Privacy Notice for patients

This is a Privacy Notice - also known as a Fair Processing Notice.

It should not be confused with the Privacy Statement which concerns the use of this website.

This page describes how the Trust uses and manages the information it holds about its patients, including how the information may be shared with other NHS organisations and with non-NHS organisations, and how the confidentiality of patient information is maintained.

Personal data is information that relates to a living individual who can be identified from that data.

The Trust holds personal data about its patients for the purposes of providing them with appropriate care and treatment.

The Trust keeps records about the health care and treatment it provides to its patients.

This helps to ensure that patients receive the best possible care from the Trust.

The Trust may also use personal details to issue patient satisfaction surveys relating to the services used.
It helps patients because:

  • Accurate, up-to-date information is important for providing the right care;
  • If a patient has to see another doctor or is referred to a specialist or to another part of the NHS, then full details of the patient's healthcare can be made available;
  • Satisfaction surveys enable the Trust to improve the way it delivers healthcare to its patients.
  • It helps the Trust:
  • To plan, manage and audit the health services it provides;
  • To prepare statistics on its performance;
  • To monitor how it spends public money;
  • To teach and train healthcare professionals;
  • To conduct health research and development

The Trust is registered with the Information Commissioner's Office as a Data Controller reference Z4953683, as required by the Data Protection Act 1998.

Patients have the right to access personal information about them held by the Trust, either to view the information in person, or to be provided with a copy.

Patient wanting to access their health records should refer to the Patient Records webpage for further details.

What kind of information the Trust holds about patients

  • Identity details - name, date of birth, NHS Number
  • Contact details - address, telephone, email address
  • 'Next of kin' - the contact details of a close relative or friend
  • Details of any A&E visits, in-patient spells or clinic appointments
  • Results of any scans, X-rays and pathology tests
  • Details of any diagnosis and treatment given
  • Information about any allergies and health conditions

By providing the Trust with their contact details, patients are agreeing to the Trust using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice-mail or voice-message (telephone or mobile number), by text message (mobile number) or by email (email address).

How patient records are kept confidential

Everyone working for the NHS is subject to the Common Law Duty of Confidence.

Information provided in confidence will only be used for the purposes advised and consented to by the patient, except in circumstances where the law requires or allows the Trust to act otherwise.

Under the Confidentiality Code of Conduct, all Trust staff are required to protect patient information, to keep patients informed of how their information will be used, and to allow patients to decide about how their information can be shared.

This will be noted in patients' records.

How patient records are shared

The Trust shares patient information with a range of organisations or individuals for a variety of lawful purposes, including:

  • Disclosure to GPs and other NHS staff for the purposes of providing direct care and treatment to the patient, including administration;
  • Disclosure to social workers or to other non-NHS staff involved in providing healthcare;
  • Disclosure to specialist organisations for the purposes of clinical auditing;
  • Disclosure to those with parental responsibility for patients, including guardians;
  • Disclosure to carers without parental responsibility (subject to explicit consent);
  • Disclosure to medical researchers for research purposes (subject to explicit consent, unless the data is anonymous);
  • Disclosure to NHS managers and the Department of Health for the purposes of planning, commissioning, managing and auditing healthcare services;
  • Disclosure to bodies with statutory investigative powers - e.g. the Care Quality Commission, the GMC, the Audit Commission, the Health Service Ombudsman;
  • Disclosure to national generic registries - e.g. the UK Association of Cancer Registries;
  • Disclosure, where necessary and appropriate, to non-statutory investigations - e.g. Members of Parliament;
  • Disclosure, where necessary and appropriate, to government departments other than the Department of Health;
  • Disclosure to solicitors, to the police, to the Courts (including a Coroner's Court), and to tribunals and enquiries;
  • Disclosure to the media (normally the minimum necessary disclosure subject to explicit consent)

Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:

  • When there is a Court Order or a statutory duty to share patient data;
  • When there is a statutory power to share patient data;
  • When the patient has given his/her explicit consent to the sharing;
  • When the patient has implicitly consented to the sharing for direct care purposes;
  • When the sharing of patient data without consent has been authorised by the Confidentiality Advisory Group of the Health Research Authority (HRA CAG) under Section 251 of the NHS Act 2006

Patient information may be shared, for the purposes of providing direct patient care, with other NHS 'provider' organisations, such as NHS Acute Trusts (hospitals), NHS Community Health (primary care), NHS general practitioners (GPs), NHS ambulance services etc.

In such cases, the shared data must always identify the patient for safety reasons.

For the purposes of commissioning and managing healthcare, patient information may also be shared with other types of NHS organisations, such as the local Clinical Commissioning Group (CCG), and the Health & Social Care Information Centre (part of NHS England).

In such cases, the shared data is made anonymous, wherever possible, by removing all patient-identifying details, unless the law requires the patient's identity to be included.

Information sharing with non-NHS organisations

For the benefit of the patient, the Trust may also need to share patient health information with non-NHS organisations which are also providing care to the patient.

These may include social services or private healthcare organisations.

However, the Trust will not disclose confidential health information to third parties without the patient's explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires disclosure.

The Trust may also be asked to share basic information about its patients, such as names and addresses, which does not include sensitive health information.

Generally, the Trust would do this where it is necessary to assist an organisation to carry out its statutory duties.

These non-NHS organisations may include, but are not restricted to: social services, education services, local authorities, the police, voluntary sector providers, and private sector providers.

As it may not be practicable in such circumstances to obtain patients' explicit consent, the Trust is informing its patients through this notice, which is referred to as a Fair Processing Notice, under the Data Protection Act 1998.

Where patient information is shared with other non-NHS organisations, or for reasons other than direct patient care, it is good practice for an information sharing agreement to be drawn up to ensure that information is shared in a way that complies with all relevant legislation.

Refusing or withdrawing consent

The possible consequences of refusing consent will be fully explained to the patient at the time, and could include delays in receiving care.

In those instances where the legal basis for sharing of confidential personal information relies on the patient's explicit or implied consent, then the patient has the right at any time to refuse their consent to the information sharing, or to withdraw their consent previously given.

In instances where the legal basis for sharing information without consent relies on HRA CAG authorisation under Section 251 of the NHS Act 2006, then the patient has the right to register their objection to the disclosure, and the Trust is obliged to respect that objection.

In instances where the legal basis for sharing information relies on a statutory duty/power, then the patient cannot refuse or withdraw consent for the disclosure.

How long health records are retained

All patient records are destroyed in accordance with the NHS Retention Schedule, which sets out the appropriate length of time each type of NHS records is retained.

The Trust does not keep patient records for longer than necessary.

All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.

Raising a concern

Patients who have a concern about any aspect of their care or treatment at this Trust, or about the way their records have been managed, should contact the Patient Advice & Liaison Service (PALS).

Additionally, patients have the right to complain to the Information Commissioner if they should ever be dissatisfied with the way the Trust has handled or shared their personal information:

The Information Commissioner's Office (ICO)
Wycliffe House
Water Lane

Tel: 0303 123 1113 or 01625 545745
Information Commissioner's Office website (

Further information

To learn more about how the Trust uses, manages and maintains confidentiality of patient information, please speak to the health professionals concerned with your care, or contact:

The Information Governance Manager
IM&T Offices
The Great Western Hospital
Marlborough Road

Tel: 01793 605675

Report a problem with this web page

Please contact us at and we'll put it right.

Translate this page: