What is a Privacy Notice?
This is the Privacy Notice (also known as a 'Fair Processing Notice') for the University Hospitals of North Midlands NHS Trust. (UHMM), who is a data controller and therefore is able to decide the purposes for which any personal information is used.
- What information we collect about you
- Why we collect information about you
- How we use your information
- Who we may share your information with
- How long we store your information
A copy of the Privacy Notice, Accounts and Expenditure information and Policies can be found via the Trust's Publication Scheme by clicking on the link further down the page below. A paper copy can also be provided on request.
This page deals with identifiable information, legislated under the Data Protection Act (2018). If you wish to make a Freedom of Information Request (i.e. corporate, non-identifiable information, please click HERE
How We Protect Your Information:
- UHNM complies with the Data Protection Act 2018 and the Information Commissioner's registration requirements
- UHNM has to provide information for staff and patients about how it manages and handles identifiable data.
- The Data Security & Protection team are available to answer any queries. You can contact the team here - DSP.UHNM@uhnm.nhs.uk
- An information leaflet is available to download and can be kept as a reference guide - How We Use Your Personal Information. This information can also be provided verbally if requested, by contacting the PALS team using this link - contact the PALs team.
- If you wish to make a Complaint about the service you have received at UHNM you can do so by contacting the Complaints Team by using this link - contact the Complaints Team.
Version Control - v2 - 19.03.21
Contact Information for UHNM, Data Controller:
Royal Stoke University Hospital
Tel: 01782 715444
UHNM is registered to process personal and sensitive information under the Data Protection Act 2018
registration number is Z7476085
Page version control - v2 - 19/03/21
The Secretary of State for Health and Social Care has directed NHS Digital to collect and analyse data from providers and other organisations involved in managing the COVID-19 response.
This will help to manage and mitigate the spread and impact of the current outbreak of Covid-19. Sharing information more widely with other organisations will help to support planning and management of the response.
Organisations are required to process confidential patient information. If this is COVID 19 related, it will only be processed solely for COVID 19 in accordance with the Regulation 7 of COPI (which remains in force until March 2022)
- Understanding Covid-19 and risks to public health.
- Understanding the trends in Covid-19 and any risks.
- Controlling and preventing the spread of Covid-19 and any risks.
- Identifying and understanding information about patients or potential patients with or at risk of Covid-19.
- Understanding information about incidents of patient exposure to Covid-19.
- Management of patients with or at risk of Covid-19 including:
- Monitoring patients and collecting information including providing services in relation to:
- Fitness to work.
- Medical and social interventions.
- Recovery from Covid-19.
- Understanding information about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of Covid-19. This would include the availability and capacity of those services or that care.
- Monitoring and managing the response to Covid-19 by health and social care bodies and the Government including providing information to the public about Covid-19 and its effectiveness.
- Information about:
- Supplies and services including the workforce within the health services.
- Adult social care services.
- Delivering services and providing information in connection with Covid-19 to patients, clinicians, health services, adult social care services workforce and the public. This includes fit notes, the provision of health care and adult social care services and research and planning.
This notice is effective until 30th September 2021 and then may be extended further.
A Supplementary Privacy Notice has been drafted to cover the fair processing of data (including staff data in respect of COVID-19 testing) during COVID-19 and it can be found here.
As a result of COVID 19, UHNM have made arrangements to allow in-patients and their relatives to be able to communicate through a ‘face time’ option from the ward. Relatives and patients will also be given the opportunity to pass on messages through the PALS team by clicking on this link. Contact the PALs team.
Clinicians may use digital technology to conduct patient consultations and ward rounds. All technology is secure. Patient confidentiality will be maintained throughout.
Page version control - v5 - 23/09/21
The National Health Service and Community Care Act 1990 is the Trust’s source of 'Official Authority'.
To process personal information, UHNM needs to have a legal basis to do so. The main purpose is to process personal information in order to support healthcare activities. This is explained in Article 6 (lawfulness of processing) as part of the UK General Data Protection Regulation and Article 9 (processing of special categories of personal data).
The legal basis for using your data is dependent upon what we need to do with it. These include:
- Consent – To process your personal data, we need to obtain your consent. Where consent is the legal basis for processing, patients should be aware that they are able to withdraw that consent at any time.
- Contract – This is required to be in place with an individual, for example, a member of staff.
- Legal Obligation – This is necessary for UHNM to comply with the law.
- Vital Interest – This is necessary to protect someone's life.
- Public Task – This is necessary to perform a task in the public interest or for official functions. The task or function has a clear basis in law.
- Safeguarding concern, If there is a safeguarding concern, data may need to be shared.
For the purpose of providing you with healthcare, the Trust relies on:
- Article 6(1)(e) - processing is necessary for the purposes of a task carried out in the public interest or in the authority of official authority vested in the data controller.
- Article 9(2)(h) – processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment.
For research/auditing programmes looking at the outcomes/effects of COVID treatment, the Trust is using:
- Article 9(2)(i) Public Health - processing is necessary for reasons of public interest in the area of public health. This includes protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices on the basis of Union or Member State law.
Currently, the UK is experiencing a national emergency as a result of Corona Virus or Covid-19. As a health Trust we are required to provide information to the Government in relation to our patients and Covid-19.
UHNM is allowed to do this legally as a result of Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 (COPI).
Where the confidential patient information to be processed is required for a Covid-19 purpose. It will only be processed solely for that Covid-19 Purpose in accordance with Regulation 7 of COPI.
Further information on this can be found on the Covid-19 details above.
Below are your rights as identified by the Data Protection Act 2018 in relation to the personal data that we hold.
If you wish to exercise any of these rights, please contact the Data Security & Protection Team at firstname.lastname@example.org or by telephoning: 01782 676441.
The Trust will acknowledge your request within 2 days of receipt, explaining the process and projected timescale for completion.
UHNM will advise of any updates to this timescale if required.
As data subjects (both patients and staff), you have the right to:
- Access – You have the right to ask UHNM for copies of the personal information that is held about you. Details about how to do this are included in the section ‘How to Access your Information’.
- Rectification – You have the right to ask UHNM to correct any information you think is inaccurate or incomplete. This is subject to certain safeguards however, for more information please click here
- Erasure – You have the right to ask UHNM to erase your information in special circumstances. For more information about this please click here
- Restrict processing – You have the right to limit the way UHNM uses your personal data. If you are concerned about the accuracy of the data or how it is being used where appropriate, click here for more information here
- Object to processing – You have the right to object to the use of your information in certain circumstances. For more information please click here
- Data portability – You have the right to ask that UHNM to transfer any electronic information you have given to another organisation in certain circumstances.
- Automated processing - You have the right NOT to be subject to decision-making on the basis of any automated processing and you have the right to withdraw your consent to the processing/sharing of your information.
Page Version Control - v3 - 19/03/.21
UHNM has appointed a Data Protection Officer who is responsible for information and advising on data protection regulations and national law. The Data Protection Officer can be contacted by email at DPO.UHNM@uhnm.nhs.uk
Version Control - v2 - 19/03/21
The Trust undertakes Data Protection Impact Assessments (DPIA) on any projects which require the use of identifiable information.
These are available to view via the Freedom of Information process by contacting FOI@uhnm.nhs.uk
Version Control - v2 - 19/03/21
UHNM holds personal information on you in a variety of formats. These include paper records, electronic records and video/audio files. Patients who access from their own devices via secure Apps is also held.
Data is collected for patients as listed below, however any further data which may be of a more sensitive nature is called special category data.
- Names, including preferred or maiden name.
- Telephone number(s).
- Date of birth.
- NHS number.
- Email address.
- Your next of kin contact details.
- GP details.
- Power of Attorney status.
- Financial details, where we provide healthcare to private patients.
- Visual images, personal appearance and behaviour, for example CCTV images, images captured from drones and body-worn cameras are used as part of building security.
- Whether you are subject to any protection orders regarding your health, well-being and human rights (safeguarding status).
- Emergency Department Appointment Data, taken from NHS Digital's Emergency Department Digital Integration system (further details on this system can be found here).
- Healthcare records which include:
- Notes and reports about treatments and care.
- Details regarding any contact we have had through appointments, telephone calls and home visits.
- Details regarding medical conditions (physical and mental health) for both our patients and, on occasions and subject to patient consent, patients from other Trusts.
- Results of investigations, for example x-rays and laboratory tests.
- Future / current care needs.
- Details regarding agencies, healthcare professionals and relatives involved in your care.
- Racial or Ethnic origin.
- Sexual orientation.
- Genetic and biometric information.
- Sex life information.
- AV files, for internal and external use for both training and marketing purposes. This information will ONLY be shared with the data subject's EXPLICIT consent.
- Summary Care Record
- Prior to your appointment, your NHS Summary Care Record (SCR) will be available to view by the hospital staff involved in your care, unless you have previously opted out of having an SCR. Your SCR contains important information from your GP record including Health & Social Care Information Centre medications, allergies and any bad reactions to medicines. This information may also be added to the information held within the Integrated Care Record (One Health & Care) and further details of that can be found here
On occasions the Trust is required to place an Alert on a patient's record to advise staff of any issues that they may need to be aware of when treating the patient, such as any access difficulties for example. These Alerts are part of a rigorous review procedure which includes the proportionality of the alert to comply with the requirements of the Human Rights Act (Article 8).
Information we hold and process for staff, volunteers, job applicants and others:
- Employee details, job applicants, apprentices, complainants, enquirers, survey respondents, suppliers, professional experts, consultants, people captured in closed circuit television images.
- Staff details to allow for the on-line processing of staff COVID vaccination appointments, utilising current technology to facilitate the appointment for example QR Code
- Information for job applicants for the purposes of processing their application and ensuring equality and patient safety.
- In order to comply with statutory requirements and to facilitate the running of the UHNM, staff, volunteers and apprentices information may be shared with third parties that provide services to the UHNM.
- Staff, Volunteers and apprentices information will be processed as part of their contract / agreement with the Trust. This will be fully explained by The Human Resources team and / or your manager.
- Staff, volunteers and job applicants can contact the Trust Human Resources department for further information on how their information is processed.
Personal and confidential information is collected to help us provide you with the best possible care. This information can come from your GP, referrals, healthcare professionals involved in your care and yourself.
If you apply for a job or are employed at UHNM, we will collect your personal information.
The information provided may be used to:
- Provide healthcare services and treatment.
- Provide chaplaincy and pastoral care services.
- Ensure that money is used properly to pay for the services it provides.
- Investigate complaints, legal claims or important incidents.
- Make sure services are planned to meet patients' needs in the future.
- Review the care given to make sure it is of highest possible standard.
- Manage specialised services.
- Improve the efficiency of healthcare services by sharing information with other organisations (sometimes non-NHS/Social care). These include Age UK, Revival and/or Vast, for example, for a specific, justified purpose which is approved by UHNM's Caldicott Guardian.
- Check and report to our regulators on how well we are performing.
- Provide patient survey's for service improvements.
- Research (consent will always be sought to use your data for this purpose).
- Manage service workload by e-mailing appointment reminders, for example (where we have been provided with an e-mail address).
- Access to the National Summary Care Record (SCR) - staff may often access SCR to review patient records prior to a patient presenting for an outpatient appointment.
Page version control - v3 - 03.12.21
Your health records may be held in both paper and / or electronic format. UHNM will keep your health records for specified periods of time in accordance with the Records Management Code of Practice for Health and Social Care 2016.
Although there are exceptions and certain conditions affecting the length of time, UHNM will keep a health record for an adult for a period of 8 years after the last entry. A child’s record is kept until he/she reaches the age of 26 years old.
Page version control - v2 - 19/03/21
In order to provide you with the best possible healthcare, your personal information may be shared with:
- Other NHS organisations, including other NHS Trusts, Ambulance Service, GPs, etc.
