What is a Privacy Notice?
This is the Privacy Notice (also known as a 'Fair Processing Notice') for the University Hospitals of North Midlands NHS Trust (sometimes referred to as the 'Trust' or 'UHNM'), it describes what we do with the personal information we collect about you. It tells you:
- What information we collect about you
- Why we collect information about you
- How we use your information
- Who we may share your information with
- How long we store your information
UHNM is a data controller which means that the Trust decides the purposes for which any personal information is used.
We are the University Hospitals of North Midlands and we are the data controller. Our address for communications is:
Royal Stoke University Hospital
Tel: 01782 715444
We are registered to process personal and sensitive information under the Data Protection Act 2018 - our registration number is Z7476085
- Right of access – You have the right to ask us for copies of the personal information we hold about you, details about how to do this are included in the section How to Access your Information.
- Right to rectification – You have the right to ask us to correct any information you think is inaccurate or incomplete, this is subject to certain safeguards however, for more information please click here
- Right to erasure – You have the right to ask us to erase your information in certain circumstances, for more information about this please click here
- Right to restrict processing – You have the right to limit the way the Trust uses your personal data if you are concerned about the accuracy of the data or how it is being used where appropriate, for more information please click here
- Right to object to processing – You have the right to object to the use of your information in some circumstances, for more information please click here
- Your right to data portability – You have the right to ask that we transfer any electronic information you have given us to another organisation, or give it to you on certain occasions.
The Trust has appointed a Data Protection Officer who is responsible for information and advising UHNM on data protection regulations and national law. The Data Protection Officer can be contacted by:
The Trust undertakes Data Protection Impact Assessments (DPIA) on any projects which require the use of identifiable information.
These are available to view via the Freedom of Information process by contacting FOI@uhnm.nhs.uk
The Trust holds personal information on you in a variety of formats, including paper records, electronically, in video files and audio files. The personal information that the Trust may hold about you includes:
- Names, including preferred or maiden name
- Telephone number(s)
- Date of birth
- NHS number
- Email address
- Your next of kin contact details
- GP details
- Power of Attorney status
- Financial details, where we provide healthcare to private patients
- Visual images, personal appearance and behaviour, for example CCTV images, images captured from drones and body-worn cameras are used as part of building security
- Whether you are subject to any protection orders regarding your health, well-being and human rights (safeguarding status)
Further data that we may collect which is called special category data because this is more sensitive information:
- Healthcare records which includes:
- Notes and reports about treatments and care
- Details regarding any contact we have had through appointments, telephone calls and home visits
- Details regarding medical conditions (physical and mental health)
- Results of investigations, for example x-rays and laboratory tests
- Future / current care needs
- Details regarding agencies, healthcare professionals and relatives involved in your care
- Racial or Ethnic origin
- Sexual orientation
- Genetic and biometric information
- Sex life information
Information we hold and process for staff, volunteers, job applicants and others:
- Employee details, job applicants, apprentices, complainants, enquirers, survey respondents, suppliers, professional experts, consultants, people captured in closed circuit television images
- Information is also held on job applicants for the purposes of processing their application and ensuring equality and patient safety
- Information on staff, volunteers and apprentices may be shared with third parties that provide services to the trust and in order to comply with statutory requirements and to facilitate the running of the Trust.
- Staff, Volunteers and apprentices need to be aware however that their information will be processed as part of their contract / agreement with the Trust. This will be fully explained to you by The Human Resources team and / or your manager.
- Staff, volunteers and job applicants should contact the Trust Human Resources department for further information on how their information is processed.
In order for us to give you the best possible care we collect personal and confidential information, this can come from your GP, referrals, healthcare professionals involved in your care and yourself. Your information may be used to:
- Provide healthcare services and treatment
- Provide chaplaincy and pastoral care services
- Ensure that money is used properly to pay for the services it provides
- Investigate complaints, legal claims or important incidents
- Make sure services are planned to meet patients' needs in the future
- Review the care given to make sure it is of highest possible standard
- To manage specialised services
- To improve the efficiency of our healthcare services by sharing information with other organisations (sometimes non-NHS/Social care) such as Age UK, Revival and/or Vast, for example, for a specific, justified purpose which is approved by UHNM's Caldicott Guardian
- Check and report to our regulators on how well we are performing
- Patient survey's for service improvements
- Research (consent will always be sought to use your data for this purpose)
- To manage service workload by e-mailing appointment reminders for example (where we have been provided with an e-mail address)
If you apply for a job or are employed with the Trust we will collect your personal information.
Your health records may be held in both paper and / or electronic format; we will keep your health records for specified periods of time, in accordance with the Records Management Code of Practice for Health and Social Care 2016.
Although there are exceptions and certain conditions affecting the length of time we will keep a health record, in general however, this means that we will keep an adult health record for 8 years after the last entry; we will keep a child's health record until the child reaches 26 years of age.
We may share your personal information with other NHS organisations in order to provide you with the best possible healthcare, for example: other NHS Trusts, Ambulance Service, GPs, etc.
There may also be the need to share your information with non-NHS organisations that are involved in your care, for example: Social Services, Private Care Homes, Local Councils, Voluntary and Private Sector Providers, Charities, community pharmacies etc.
