
Need to Cancel / Change an Appointment visit: Cancel or change your appointment? :: Dartford and Gravesham NHS Trust (dgt.nhs.uk)


Appointment text reminder service: Appointment text reminder service :: Dartford and Gravesham NHS Trust (dgt.nhs.uk)

 

 

Privacy Notices

Overview

This Privacy Notice explains how Dartford and Gravesham NHS Trust collects, uses and protects personal information about individuals, in accordance with data protection laws, the NHS Constitution and common law.

This notice aims to ensure that you are informed about the main uses of information about you, what rights you have, and how to exercise them. In addition to this information, which relates to everyone, supplementary information about uses that apply to specific groups of individuals can be accessed below.

CCTV and body‑camera recording at Darent Valley Hospital is used for the prevention and detection of crime 24 hours a day and may record individuals who are not visitors to the hospital but are on the grounds for other reasons, such as access or use of bus services.

Your information is never collected for direct marketing purposes and is not sold on to third parties. Your information is not sent outside the United Kingdom or the European Union unless appropriate safeguards are in place.

Information is kept for the minimum period recommended by the Records Management Code of Practice 2021 or other regulatory standards, described in the relevant sections.

How this page is organised

To make this page easier to read, the information is grouped under headings in expandable sections below. Each section contains specific details about how we use information and cookies on this website.

If you are using assistive technology and have difficulty accessing the expandable content, you can still navigate through the page using headings, or contact us using the details provided if you need this information in an alternative format.

The Trust has a Data Protection Officer who oversees how personal information is used.

Should you have any queries on the use of your information, or wish to exercise one or more of your rights, please direct your enquiry to the Data Protection Officer by writing to the above address or by email to: dgn-tr.dataprotectionofficer@nhs.net

If you are unhappy with the outcome of your enquiry, you can contact the regulator: The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF - Telephone: 0303 123 1113

Patients, such as adults, young people and babies

Staff, such as employees, former employees, applicants, agency staff, bank staff and volunteers

Service users, such as carers, relatives and guardians, next of kin, complainants and enquirers, bereavement service users, contractors, suppliers and visiting clinicians

General Public such as those using our grounds for access etc.

Depending on how you use our services, we may collect and process the following information, such as:

Personal data

  • Name, address, date of birth

  • NHS number and hospital number

  • Contact details (telephone, email)

  • Gender and demographic information

  • Next of kin and emergency contacts

  • Information about your nationality relating to your entitlement to NHS care in the UK

  • Photos or audio-visual recordings (clinical and/or legal reasons)

Special category data

  • Health and clinical information (diagnosis, treatment, care provided)

  • Safeguarding and mental capacity information

  • Religion, ethnicity, sexual orientation

  • Disabilities and accessibility needs

  • Biometric Data such as fingerprints (staff only)

Special category data is handled with additional safeguards, in line with UK GDPR and the Data Protection Act 2018. 

We may obtain patient specific information from:

  • You (directly or via forms, emails, conversations)

  • Family members or legal representatives

  • GPs and other NHS or health and social care providers

  • Referral systems and national NHS systems

  • Trust clinical and administrative systems

  • CCTV and Bodycam recordings, when onsite

For others, we may obtain information (as relevant) from:

  • You (directly or via forms, emails, conversations)

  • Contractors

  • Suppliers

  • DBS Checks

  • Fingerprints for staff access to systems

  • CCTV and Bodycam recordings, when onsite

Information is collected mainly to deliver healthcare, which may relate to patients, staff, and other service providers.

It may also be used to assist with:

  • Involving relatives, carers and others to support the care of a patient
  • Carrying out clinical audit, service monitoring and national reporting
  • Safeguarding people
  • Managing contracts with service providers and suppliers
  • Preparing statistics on our performance for the Department of Health and other regulatory bodies
  • Helping train staff and support research
  • Supporting the funding of your care
  • Processing and reporting of investigation of complaints, claims and untoward incidents
  • Reporting events to the appropriate authorities when we are required to do so by law.

Under UK data protection laws, we must have a lawful reason to use your information.

Our main legal basis for the processing of personal data is that the NHS is an official authority with a public duty to care for its patients. Data protection law says it is appropriate to do so for health and social care treatment of patients, and the management of health or social care systems and services.