- Other NHS organisations who UHNM are collaborating with to provide joint services, for example, the Integrated Care Record where UHNM is working collaboratively with other partners in the region (GP Practices, Local Authorities, other Hospital Trusts – Acute, Community and Mental Health) as well as Commissioning Groups to create an integrated care record which will contain data about all patients seen and treated at either of the UHNM Hospitals. This is not the full record but a snapshot of the data held to help clinicians to provide the most appropriate care. Also, the West Midlands Digital Pathology Network or the initiative developed by Stoke CCG to manage the healthcare of the city's Homeless. For further information, see the 'One Health & Care' link
- Non-NHS organisations that are involved in your care, for example: Social Services, Private Care Homes, Local Councils, Voluntary and Private Sector Providers, Charities, community pharmacies etc.
- Non-NHS organisations, with whom we have robust contractual arrangements who undertake services on our behalf for example Remote Monitoring of patients for the purposes of providing direct healthcare
- Non-NHS Organisations that we are mandated to share with for example Cancer Registries, Public Health Notifications, Renal Disease Registries
- Non-NHS organisations who may contact you if we feel that you will benefit from the services they offer - you are under no obligation to accept and any refusal will not affect future treatment or care by UHNM.
As part of a legal requirement, the Trust has a duty to share your information and includes, but is not limited to:
- Disclosure to the Police for the prevention and detection of crime.
- Prevention and detection of fraud.
- Disclosure under a Court Order.
- Disclosure & Barring Service – for employment/recruitment purposes.
- In the public interest to prevent abuse or serious harm to others.
- Our obligation under a Duty of Contract with:
- Clinical Commissioning Groups.
- NHS Digital.
- Public Health England.
- Care Quality Commission.
- Third parties contracted via NHS England.
- Other Commissioning Support Providers.
- National Immunisation Vaccination Service for Healthcare Workers (NIVs) - this is a NHS England initiative and further information can be found here.
- NHS111 (via a System called EDDI) which allows a patient to call to make an appointment at A&E. You can find out more information about NHS111 here.
- Evidence for External Accreditations (for example DSP Toolkit)
- National Congenital Anomaly & Rare Disease Registration Service - national survey managed by Public Health England
Sharing your personal information with other organisations is always governed by specific legislation and transferred in accordance with the requirements of the legislation and the NHS Confidentiality Code of Conduct, including the use of a Secure Portal.
If you have any questions regarding the sharing of your data please contact DPO.UHNM@uhnm.nhs.uk
As part of the treatment pathway for patients being treated for COVID within the Community, an agreement has been reached with Staffordshire Fire & Rescue Service whereby we share patient demographic details to allow the service to deliver medication to patients at home. This is to reduce the numbers of patients who have to attend the hospital.
In addition, due to the current Covid-19 restrictions on patient visiting, a process for patients' relatives and carers has been put in place so that you are able to receive up to date information.
The patient will be required to provide staff with a 'password' which friends and relatives can quote when ringing for updates. This will be explained to the patient on admission.
Alternatively, patients can contact the PALs team who will be able to provide the patient information update.
Page version control - v9 - 12.08.22
How to access your information
Under the Data Protection Act 2018 and the UK General Data Protection Regulation you can make a request for:
- A copy of all or a specific piece of information the Trust holds about you.
- How and why we process your information.
- Who we share your information with
For Data held in your health record:
For data held in your health record you will need to make a formal request to the Health Records team. Further information can be found on the Health Records page and Access to Health Records Leaflet.pdf
The team can be contacted at email@example.com
For Data held in your staff record:
Staff records need to be requested through your Line Manager or the HR Department.
For Data not held in your Health or Staff Record:
Certain information, such as emails held on the Trust servers, do not form part of your health or staff record and therefore any requests made as part of a Complaint or a general Subject Access request, will be dealt with by the relevant team who will liaise with the Information Security team.
Alternatively, a request can be made direct through the personal data request process by emailing PDR@UHNM.nhs.uk
Renal Patients are able to access their condition-specific information via a patient portal.
The Information Commissioners Office (ICO) is an independent body which regulates the Trust under Data Protection and Freedom of Information legislation.