There are situations where the Trust has a duty to share your information due to a legal requirement. These situations include, but are not limited to:
- Disclosure to the Police for the prevention and detection of crime
- Prevention and detection of fraud
- Disclosure under a Court Order
- Disclosure & Barring Service – for employment/recruitment purposes
- In the public interest to prevent abuse or serious harm to others
- Our obligation under a Duty of Contract with:
- Clinical Commissioning Groups
- NHS Digital
- Public Health England
- Care Quality Commission
- Third parties contracted via NHS England
- Other Commissioning Support Providers
Any sharing of your personal information with other organisations is always governed by specific legislation and transferred in accordance with the requirements of the legislation and the NHS Confidentiality Code of Conduct. If you have any questions regarding the sharing of your data please contact DPO.UHNM@uhnm.nhs.uk
Under the Data Protection Act 2018 and General Data Protection Regulation one of your rights is that you can make a request for a copy of all or a specific piece of information the Trust holds about you, how and why we process your information and who we share your information with.
For Data held in your health record
For data held in your health record you will need to make a formal request to the Health Records team, more information can be found on the Health Records page. For further information please see Access to Health Records Leaflet.pdf
The team can be contacted at the following email address:
For Data held in your staff record
For your staff record you need to make your request to your Line Manager or contact the HR Department
For Data not in held in your health or staff record
Quite often, patients and staff members request personal data information (such as e-mails held on the Trust servers) which do not form part of your health or staff record, for example, where this request is made as part of a Complaint or a general Subject Access request, the relevant team will liaise with the Information Security team. Alternatively, a request can be made direct through the personal data request process by emailing PDR@UHNM.nhs.uk
The Information Commissioners Office (ICO) is an independent body which regulates the Trust under Data Protection and Freedom of Information legislation.
The Trust is registered with the ICO and the registration number is: Z6476085
You can contact the ICO by:
Information Commissioner's Office
Cheshire, SK9 5AF
Telephone: 0303 123 1113
Changes to this Privacy Notice
We will keep this privacy notice under regular review. This notice was last updated on October 2019.
How the NHS and care services use your information
University Hospitals of North Midlands (UHNM) is one of many organisations working in the health and care system to improve care for patients and the public).
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn't needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.
UHNM is working collaboratively with other partners in the region (GP Practices, Local Authorities, other Hospital Trusts (Acute, Community and Mental Health) as well as Commissioning Groups to create an integrated care record.
This will be a central repository of information that each organisation can access (for their own patients only) so that clinicians will have a complete picture of a patients' needs, medications etc.
More information on this initiative (which will be launched shortly) can be found by accessing the One Health and Care website by clicking the link on the right hand side of this page
In order to process personal information the Trust needs to have a legal basis to do so.
The primary purpose for which the Trust processes personal information is in order to support its healthcare activities as set out in the National Health Service and Community Care Act 1990, this is the Trusts source of 'Official Authority'.
The basis for the Trust processing your information is described in Article 6 (lawfulness of processing) and Article 9 (processing of special categories of personal data) of the General Data Protection Regulation.
The legal basis for using your data is dependent upon what we need to do with it, these are the legal basis we can use:
- Consent – We would obtain freely given, specific and informed consent to process your personal data for some purposes
- Contract – The processing is necessary for a contract we have with an individual, for example a member of staff
- Legal Obligation – The processing is necessary for us to comply with the law
- Vital Interest – The processing is necessary to protect someone's life
- Public Task – The processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law
- If there is a safeguarding concern then data may be shared
In general, however, for the purpose of providing you with healthcare, the Trust relies on
Article 6(1)(e) - processing is necessary for the purposes of a task carried out in the public interest or in the authority of official authority vested in the data controller
Article 9(2)(h) – processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment
In some circumstances it may be necessary to transfer your personal information overseas. If this is required, information will only be shared within the European Economic Area (EEA) unless additional safeguards have been put in place to protect your information.
Any transfers that do take place will be made in full compliance with all aspects of Data Protection legislation and if this is to happen then you will be informed by the Trust beforehand.
The Trust makes use of CCTV systems, including body worn cameras and images captured from drones which are used as part of our building security for crime prevention in line with the Information Commissioners CCTV code of practice. You have a right of access if you wish to request your data captured on CCTV.
If you have any questions about our privacy notice or information we hold about you please contact our Information Governance Team :
If you would like to make a complaint about how your information is being used you can discuss your concerns with our Patient Advice and Liaison Service (PALS) (Email: firstname.lastname@example.org) or you can contact our complaints department (Email email@example.com)
The PALS offices are located at;
At Royal Stoke the PALS office is situated inside the main building entrance, which is open 9:00am to 4:00pm Monday to Friday (excluding bank holidays).
At County Hospital the PALS office is situated inside the main entrance which is open 9:00am to 5:00pm Monday to Friday (excluding bank holidays).
The contact information for both office is below;
Royal Stoke Hospital Telephone: 01782 676450 / 01782 676455 / 676435
County Hospital Telephone: 08000 407060 / 08000 721 646
If you want to contact us in writing please use the below address;
Chief Executive OR Chief Nurse
University Hospitals of North Midlands
Royal Stoke University Hospital
For further information please see the complaints leaflet.
Your duty to inform us of changes
It is important that you keep us updated of any changes to your personal information to ensure that all the information we hold is accurate and current.