Data Requests & Your Privacy
In the UK by law you have a right to access your information
This Privacy Notice explains what we do with your personal information where we are providing, or have provided, care to you. It tells you:
You can read the different sections of the Privacy Notice in the drop down menus below.
We reserve the right to update this privacy notice at any time. We will notify you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
If you would like access to the Privacy Policy in other formats please contact our Interpreting Service, full details of which you will find in the Accessing our hospitals section of this website.
Why we collect personal information about you
The staff caring for you need to collect and maintain information about your health, treatment and care, so that you can be given the best possible care.
Health records comprise information relating to your physical and/or mental health, created to support your care. Health records consist of both electronically-held information, such as radiology images and test results, and paper records which have been scanned.
Your records will include information from throughout your contact with the Trust, including referral and discharge letters, observation charts, outpatient/inpatient clinical notes, and relevant information from people who care for you and know you well such as health professionals and relatives, carers or guardians.
The ways in which we use your information are governed by law. NUH is a data controller and makes key decisions about how your data is stored and shared.
When your information is used for care and administrative purposes related to your care it is processed for the purposes of “the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” under GDPR Article 6(1)(e) and the “provision of health or social care or treatment or the management of health or social care systems and services” under GDPR Article 9(2)(h).
When your information is used for secondary purposes such as audit and service improvement by the hospital it is processed for the purposes of “the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” under the GDPR Article 6(1)(e) and the “provision of health or social care or treatment or the management of health or social care systems and services” under the GDPR Article 9(2)(h).
When your information is processed to manage health emergencies such as COVID-19, the legal basis is “the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” under the GDPR Article 6(1)(e) and “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health” under the GDPR Article 9(2)(i).
When there is a legal requirement that we provide specified data, to NHS Digital for example, we rely on Article 6(1)(c) of the GDPR. In cases where the common duty of confidentiality cannot be satisfied through consent we seek approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.
Research
In most instances we rely on Article 6(1)(e) and Article 9(2)(j) of GDPR if and when we use information for research. If you have consented to take part in research, this will satisfy the common law duty of confidentiality. Where it has been impracticable to obtain consent we will seek approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.
We collect personal information about you in a number of ways. This can be from referral details from your GP or another hospital, or directly from you or your authorised representative.
It is likely that we will hold the following basic personal information about you:
We might also hold your email address, marital status, occupation, overseas status, place of birth and preferred or maiden name.
In addition to the above, we may hold special category personal information about you which could include:
This personal information can be held in a variety of formats, including paper records, electronically on computer systems, and in video and audio files.
It is important for us to have a complete picture of you as this will assist staff to deliver appropriate treatment and care plans in accordance with your needs.
How do we use your personal information?
The healthcare professionals who are responsible for your care may use your records to:
Security cameras are installed at various locations at Nottingham City Hospital, Queen's Medical Centre and Ropewalk House to help prevent and detect crime, and for the protection of staff, visitors and patients and their property.
Body worn cameras may be used in line with the Trust CCTV Policy.
Requests for copies of recordings should be directed to the Data Protection Administration Office. The use of CCTV and any disclosure of images will be in accordance with the codes of practice issued by the Information Commissioner.
We may on occasions need to share relevant personal information with other NHS organisations and non-NHS providers of healthcare.
Some examples are:
Under a legal obligation we share personal information with the Data Services for Commissioners Regional Offices who de-identify the information before sharing it with commissioning organisations.
We may need to share information with other non-NHS organisations from which you receive care, such as Social Services or private care homes. However, we will not disclose information to third parties unless there are specific circumstances, such as when the health or safety of others is at risk, where current legislation permits or requires it or where we have explicit consent.
There are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
There may also be situations where we are under a duty to share your information due to a legal requirement. This includes, but is not limited to:
The personal information we collect about you may also be used to:
Where possible, we will always look to anonymise/pseudonymise personal information so as to protect confidentiality, unless there is a legal basis that permits us to use it, and we will only use or share the minimum information necessary.
The Data Protection Act 2018 gives individuals certain rights in relation to their personal data, including the right to:
You can choose whether your confidential patient information is used for clinical research and planning.
You can find more information on the NHS Data Opt Out in this section of our website: https://www.nuh.nhs.uk/data-requests-your-privacy and on the NHS Digital national website: https://digital.nhs.uk/services/national-data-opt-out
Your personal information is held in both paper and electronic (including audio recordings, electronic databases etc.) formats, for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.
We hold and process information in accordance with Data Protection legislation. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.
We have a duty to:
Your personal information will only be kept for as long as is necessary and will be destroyed in accordance with the Trust's Record Management Policy. This varies depending on the type of information. Typically, your health record is held for 8 years following the end of treatment, or death. Records for some patients, e.g. children’s records, are kept much longer. Our policy on the Retention and Disposal of Health Records is available here.
We will always try to keep your information confidential and only share information when absolutely necessary. We have procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
It is essential that we have your correct details to ensure the appropriate care, treatment and follow-up is provided to you. If you change your name, address, phone number, or GP, please let our staff know so that your records can be updated. You should also tell us if any of your information we hold is incorrect by contacting us on the Contact Details provided on the Your Data and Privacy page.
Nottingham University Hospitals Data Protection Office Service
If you have any questions or concerns, please contact the Data Protection Officer, Marc Wilson.
If after exhausting our internal processes you believe that we have not complied with the data protection legislation you may wish to seek advice from the Information Commissioner.
When you have a scan (X-ray, CT, MR, or Ultrasound) in our hospitals, it is stored on an electronic system that is shared with seven other hospital Trusts in the East Midlands, collectively known as EMRAD. Access to your full scan history will enable healthcare professionals in those hospitals to access your radiology record when necessary.
This will help you by: