Data Requests & Your Privacy
In the UK by law you have a right to access your information
In the UK by law you have a right to access your information under what is called a Subject Access Request. Simply complete the online form below and ensure the requested documents are uploaded such as Photographic ID and address verification so we can ensure you are who you say you are. You may be telephoned by one of the team to check some details from the record only you would know for security. We by law have to process this within 30 days.
Please read the online Supporting Information page here as part of your application to learn how the process works, how long it will take and how you can make a complaint if you are not satisifed with the service.
Note: We will not release your information without the correct identification. Please read the Guidance on providing identification (ID) below.
Alternatively download the Online Data Request form here and email to or post to our address listed on our Contact Us details below.
If you are not a public body (Police, Fire or GP etc.), executor of an individual’s estate or for any other reason you will usually need a Lasting Power of Attorney for Health and Wellbeing. Public bodies usually require a Court Order, or a special request previously known as a Section 29 to detect and prevent crime. If in doubt, simply complete online form below (Option 3) and one of the team will come back to you initially usually within 48 hours.
If the individual is deceased, your information request would fall under the Access to Health Records Act 1990 and more information can be found on the NHS website here.
In order to provide you with a copy of any personal information, or invoke your individual rights as outlined below, we require two forms of identification; one photographic and one that confirms your current address.
If you require any information outside the remit of Nottingham University Hospitals NHS Trust such as GP or Community Health information, please contact the relevant organisations directly.
Note: We will not release information without the correct identification or documentation. Please read the Guidance on providing identification (ID) below.
Data Protection Office
Nottingham University Hospitals NHS Trust
QMC campus
Derby Road
Nottingham
NG7 2UH
Tel: 0115 924 9924 extension 86838
Email: nuhnt.dutyin@nhs.net
The Data Protection Act 2018 gives you a statutory right of access to your personal records (manual or computer). In certain circumstances your records or part of your records may be withheld under the terms of the Act, but if that is the case this will be discussed with you.
You must provide two types of identification. These may be:
In addition, proof of address must be provided e.g. bank statement, utility bill and Tax certificate. If you wish to have information sent out to you, photocopies of identification information must be sent to Nottingham University Hospitals NHS Trust.
Identification documents to receive personal information:
An applicant should provide:
Where the applicant is not able to provide acceptable photographic ID the following must be provided: -
*The date on these documents should be within the last 6 months (unless there is a good reason for it not to be e.g. clear evidence that the person was not living in the UK for 6 months or more) and must contain the name and address of the applicant.
Please view our dedicated webpage below for submitting an FOI or complete the Online Data Request Form above:
If you wish to invoke your Individual Rights under the Data Protection Act 2018, this includes requesting an amendment or deletion to your personal information held by the Trust, please download and complete the form below (or within the Downloads section) and email to nuhnt.dpo@nhs.net
Please also complete the following table and include this with the above form which will help the Trust locate and identify areas you may highlight under your right to rectification for multiple requests:
Please view the Guidance on providing ID information above.
Please read the NHS Amending patient and service user records guidance below before submitting:
The Freedom of Information Act and the associated Fees Regulations stipulate that we cannot levy a fee for information unless there is a statutory basis for doing so, or the amount of time taken to locate the information exceeds 18 hours. However, we are allowed to charge for disbursements related to the provision of information and any reformatting requested by the applicant provided we ensure that applicants are aware of any charges that may be made.
Our fees are based on The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004, Statutory Instrument 2004 No. 3244.
No charges will be made for information accessed via our website. For any information that is provided in hard copy and where there are no statutory provisions our rates for photocopying, postage and reformatting will be as follows:
Photocopying and printing - 20p per copy
Postage - 2nd class postage
Reformatting - Calculated at £25 per hour plus the additional cost of reproduction in anything other than paper format.
Further information about the fees regulations can be found in the Ministry of Justice step-by-step guide to fees.
The Act provides for public authorities to either charge for or decline requests for information that would cost over what is referred to as the appropriate limit. With regards to NUH (and other public authorities) the appropriate limit is set at £450.
We are required to estimate whether a request is likely to breach the 'appropriate limit' and where it does, to notify you of the estimated costs and where available, the options to reduce those costs as may be required.
We will calculate the fees by estimating the time it will reasonably take to:
The standard hourly rate that all authorities must use to calculate the staff costs of answering requests is £25 per hour.
There will be no fee to pay for requests for information that cost less than £450 or take less than 18 working hours to complete.
We are however, entitled to make a charge to recover the cost of reproduction of the information and postage (which are referred to as disbursement costs) and will do so if those costs exceed £15 in total.
