Information for patients

This notice tells you:

• why we need to process your personal data
• who we may share your personal data with and why
• the laws under which we process your personal data
• when we may ask for your consent
• what personal data we process about you
• how long your care records are kept for
• how to keep your information up to date
• what to do if you don’t want your information used for research or planning purposes (NHS National Data Opt Out)
• your rights over your personal data
• how we protect your personal data
• how to complain

What is ‘personal data’?

Information that identifies you is called your ‘personal data’. This includes data that directly identifies you (such as your name or a unique identifier) or any number of indirect data items that when combined could enable you to be identified.

Why do you need to process my personal information?

We collect, hold and share patient information for a number of different reasons. The main reason we process information about you is to provide you with care and treatment. We also process information for research, to help us plan and improve local services, for clinical audits, for outcome reporting and other mandatory purposes. We always use the minimum personal data needed and anonymise data where personal data is not required for the purpose.

Who do you share my personal data with and why?


My Care Record

The Trust is part of My Care Record. My Care Record operates across the East of England, enabling health and care professionals who are involved in your care to access information about you. This helps to improve your care by enabling more coordinated care, quicker diagnoses and treatment, fewer unnecessary clinical tests, less paperwork and less repetition. This gives clinicians more time to spend delivering patient care.

If you have any questions or concerns about My Care Record, please speak to your clinician in the first instance.

Who else do you share my information with and why?

We may share your information with other organisations we work with to deliver your healthcare services. We will tell you if we are making a referral to one of our approved contracted providers. 

We share patient information for mandatory NHS reporting purposes, where we have a legal obligation to do so or where there is a substantial public interest, for example, to protect public health.

We must have a lawful basis to process your personal information.

The laws under which we process your personal data

The main laws governing the protection of personal data are the UK GDPR and the Data Protection Act 2018. Under these laws, the Trust is a Data Controller where our staff determine the purpose(s) of processing.

To process your personal information, we must have a lawful basis under Article 6 of the UK GDPR and, for special category data, a lawful basis under Article 9 of the UK GDPR.  Some Article 9 lawful bases must also meet a condition for processing under Schedule 1 of the Data Protection Act 2018. Most of the personal data we process about NHS patients relies on Article 6(e) ‘Public task’ as the lawful basis, and for special category data, we mostly use Article 9(2)(h) ‘Health and social care (with a basis in law)’.

Below are the main UK GDPR lawful bases we use to process your information. This list is not exhaustive and there are other reasons why we may need to process your personal information. 

PurposeArticle 6Article 9
NHS funded
care		Public taskHealth and social care (with a basis in law)
 Vital interestsHealth and social care (with a basis in law) or vital interests
ResearchPublic taskArchiving, research, and statistics (with a basis in law)
Planning care servicesPublic taskHealth and social care (with a basis in law)
Clinical auditsLegal obligationHealth and social care (with a basis in law)
Patient surveysPublic taskHealth and social care (with a basis in law)
Privately funded careContractHealth and social care (with a basis in law)
Legal claimsLegitimate interestsLegal claims and judicial acts
Public healthPublic taskPublic health (with a basis in law) or Substantial public interest (Protecting the public)
SafeguardingPublic taskSubstantial public interest (protecting children and individuals at risk)

When we may ask for your consent

When the processing is related to your care or treatment or when there is another lawful basis that we can use, we do not rely on consent as the lawful basis under the UK GDPR. Consent under the UK GDPR gives the data subject (patient) a right to stop the processing and a right to erasure. If we could not comply with this right, for example, where we have a statutory duty to process the information, then consent would not be valid.

However, where you have provided personal information in confidence and we need to share it in ways you could not reasonably expect, we will ask for your consent under ‘common law’ (except where we are required to do so by law).  Common law consent comes from the ‘Common law duty of confidence’. This is not a written law but is based on case law. Common law consent is not the same as consent under the UK GDPR and does not include a right to erasure.

What personal data do you process about me?

The personal data we process about patients includes:

  • First name and surname
  • Date of birth
  • Gender
  • Ethnicity
  • Religion
  • Address
  • Email address
  • Contact number
  • Postal address
  • Contact details of parent/guardian, next of kin or nearest relative
  • Carer contact details (if applicable)
  • Appointments and hospital visits
  • Tests
  • Diagnoses
  • Other health conditions (called comorbidities)
  • Treatments, operations, and medications
  • Allergies
  • Pregnancy information
  • X rays, scans and ultrasound images
  • Genetic data
  • NHS Number
  • Hospital Number
  • Your GP practices
  • Financial information on payments (private patients)
  • Any images that have been captured by CCTV security cameras in our hospitals
  • Nationality

Keeping your information up to date

If you are a current patient, please tell us straight away if your address or contact details, or if you notice any incorrect or out of date information on your records. Please get in touch with the service you are under to amend any contact details.