Legal basis for use of personal data:

  • Public task – providing NHS care and services
  • Performance of contract (Article 6(1)(b)) – for employees, contractors, and similar arrangements
  • Legal obligation – where the law requires us to share information
  • Vital interests – to protect life in an emergency
  • Consent – only where required (for example, research, photos for media, educational purposes or publicity)

Legal basis for use of health and other special category data:

  • Health or social care purposes
  • Performance of a contract
  • Employment, social security & social protection law
  • Legal claims or judicial acts
  • Substantial public interest
  • Explicit consent

For deceased patients, the UK GDPR does not apply, but the Common Law Duty of Confidentiality continues to protect information given in confidence.

If we need to use your personal information for any reason beyond those stated above, we will discuss this with you, although there may be exceptions to this which are listed below.

  • If the public interest is considered to be of greater importance, for example:
      • if a serious crime has been committed
      • if there are risks to the public or our staff
      • to protect vulnerable children or adults.
  • We have a legal duty, for example:
      • registering births
      • reporting some infectious diseases
      • reporting wounding by knives or firearms; and court orders
  • We need to use the information for medical research without specific consent. In this case, we have to ask permission from the Secretary of State for Health. An example is carrying out mass surveys of cancer patients to determine the effectiveness of treatment over a long period.

All sharing is subject to contractual, legal and security controls and we only share information where it is lawful and necessary, including with:

Internal

  • Trust staff (on a need‑to‑know basis)
  • Visiting staff on honorary contracts
  • Safeguarding, complaints, legal, governance and patient safety teams

External

  • Companies under contract to provide services to the Trust
  • GPs and other NHS Trusts
  • Integrated Care Boards (ICBs)
  • NHS England
  • Care Quality Commission (CQC)
  • Coroners, police and courts
  • Social services
  • Funeral directors and bereavement partners (where applicable)
  • Approved contractors and service providers (under contract)
  • Public health agencies
  • NHS Counter Fraud Agency, DWP, Home Office (where relevant)

Healthcare may be provided by members of a care team, which might include people from other organisations such as health, social care, education, or other care organisations.

The organisation adheres to the Common Law Duty of Confidentiality and the Caldicott Principles. Our Caldicott Guardian provides senior oversight to ensure that personal confidential information is used and shared appropriately, in line with legal and ethical requirements.

Personal confidential information is handled with care and respect, and is only used or disclosed where there is a clear legal basis, a legitimate purpose related to care, employment, or statutory functions, and where it is necessary and proportionate to do so. We ensure that information sharing is appropriately authorised, limited to what is relevant, and supported by robust security and governance controls.

How we keep your data secure

We protect your information using:

  • All staff undertake annual Information Governance and Data Security training
  • Access is role-based on a need-to-know basis
  • Password protection, encryption and Multi Factor Authentication
  • Secure emailing/transfers of information with technical and security measures such as encryption and passwords
  • Secure clinical systems with frequent backups
  • Locked cabinets and restricted areas for paper records
  • Network security, firewalls, backups and audit logging
  • Robust policies and procedures
  • Confidential waste disposal of paper and digital information
  • Contracts with suppliers and contractors that include the data security, legal and NHS standards required
  • Independent external auditing
  • Data Security Protection Toolkit, which is Cyber Assurance Framework (CAF) aligned, to meet the national standards and data protection legislation

Information is kept in line with the NHS Records Management Code of Practice, Trust Policy and other specific regulatory or professional requirements. Retention periods vary depending on the type of record and purpose, such as:

  • Adult health records: 8 years after last episode of care
  • Children’s records: until the 25th or 26th birthday
  • Cancer records: up to 30 years
  • Complaints and legal matters: up to 10–20 years
  • Bereavement and mortuary records: typically 8–25 years
  • Chaplaincy records: short-term (e.g. 2 months)
  • Contracts: 6 years after contract ends

Under UK data protection law, you have rights over how your personal information is used.
Which rights apply will depend on the reason we are using your information.

Your rights include:

  • Your right to be informed
    You have the right to be told how we collect and use your personal information.
  • Your right of access
    You have the right to ask us for copies of your personal information.
    This is often called a Subject Access Request (SAR).
  • Your right to rectification
    You have the right to ask us to correct personal information you think is inaccurate or incomplete.
  • Your right to erasure
    You have the right to ask us to delete your personal information in certain circumstances.
    This right does not apply where we are required by law to keep the information, such as health records.
  • Your right to restrict processing
    You have the right to ask us to limit the way we use your personal information in certain situations.
  • Your right to object
    You have the right to object to the use of your personal information in some circumstances, including where we rely on public task as our lawful basis.
  • Your right to data portability
    You have the right, in certain circumstances, to ask that we transfer the personal information you have provided to us to another organisation, or to give it to you.
  • Your rights in relation to automated decision‑making and profiling
    You have the right not to be subject to a decision made solely by automated processing where it would have a significant effect on you.
    The Trust does not currently make decisions solely by automated means without human involvement.
  • Your right to complain
    You have the right to complain about how we use your personal information.