If there is a fee to pay, you will be notified in writing of the total cost with an explanation of how those costs have been calculated. The 20 day compliance time will be suspended and then will be reactivated when we receive your payment.
We will provide advice and assistance and discuss with you how the scope of the request could be narrowed in order to keep any fees as low as possible.
When we have issued a fees notice, you have three months to pay. We do not have to answer the request until payment has been received (section 9(2) of the Freedom of Information Act) and will consider the request to have been cancelled if payment has not been received within three months after the fees notice is issued.
If you do not agree with the Trust's decision that the cost of complying with the request would exceed the appropriate limit, you can ask the Information Commissioner to investigate.
If a request would cost more than the 'appropriate limit' to answer, we not obliged to answer it. However, we will provide advice and assistance to you to see whether the question could be refined, or resubmitted in part, to bring it below the appropriate limit.
If after providing such advice the request would still cost more than the appropriate limit to answer, we will inform you no later than the 20-day limit for answering requests with one of three outcomes:
Where we receive a number of requests from either the same person or different people asking for the same or similar information within a short time of each other, we may consider aggregating these requests to take an overall view of the resources which would have to be committed to answering all of the requests.
We can only aggregate requests in the following circumstances:
Environmental information is exempt from the information the Freedom of Information Act by virtue of section 39, and is dealt with under the Environmental Regulations 2005 regime.
Unlike Freedom of Information, there is no 'appropriate limit' in the Regulations, and there is no requirement under regulation 12(4)(b) to answer a request that is 'manifestly unreasonable'. This would apply to requests which would have an unreasonable resource impact on us.
We cannot make a charge for allowing you:
For all other situations, charging is at our discretion. The Environmental Information Regulations (EIR) 2005 state that public authorities may charge for environmental information and this charge should be "reasonable". An EIR request will be treated in exactly the same way as an FOI request if it falls below the appropriate limit of £450.
Disbursement costs for photocopying, printing and postage may be charged if they exceed £15. You will be notified in writing if there is a fee to pay.
Unlike FOIA, a request for environmental information cannot be refused if it exceeds the appropriate limit. In such cases, we will consider the request on its own merits and agree a course of action with you, which may include a reasonable charge being made for the information. Again, you will be notified in writing if there is a fee to pay.
For further information see: Information Commissioner's Guidance Environmental Information Regulations - Charging for environmental information.
A mixed request is a case in which part of the information requested is regulated by one access to information regime, and other parts by other regimes.
Maximum fees will be determined according to each separate regime. For example, where a request is for a mixture of your own personal data, and other information to which the Freedom of Information Act applies, then the maximum fee will be the sum of the maximum subject access fee under the Data Protection Act and the maximum fee for providing the remainder of the information calculated under the freedom of information regime.
The information featured on this website is the copyright of Nottingham University Hospital NHS Trust unless otherwise indicated. You may re-use the information on this website free of charge in any format. Re-use includes copying, issuing copies to the public, publishing, broadcasting and translating into other languages. It also covers non-commercial research and study. Re-use is subject to the following conditions. You must:
Our research is only possible because patients, families, carers and the public take part.
Using data collected from you, or about you or about whole populations of people with similar diseases or characteristics as you is an essential part of our research. We understand that sharing your data with us is an important decision.
So we make sure that at every stage of our research, we protect your privacy, confidentiality and dignity.
Our researchers are specially trained, qualified and authorised to work with your data. We handle and store data in the most secure ways possible. We will only use your data for clincal research.
We will only use your personal data with the proper approvals, regulations and safeguards in place. In order to use your data we will work in one of the following ways:
The video above summarises how the NHS uses data to save lives and improve treatment and care; we are grateful to the Understanding Patient Data initiative for these resources.
You will find more information and resources on the Understanding Patient Data website.
At NUH we make the following commitments about the data we keep about you and the way that we protect it. We will:
We are working with our partners in the University of Nottingham to develop the skills and capabilities to analyse extremely large amounts of data for research.
We are also working nationally as part of information collaborations and new developments in research data to improve healthcare across the country.
Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments.
In May 2018, the strict rules about how this data can and cannot be used were strengthened. The NHS is committed to keeping patient information safe and always being clear about how it is used.
As a result of these changes, you can choose whether your confidential patient information is used for clinical research and planning.
How confidential patient information is used
When your choice does not apply
Your health records contain a type of data called confidential patient information. This data can be used to help with research and planning.
You can choose to stop your confidential patient information being used for research and planning. You can also make a choice for someone else like your children under the age of 13.
Your choice will only apply to the health and care system in England. This does not apply to health or care services accessed in Scotland, Wales or Northern Ireland.
