General privacy notice
This is how we collect and use your personal information.
It applies to all the information we collect about you when you come to us for care or treatment.
Parts of this notice also apply to you if you:
- visit our hospitals or clinics
- use our digital services
- apply for a job
Why we collect your personal information
The Care Act 2014 requires us to keep records of your care and treatment that you receive.
We collect your personal information to:
- provide you with the right care and treatment
- meet our statutory and regulatory obligations.
We need accurate and up-to-date information about you to:
- give you the best possible care or treatment
- make decisions, with you, about your care and treatment
- work safely and effectively
All the data we collect about you, including information about your care, are saved safely and securely in our records.
Your records are available to our clinicians to view when you:
- are referred to us
- have an appointment receive care or treatment
We may use your information to make our services better for everyone through research and planning.
This usage is sometimes referred to as secondary purposes.
Normally when we share or use data for planning or research purposes your personal information is removed (anonymised) so you can not be identified from any information provided.
Your anonymised data helps us to:
- assess our quality and performance
- investigate complaints, incidents, or claims
- collect data about public health, for example by monitoring infectious diseases
- make best use of NHS funding and other public money
- audit our accounts
- train and educate our staff
- run and manage research and development
Types of information we collect
The type of information we collect from you includes:
- your name
- date of birth
- address and postcode
- your telephone number and email address,
- relevant details about:
- your next of kin, and other family members
- carers who look after you
Information about your care
- treatments and procedures
- any advice given at referrals
- outpatient appointments or home visits
- information about the medicines you’re taking, such as:
- the type and dose
- side effects
- your allergies, or any reactions you may have
- tests and test results:
- blood or other tests
- scans or imaging tests such as x-rays, MRIs, or ultrasound scans
Your feedback about your care and experiences
(Sometimes referred to as special category information)
- your nationality and ethnicity or race
- your religious or philosophical beliefs
- your sexual orientation, sex, or gender
- your physical and mental health
- genetic data
- information that can be used to recognise you (biometric data) such as:
- iris patterns
- the shape of your face or your features
- criminal offences, cautions, or convictions
How we collect your personal information
We collect information about you if:
- we see you in clinic, in hospital, or in your own home
- someone refers you to us (or you refer yourself)
- you fill in an online or paper form
- contact us for information
- you give us feedback
- use one of our online services (such as our website or online visiting)
- you apply for a job with us
We will always process your personal information lawfully and fairly. We are governed by the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR).
Under DPA 2018, we need a legal basis to process (or use) your information.
Using data for direct patient care
We do not always rely on your prior consent to use your information because there are rules in articles six and nine of DPA 2018 that allows us to process your information:
Article 6 (1) (e)
Allows us to use your personal data as it is necessary to perform tasks in the public interest of our official functions, where a task has a clear basis in law.
Article 9 (2) (h)
Allows us to use your sensitive data for the provision of health, social care, or treatment, or the management of health or social care systems and services under the Health and Social Care Act (2015)
Using data for secondary purposes
We need your express permission to collect personal data from you for non-direct healthcare purposes.
Article 6 (1) (a)
Only allows us to process your personal data if you have given explicit consent.
Article 9 (2) (a)
Only allows us to process special category data if you have given explicit consent.
Where we share your information
We may share your information with other healthcare professionals and organisations.
This may include, but is not limited to:
We may share your information with other healthcare professionals and organisations.
This may include, but is not limited to:
- Healthcare professionals from other services
- Your friends, family, or careers including:
- Anyone with the authority to act as your power of attorney
- Someone who can give consent on your behalf
- Other healthcare providers including:
- Other NHS trusts
- Your GP
- Private care providers
- Emergency services, NHS 111, and ambulance services
- Clinical commissioning groups (CCGs)
- Multi agency safeguarding hubs (MASH)
- Regulatory and safety bodies:
- Care Quality Commission (CQC)
- Public Health England (PHE)
- NHS England
- Information Commissioner’s Office (ICO)
- Social services and local authorities
- Education providers, your school, college, or university
- Services we contract, including:
- Translation and interpretation services
- Legal services
- Our charity, or charities that support or fund further care
- Bulk mailing and text message providers
Sharing information with the police
We may also share information with the police and other law enforcement agencies where we need to:
- protect the public
- trace a missing person
- prosecute or help apprehend someone for a crime
- protect a vulnerable child or adult through safeguarding processes
- provide information about you following a court order
- investigate fraud
National data opt-out service
We may share your confidential personal information with clinical research bodies.
Each clinical research body has to get approval from the NHS Health Research Authority’s Confidentiality Advisory Group (CAG) to request and use your information.
If you’re happy for us to share your information, you don’t need to do anything.
However, if you don't want your information to be used for research purposes, you can opt out.
