data protection policies are in place to protect your privacy and confidentiality.

Our networks and digital storage are encrypted to stop unauthorised access, hacks, cracks, and loss.

Access to our systems is restricted to roles who have specific duties and responsibilities to use these systems and we regularly undertake system audits to ensure our controls are fit for purpose.

Any third parties we use to support our services with access to your data, will be defined as a data processor, and are legally and contractually bound to operate in a safe and secure manner.

Data retention

We keep all data in accordance with our health records policy and retention schedule.

These documents conform to the Record Management Code of Practice 2020

Typically, the retention periods are:

  • 20 years from the closure date for health records
  • 8 years from date of death for patients in mental healthcare settings
  • Child records are kept until either their 25th or 26th birthday, depending on their age at the end of their treatment

Data subject rights

Under the Data Protection Act 2018 you have a range of legal rights.

They are: 

A right to be informed

You have the right to be provided with information about the way your data is handled in a way that is easy to use and understand. 

You have the right to be informed about a data breach which is likely to result in a high risk to your rights and privacy.

The right to access your information

You have a right to access information held about you.

This is known as a Subject Access Request (SAR).

Subject access requests are free, but if your request is large or complex we have the right to charge an administration fee.

Find out how to access your medical records

The right to be forgotten

You have a right to request the erasure of your personal data if:

  • personal data is no longer needed and has reached the end of its retention period
  • there are no legitimate reasons for us to keep the data
  • the personal data has been unlawfully processed.
  • you withdraw your consent for the processing of your data

The right to rectification

You have a right to request, without any undue delay, to change, correct, or update any data we hold about you.

We have a month (30 days) from the date we receive your request to make any changes.

The right to restrict processing

You have a right to temporarily restrict the way we use your data, where the accuracy of the data is questioned.

This means that we will only store your data while considering a request under your rights to object, rectify or erasure your data.

The right to object

You have a right to object to how your data is used for different purposes, including direct marketing.

This right applies to all processing involving scientific, historical research or statistical purposes (although processing may still be carried out for reasons of public interest.)

The right to portability

You have a right to request that a copy of your data can be moved from one organisation to another organisation acting as a data controller.

This right only applies where your consent is required or where there is a contractual reason to do so. The transfer must be technically possible through an automated process.

The right to not be subject to automated decision making

We do not make decisions based solely on automated processing or profiling.

Complaints and concerns about your information

If you have any concerns or complaints about the way your data is used, speak to our data protection officer.

The data protection officer deals with:

  • Any queries about information and information governance
  • Investigations received from the Information Commissioner’s Office (ICO).

You can email our data protection officer at

For all other complaints and concerns, tell us about your care.

Information Commissioner’s Office (ICO)

If you’re not happy with our response to your complaint about the way we deal with your data, you can contact the ICO.

The ICO oversees all data protection matters in the UK.

You can contact the ICO via their website.

Our data protection registration

For the purposes of our privacy notice, we’re registered as a data controller. Our registration number is ZA083643.

View our registration on the ICO’s website.

Changes to this privacy notice

This notice was last updated 24 April 2021