The Trust is registered with the ICO
Registration Number - Z6476085.
Contact details for the ICO:
Information Commissioner's Office
Cheshire, SK9 5AF
Telephone: 0303 123 1113
Changes to this Privacy Notice
We will keep this privacy notice under regular review. Each page has its own version control identifying when the page was last updated.
The Information Commissioner's Office has made a statement about their working arrangements as a result of the COVID-19 Epidemic. You can read their updated information here.
Page version control - v2 - 19/03/21
How the NHS and care services use your information
UHNM is one of many organisations working in the health and care system to improve care for patients and the public.
Important information about you is collected in a patient record for that the service you are using, for example, Accident and Emergency or Services in the Community. Collecting this information helps to ensure you get the best possible care and treatment and can also be used and to provide other organisations with data for the purposes of your individual care. These include:
- Research into the development of new treatments.
- Preventing illness and diseases.
- Monitoring safety.
- Planning services.
This information and any patient confidential information will only be used when there is a clear legal basis to use it.
Most of the time, anonymised Data is used for research and planning is usually anonymised so that you cannot be identified and therefore your confidential patient information is not required.
You have a choice about whether you want your confidential patient information to be used in this way, and if you are happy with this, you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.
This web page includes:
- Explaining what is meant by confidential patient information.
- Examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care.
- Benefits of sharing data.
- Understanding more about who uses the data.
- Finding out how your data is protected.
- Being able to access the system to view, set or change your opt-out setting.
- Details of contact telephone number(s and if you want to set/change your opt-out by phone.
- Situations where the opt-out will not apply.
Further details of how patient information is used is at:
- https://www.hra.nhs.uk/information-about-patients/This covers health and care research.
- https://understandingpatientdata.org.uk/what-you-need-know This covers how and why patient information is used, the safeguards and how decisions are made.
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes. Data is only used in this way with your specific agreement.
Health and care organisations have until 2020 to put systems and processes in place to enable compliance with the national opt out scheme which allows you to choose how your confidential patient information is used and shared for the purposes beyond your individual care.
Page version control - v2 - 19/03/21
UHNM is working collaboratively with other partners in the region (GP Practices, Local Authorities, other Hospital Trusts – Acute, Community and Mental Health) as well as Commissioning Groups to create an integrated care record which will contain data about all patients seen and treated at either of the UHNM Hospitals. This is not the full record but a snapshot of the data held to help clinicians to provide the most appropriate care.
This will be a central library of information that each organisation can access (for their own patients only) so that clinicians will have a complete picture of a patients' needs, medications etc.
More information on this initiative can be found by accessing the One Health and Care website by clicking here
Page version control - v3 - 13.07.21
In some circumstances it may be necessary to transfer your personal information overseas. If this is required, information will only be shared within the European Economic Area (EEA) unless additional safeguards have been put in place to protect your information.
Any transfers that do take place will be made in full compliance with all aspects of Data Protection legislation and you will be informed by the Trust beforehand.
Page version control - v2 - 19/03/21
UHNM makes use of CCTV systems, including body worn cameras and images captured from drones. These are used as part of building security for crime prevention in line with the Information Commissioners CCTV code of practice. You have a right of access if you wish to request your data captured on CCTV.
Page version control - v2 - 19/03/21
If you have any questions about our Privacy Notice or information we hold about you, please contact:
Data Security & Protection Team, DSPUHNM@uhnm.nhs.uk
the Trust’s Data Protection Officer DPO@uhnm.nhs.uk
If you would like to make a complaint about how your information is being used you can discuss your concerns with our Patient Advice and Liaison Service (PALS) Email: firstname.lastname@example.org) or you can contact our Complaints Department, email: email@example.com)
For further information please see the complaints leaflet.
Royal Stoke PALS office, situated inside the main building entrance
Monday to Friday between 9.00am and 4.00pm (excluding bank holidays).
Tel: 01782 676450 / 01782 676455 / 676435
County Hospital PALS office situated inside the main entrance is open
Monday to Friday 9:00am to 5:00pm (excluding bank holidays).