Confidential patient information is when two types of information from your health records are joined together.
The two types of information are:
· something that can identify you
· something about your health care or treatment
For example, your name joined with what medicine you take.
Identifiable information on its own is used by health and care services to contact patients and this is not confidential patient information.
Health and care staff may use your confidential patient information to help with your treatment and care. For example, when you are a patient at NUH, your clinical team will look at your records for important information about your health.
Confidential patient information might also be used to:
· plan and improve health and care services
· research and develop cures for serious illnesses
You can stop your confidential patient information being used for research and planning. Find out how to make your choice.
If you’re happy with your confidential patient information being used for research and planning you do not need to do anything.
Any choice you make will not impact your individual care.
This information is also available in other languages and formats.
Caldicott Guardians are experts on confidentiality issues and access to patient records. Dame Fiona Caldicott recommended such posts in her 1997 report into how patient information was used (and should be protected) in the health service, and in its increasingly complex information systems: "A senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information."
The NUH Caldicott Guardian is readily available to give advice on any concerns you may have about a case or activity.
Dr Jeremy Lewis
Caldicott Guardian
Consultant in Acute Medicine
Nottingham University Hospitals NHS Trust
QMC campus
Derby Road
Nottingham
NG7 2UH
The Caldicott report sets standards for management of confidentiality and access to personal information in the NHS.
Two key preconditions for confidentiality of information are its integrity and its security. Integrity is achieved by ensuring the accuracy and completeness of information through proper processing. Security is achieved by effective protection against inappropriate access or disclosure.
The eight 'Caldicott' principles apply specifically to patient-identifiable information. The Caldicott Guardian has a responsibility to oversee an ongoing process of audit, improvement and control of application of the principles.
Every proposed use or transfer of confidential information should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.
Confidential information should not be included unless it is necessary for the specified purpose(s) for which the information is used or accessed. The need to identify individuals should be considered at each stage of satisfying the purpose(s) and alternatives used where possible.
Where use of confidential information is considered to be necessary, each item of information must be justified so that only the minimum amount of confidential information is included as necessary for a given function.
Only those who need access to confidential information should have access to it, and then only to the items that they need to see. This may mean introducing access controls or splitting information flows where one flow is used for several purposes.
Action should be taken to ensure that all those handling confidential information understand their responsibilities and obligations to respect the confidentiality of patient and service users.
Every use of confidential information must be lawful. All those handling confidential information are responsible for ensuring that their use of and access to that information complies with legal requirements set out in statute and under the common law.
Health and social care professionals should have the confidence to share confidential information in the best interests of patients and service users within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.
A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information - in some cases, greater engagement will be required.
Caldicott Guardians and the Data Protection Act 2018
The Act is the key legislation covering all aspects of information processing. This includes security and confidentiality of personal information. The Caldicott requirements provide the framework to put the Data Protection Act into operation.
More information on the role of a DPO can be found below:
Email: nuhnt.dpo@nhs.net
The data protection law changed to the Data Protection Act 2018. Which now uncompases the UK General Data Protection Regulation (GDPR) to protect your data and rights as a data subject.
Data Protection legislation requires that data controllers (NUH in this case) provide certain information to people whose information (personal data) they hold and use. A Privacy Notice is one way of providing this information.
You can view and read the staff privacy notice here: Staff Privacy Notice.pdf [pdf] 526KB
The East Midlands Radiology Consortium (EMRAD) aims to deliver timely and expert radiology services to patients across the East Midlands, regardless of where they are being treated.
The services provided by EMRAD include imaging tests like x-rays and scans in the following NHS hospital trusts:
A key benefit for patients is that clinicians, and other staff who support your care, can access your complete radiology imaging record, including scans, reports and clinical opinions, regardless of where they are based in the East Midlands, which enables clinicians to provide more care closer to patients’ homes.
It will also help to avoid unnecessary appointments and duplicate or repeat scans.
Further Information about EMRAD
When you have a scan (X-ray, CT, MR, or Ultrasound) in our hospitals, it is stored on an electronic system that is shared with seven other hospital Trusts in the East Midlands, collectively known as EMRAD. Access to your full scan history will enable healthcare professionals in those hospitals to access your radiology record when necessary.
This will help you by:
Privacy Policy
You can read and download a copy of the EMRAD privacy policy here.
If you wish to complain about any aspect of the manner in which your access request was handled, in the first instance please follow the steps below:
If you are still not satisfied with the response you receive you may refer your complaint to the Information Commissioner if it is in relation how data is handled or proceeed within the Trust: