Privacy Notice - How we use your information


We respect your right to have your personal information kept private, protected and secure when you communicate with us, whether electronically or on paper. This may be through our various websites, social media, offline programs and events.

How to access your information

The Data Protection Act 2018 and the General Data Protection Regulation (GDPR) 2018 give you the right to see the information that UHNM holds about you, how and why we process your data, and who we will share your data with. Find out more on our Health Records page.

What is a Privacy Notice?

A privacy notice is a statement that describes how UHNM collects, uses, retains and discloses personal information. Different organisations sometimes use different terms and it can also be referred to as a 'privacy statement', a 'fair processing notice' or a 'privacy policy'.

To ensure that we process your personal data fairly and lawfully we are required to inform you:

  • Why we need your data
  • How it will be used and processed
  • Who it will be shared with

This information also explains what rights you have to control how we use your information.

The law determines how organisations can use personal information. The key laws are the General Data Protection Regulation (GDPR), the Health and Social Care Act 2016, the Human Rights Act 1998 (HRA), relevant health service legislation and the common law duty of confidentiality.

Within these pages we describe instances where UHNM is the "Data Controller" for the purposes of Data Protection, and where we direct you to another hospital or treat you here to help deliver better healthcare, or to assist the management of healthcare services.

UHNM recognises the importance of protecting personal and confidential information in all that we do and all we direct or commission, and takes care to meet its legal duties.

This part of the privacy notice outlines the management of the notice, contact details and other access to information legislation.

Staff Privacy Notice

Complaints about how we process your personal information

In the first instance, you should contact

Data Protection Notification

UHNM is a 'data controller' under the General Data Protection Regulations, which means we have to register with the Information Commissioner on how we use your personal information and protect it against unauthorised access.

We have notified the Information Commissioner that we process personal healthcare data and the details are publicly available from:

Information Commissioner's Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF


Data Protection Officer

The Trust has appointed a Data Protection Officer who is responsible for informing and advising UHNM on data protection regulations and national law or data protection provisions, and who can be contacted via:


How to contact us

Please contact us if you have any questions about our privacy notice or information we hold about you:

Information Governance Team
Telephone: 01782715444


Your information

What information do we collect about you?

We only collect and use your information for the lawful purposes of treating you with the care that you need. These purposes include:

  • Accounting and Auditing
  • Accounts and records
  • Advertising, marketing & public relations
  • Consultancy and Advisory services
  • Crime prevention and prosecution of offenders
  • Education
  • Health administration and services
  • Information and databank administration
  • Research
  • Sharing and matching of personal information for national fraud initiative
  • Staff administration
  • Audit



What types of personal data do we handle?

We process personal information to enable us to provide healthcare services to patients, maintain our own accounts and records, promote our services, and to support and manage our employees.

We also use information to support and monitor the health services to enable the delivery of high quality healthcare. This type of information will usually be provided so that we cannot identify you as an individual. However, we may under special circumstances use your identifiable information.


The types of personal information we use include:

  • personal details such as names, addresses, telephone numbers
  • family details for example next of kin details
  • health care records such as treatments or procedures you have received at UHNM
  • education and training, most frequently of clinicians
  • employment details, for example for those that work for us either directly or are commissioned by us to provide a service
  • financial details, where we provide healthcare to private patients
  • visual images, personal appearance and behaviour, for example if CCTV images are used as part of building security


How will we use information about you?

Your information is used to run and improve health services at UHNM and across Staffordshire and the Welsh border. It may be used to:

  • Ensure that money is used properly to pay for the services it provides
  • Investigate complaints, legal claims or important incidents
  • Make sure services are planned to meet patients' needs in the future
  • Review the care given to make sure it is of the highest possible standard
  • To manage specialised services
  • To improve the efficiency of healthcare services, by sharing information with other organisations (sometimes non-NHS) for a specific, justified purpose and approved by UHNM's Caldicott Guardian
  • Check and report to our regulators on how well we are performing.
  • Patient surveys for service improvements

We may keep your information in written form or on a computer. Whenever possible all information that identifies you will be removed.


Other reasons for sharing your information

There are a number of reasons why we share information. This can be due to:

  • Our obligations to comply with current legislation
  • Our duty to comply with a Court Order
  • You have consented to disclosure
  • Our obligation under a Duty of Contract with Clinical Commissioning Groups, NHS Digital, Public Health England, Third parties contracted via NHS England and other Commissioning Support providers
  • For crime and disorder


Retaining information

We will only retain information for as long as necessary. Records are maintained in line with NHS Digital's retention schedule, which determines the length of time records should be kept.


Security of your information

We take our duty to protect your personal information and confidentiality seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper. We have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a 'Caldicott Guardian' who is responsible for the management of patient information and patient confidentiality.

All staff are required to undertake annual data security training and agree to the Confidentiality Code of Conduct imposed on all NHS Employees. Under the NHS Confidentiality Code of Conduct, all our staff are required to protect your information, and inform you of how your information will be used. This includes, in most circumstances, allowing you to decide if and how your information can be shared.

Everyone working for the NHS is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by law.

Data Protection Impact Assessment (DPIA) disclosure log

It is a mandatory requirement that the Trust reviews all processes that are considered to be high risk processing. High risk processing encompasses:

  • automated processing
  • large scale processing of special categories data, including health data
  • systematic monitoring of a public area

As part of UHNM's data protection transparency agenda, the Trust will publish details of the DPIAs. Those approved since 1st October 2018 are listed below.

| Category | DPIA Summary | Division | DPO Sign Off | ICO Risk Notification Required |
|---|---|---|---|---|
| Service Provision | Provision of Day Case Endoscopy Procedures | Medicine | 29/10/2018 | NO |
| Service Provision | Provision of Cardiothoracic Theatres Support | Specialised | 23/01/2019 | NO |

Changes to our Privacy Notice

We keep our privacy notice under regular review and will place any updates on this webpage. This notice was last updated on 14th March 2019.