Important information about your rights

You can exercise any of your rights by contacting the Trust’s Data Protection Officer using the contact details at the beginning of this notice.

Some rights may be limited where we have a legal duty to use or retain information, for example for patient care, safeguarding, or regulatory purposes.
All requests will be considered on a case‑by‑case basis.

Making a Complaint

Currently you can complain directly to the Information Commissioner’s Office, without complaining to the Trust first. However, this will change on 19 June 2026, when you will be required to complain to the Trust first, before going to the ICO.

Under the Data (Use and Access) Act 2025, you have the right to raise concerns or complaints about how your information is used and to escalate these to the appropriate regulator if you are not satisfied with the Trust’s response to your complaint.

We are working on a formal data protection complaints process which will be published when available.

Patients also have the right to opt out of having their confidential information used for purposes beyond individual care, where applicable.

Some uses of information (such as direct care, safeguarding, legal obligations or Section 251 approvals) are exempt.

To find out more or to make your choice, visit http://nhs.uk/your-nhs-data-matters or call 0300 303 5678

The Trust may use patient and service user information within the NHS Federated Data Platform (FDP). The FDP is a national NHS system that securely brings together information from different NHS organisations to support the planning, delivery and improvement of health and care services.

Information used within the FDP is accessed on a controlled, role-based basis and only for purposes such as direct patient care, service planning, population health management, operational performance, and meeting statutory and regulatory requirements. The use of data within the FDP is subject to strict security controls, contractual safeguards and NHS information governance requirements.

For more information, see: NHS England » NHS Federated Data Platform privacy notice

The Secondary Care ePMA Data Collection

NHS England is collecting information for medicine given to patients by hospitals in England when that data is recorded on a computer system.

Protection is in place to ensure the information is securely transferred from hospitals to NHS England, is stored safely, and can only be accessed by organisations that have a legal basis and legitimate need to use it.

The information will be analysed with the main objective being that it will improve safety for patients. Some examples of what this data will be used for are to examine how antibiotics are used in hospitals, to see how new medicines are used, and to monitor medicine usage.

NHS England has collected information on a weekly basis since January 2025. It is also collecting older information back to June 2018 (or from when the computer system started to be used, if after June 2018).

To read more about the information NHS England collects, the reasons for collecting this information and what choices and rights patients have, see the NHS England keeping patient data safe web page: Keeping data safe and benefitting the public - NHS England Digital

The NHS England Privacy Notice can be accessed via this link:

Transparency Notice for Secondary Care ePMA Data Collection 2024 - NHS England Digital

Supplementary service specific privacy notices can be found at the bottom of this web page.

The key pieces of legislation/guidance we are governed by are:

  • Accessible Information Standards (AIS)
  • Audit Commission Act 1998 (to participate in the National Fraud Initiative (NFI))
  • Caldicott Principles
  • Care Act 2014
  • Children Act 1989, 2004
  • Computer Misuse Act 1990
  • Copyright Design and Patents Act 1988
  • Common Law Duty of Confidentiality
  • Data Protection Act 2018
  • Data (Use and Access) Act 2025
  • Fraud Act 2006
  • Freedom of Information Act 2000
  • General Data Protection Regulation (GDPR)
  • Health and Social Care Act 2008, 2012, 2015, 2022
  • Human Rights Act 1998 (Article 8)
  • Information Security Management – NHS Code of Practice
  • International Organisation for Standardisation (ISO) – Information Security Management Standards (ISMS)
  • National
  • National Health Service Act 2006
  • NHS Confidentiality Code of Practice 2003
  • Patient Safety Incident Response Framework (PSIRF)
  • Public Records Act 1958
  • Public Health Act 1984
  • Records Management Code of Practice 2021
  • The Re-Use of Public Sector Information Regulations 2015

Dartford and Gravesham NHS Trust Privacy Notices

Please find all Dartford and Gravesham NHS Trust Privacy Notices below. 

Page last edited: 28 April 2026