Tel: 08000 407060 / 08000 721 646
If you want to contact us in writing please use the below address:
Chief Executive OR Chief Nurse
University Hospitals of North Midlands
Royal Stoke University Hospital
The University Hospitals of North Midlands Trust is committed to the Freedom of Information Act 2000.
The NHS is facing unprecedented challenges relating to the COVID-19 at the current time and understandably our resources have been diverted to support our front-line colleagues who are working tremendously hard to provide care for our patients and to those in need of our services. During this time it is likely that responses to some requests for information may be delayed. We will endeavour to provide you with as much information as we can as soon as we can. UHNM continues to strive to be transparent and to work with an open culture. The Information Commissioner's Office has recognised the current situation in the NHS.
Page version Control - v2 - 19/03/21
UHNM will engage with other organisations on projects which may involve sharing patient data. Such sharing is always undertaken in a lawful way, according to the Data Protection Act (2018).
We include below links to the projects currently approved:
One Health & Care (an Integrated Care Record) - https://www.twbstaffsandstoke.org.uk/about-us/our-work/one-health-and-care
Patient Health Record (PHR) - This is part of the One Health & Care Integrated Care Record and allows the patient to access elements of their own record via an App - https://www.twbstaffsandstoke.org.uk/about-us/our-work/one-health-and-care/personal-health-record-privacy-notice
Team Prevent (for staff Occupational Health) - https://www.teamprevent.co.uk/storage/user/Privacy_Statement_TEAM_PREVENT.pdf
COVID-19 – Supplementary Privacy Notice - http://www.uhnm.nhs.uk/media/3369/supplementary-privacy-note-on-covid-19-for-patients.docx
Keele University - https://www.keele.ac.uk/privacynotices/privacynotice-students/
Smart with your Heart (NHS Test Bed project for Heart Failure patients; Cardiac Re-hab patients and Community Heart patients):
Florence 'FLO' - https://legal.mediaburst.co.uk/
Recap Health - https://health2works.com/privacy-policy/
NHS Secure Boundary - a service managed by NHS Digital to improve the detection of cyber security threats to NHS organisations' internet breakout traffic. -
Page Version Control - v7 - 09/06/22
UHNM uses a number of different methods to communicate with our patients which have been reviewed by the Data Security & Protection team. UHNM can assure patients that the most secure methods are used you will be made aware of which method before making contact.
- Writing to you.
- Text message. This may be used if a clinic appointment needs to be rescheduled and we need to contact you quickly.
- Email. This may be as part of the One Health and Care Project (see further information on this above) and Electronic appointment letters may be sent.
- Video conferencing. This is sometimes advantageous when staff are working remotely.
- Video Diagnosis - We may use video conferencing to help clinicians when making a diagnosis if the patient is not able to attend Clinic
- Secure App. You may be offered the opportunity to provide updated information via a secure app.
We may send electronic appointment letters or, on occasions, we may contact you by video conferencing. We may even offer you the opportunity to make contact with us to provide updated information via a Secure App which allows you to provide us with updated information.
If you have any questions about how we contact our patients, please contact that Data Security & Protection Team (DSPUHNM@uhnm.nhs.uk)
Page version control - v4 - 18/06/21
Now that the UK has formally left the EU, this has had an effect on the Trust's practices in terms of data being transferred to and from the EU.
The Trust's Data Security & Protection team have been following the Government's guidance (together with the guidance provided by the Information Commissioner's Office and NHS Digital) and has taken steps to assure itself that any data held off-shore (most usually via a Supplier's Cloud Storage arrangements) can be retrieved at any time.
Along these lines, the Trust is also making appropriate arrangements to provide assurance of data security for any information which may held (or processed) in the United States. Such processing is most usually an element of our contractual arrangements with Suppliers which may include maintenance support by those suppliers.
Page Version Control - v1 - 28.1.21
Your duty to inform us of changes
It is important that you keep us updated of any changes to your personal information to ensure that all the information we hold is accurate and current.