- visit nhs.uk
- call 0300 303 5678
We’ll record your decision in your files so your information won’t be shared for other purposes unless we’re legally obliged to do so.
You can change your mind at any time.
Cross-border data transfers
We don’t routinely send data out of the UK.
However, if we ever need to transfer your personal data to an organisation based overseas, we will tell you first.
To keep your data safe, we will consider if we can make the transfer without including your personal information.
Calls and video recording
Everyone has the right to access care and treatment without fear of violence or abuse, including our staff.
We may record your calls for the purposes of:
- quality and training
- the prevention and discovery of crime, including staff abuse.
As per your subject access rights, you’re entitled to a copy of the recordings.
CCTV and body warn cameras
We use CCTV and body warn cameras to prevent and detect crime.
You’ll see signs and posters in the areas we use CCTV.
As per your subject access rights, you’re entitled to request recordings of yourself subject to exemptions.
You are not entitled to data that includes third party information.
Car park management
Our car parks are managed by APCOA.
APCOA will collect information about your vehicle on our behalf. We use this information to improve our car parks, and improve traffic flow through our sites.
How we stay in touch with you
We can stay keep you up-to-date about your care or treatment in various ways:
- by phone
- by post
- by text message
- by email
You can choose how you’d like to be contacted, and we’ll record your preference. Not all methods will be available for all purposes.
Please keep your contact details up-to-date.
Data protection by design
We carry out data impact assessments (DPIA) when planning new systems and processes that involve:
- the use of your personal data
- a change in the way we process your personal data
Email our data protection officer to request copies of our DPIAs.
Our information security and data protection policies are in place to protect your privacy and confidentiality.
Our networks and digital storage are encrypted to stop unauthorised access, hacks, cracks, and loss.
Access to our systems is restricted to roles who have specific duties and responsibilities to use these systems and we regularly undertake system audits to ensure our controls are fit for purpose.
Any third parties we use to support our services with access to your data, will be defined as a data processor, and are legally and contractually bound to operate in a safe and secure manner.
We keep all data in accordance with our health records policy and retention schedule.
These documents conform to the Record Management Code of Practice 2020
Typically, the retention periods are:
- 20 years from the closure date for health records
- 8 years from date of death for patients in mental healthcare settings
- Child records are kept until either their 25th or 26th birthday, depending on their age at the end of their treatment
Data subject rights
Under the Data Protection Act 2018 you have a range of legal rights.
A right to be informed
You have the right to be provided with information about the way your data is handled in a way that is easy to use and understand.
You have the right to be informed about a data breach which is likely to result in a high risk to your rights and privacy.
The right to access your information
You have a right to access information held about you.
This is known as a Subject Access Request (SAR).
Subject access requests are free, but if your request is large or complex we have the right to charge an administration fee.
Find out how to access your medical records
The right to be forgotten
You have a right to request the erasure of your personal data if:
- personal data is no longer needed and has reached the end of its retention period
- there are no legitimate reasons for us to keep the data
- the personal data has been unlawfully processed.
- you withdraw your consent for the processing of your data
The right to rectification
You have a right to request, without any undue delay, to change, correct, or update any data we hold about you.
We have a month (30 days) from the date we receive your request to make any changes.
The right to restrict processing
You have a right to temporarily restrict the way we use your data, where the accuracy of the data is questioned.
This means that we will only store your data while considering a request under your rights to object, rectify or erasure your data.
The right to object
You have a right to object to how your data is used for different purposes, including direct marketing.
This right applies to all processing involving scientific, historical research or statistical purposes (although processing may still be carried out for reasons of public interest.)
The right to portability
You have a right to request that a copy of your data can be moved from one organisation to another organisation acting as a data controller.
This right only applies where your consent is required or where there is a contractual reason to do so. The transfer must be technically possible through an automated process.
The right to not be subject to automated decision making
We do not make decisions based solely on automated processing or profiling.
Complaints and concerns about your information
If you have any concerns or complaints about the way your data is used, speak to our data protection officer.
The data protection officer deals with:
- Any queries about information and information governance
- Investigations received from the Information Commissioner’s Office (ICO).
You can email our data protection officer at firstname.lastname@example.org.
For all other complaints and concerns, tell us about your care.
Information Commissioner’s Office (ICO)
If you’re not happy with our response to your complaint about the way we deal with your data, you can contact the ICO.
The ICO oversees all data protection matters in the UK.
Our data protection registration
For the purposes of our privacy notice, we’re registered as a data controller. Our registration number is ZA083643.
NHS Digital is responsible for ensuring patient data is protected and handled securely.
Find out how NHS Digital works to keep patient data safe
Changes to this privacy notice
This notice was last updated 24 April 2021