We will take the opportunity to share information from your records with you when you attend appointments, so you can tell us if there is anything that is incorrect or that you don’t agree with.

If you want don’t want your information used for research or planning purposes (NHS National Data Opt Out)

Being able to use patient information for research and planning is vital for research into new treatments, improving existing treatments, faster diagnoses, and helping the NHS to improve patient experiences and outcomes. It also helps the NHS to plan services where they are needed most, such as new clinics and GP practices.

However, if you don’t want your information used for these purposes, then you can opt out using the national data opt-out service. To find out more about the national data opt-out and how to set your opt-out choice visit https://digital.nhs.uk/services/national-data-opt-out. You can change your opt-out choice at any time, but please allow 21 days for your request to be actioned.

The National Data Opt Out applies to patients who live in England.  Anyone who has an NHS Number is an NHS patient.

How long are my records kept for?

Your records are retained in line with the NHS Records Management Code of Practice 2021

Your rights over your personal data

The UK GDPR gives you rights over your personal data. Some rights are universal, and others depend on the lawful basis for processing. 

  • The right to be informed – we must tell you how we process your personal information.
  • The right of access – you can ask to see what personal information we hold about you. This is called making a Subject Access Request (SAR). To find out more about how to make a SAR go to https://www.enherts-tr.nhs.uk/patient-visitors/commitment/health-records/
  • The right to rectification – if you think we hold information about you that is inaccurate, you can ask us to correct it.  We will correct any information that we agree is wrong, or we don’t agree, we will add your comments about what you feel is wrong.
  • The right to erasure – in some circumstances you have a right to erasure of certain information we hold about you.  This depends on whether we have a statutory obligation to retain the information and what lawful bases we have relied upon for the processing.
  • The right to restrict the processing – this right, where it applies, allows you to ask us to retain some information but to restrict what we can retain or use.
  • The right to object – you can object to how we process your personal information. We will comply with your objection unless there is an overriding reason to continue the processing.
  • The right to data portability – in some circumstances, you can request a copy of the personal data that you have provided to us, in a machine-readable format, so that you can transfer it to another organisation or use it for a similar purpose.
  • The right to challenge an automated decision – where computers have been set up to make automated decisions, you have a right to challenge the decision or ask for a person to check the automated decision.

How we protect your information

Your personal information is held securely.  Our information systems have strict access controls and staff are only able to see the information that they need to perform their role.  All our staff are subject to a duty of confidentiality and receive data protection and information security training every year as a minimum.

How to complain

If you have any questions, concerns, or objections about how we process your personal information, please speak to your clinician in the first instance. If you still have concerns after speaking to a clinician, you can contact our Patient Advice and Liaison Service (PALS) who can help to resolve any issues. If you are still dissatisfied and want to make a complaint, please email our Data Protection Officer (DPO) at [email protected]. Our DPO will investigate your complaint and write to you.

If you remain dissatisfied, you have a right to complain to the Information Commissioner’s Office (ICO). The ICO is the UK’s independent authority that upholds information rights in the public interest, including data privacy for individuals. 

Helpful information

ICO Guide to the UK GDPR

Privacy and Electronic Communications Regulations (PECR)

Confidentiality Policy

Information for staff, job applicants, volunteers, contractors and third parties

Below are the main UK GDPR lawful bases we use to process your personal data. This list is not exhaustive and there are other reasons why we may need to process your personal data.

PurposeArticle 6Article 9
StaffEmployment purposes including: payroll, pension, annual leave, training, educational funding or grants, performance monitoring, occupational health, professional memberships, regulatory requirements, results of pre employment checksPublic taskEmployment, social security and social protection (if authorised by law)
Job applicantsPre employment checks (including right to work, DBS checks, qualifications, references)Public taskEmployment, social security and social protection (if authorised by law)
VolunteersAdministrative purposes to manage your volunteering role (including shift records, health and safety, training)Public taskExplicit consent or Public health
ContractorsPre-employment checks, training, performance monitoring, contract information.Public taskDependent on purpose of contract
Third partiesAdministrative or care related purposes
Public taskDependent upon purpose

For information about how long staff records are kept for, please refer to the NHS Records Management Code of Practice 2021. Volunteer records are kept for six years from the date you cease being a volunteer. Contractor records are kept or six years or in line with financial requirements.

For your rights over your personal data, please see the above section.

If you have any concerns or questions about about how your personal data is processed, please speak to your manager or officer who you have been dealing with in the first instance. If you are still dissatisfied and want to make a complaint, please email our Data Protection Officer (DPO) at [email protected]. Our DPO will investigate your complaint and write to you. If you remain dissatisfied, you have a right to complain to the Information Commissioner’s Office (ICO).

For helpful information, please see resources above.