Patients

This notice relates to identifiable personal data, governed by the Data Protection Act 2018.

If you are seeking non-personal or corporate information under the Freedom of Information Act, please click here  

University Hospitals of North Midlands NHS Trust (UHNM) provides high-quality healthcare services across Staffordshire and beyond. We operate two main hospitals, Royal Stoke University Hospital and County Hospital in Stafford, delivering specialist, emergency, and routine care. Our dedicated staff work to improve patient outcomes through innovation, compassion, and excellence in clinical practice, education, and research.

Royal Stoke University Hospital
Newcastle Road
Stoke-on-Trent
Staffordshire
ST4 6QG
Tel: 01782 715444

UHNM is registered to process personal and sensitive information under the Data Protection Act 2018
registration number is Z7476085

Interested in Working at UHNM?
Visit our Vacancy Page to explore current job opportunities.

University Hospitals of North Midlands NHS Trust (UHNM) has appointed a Data Protection Officer (DPO) in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The DPO is responsible for:

• Overseeing UHNM’s compliance with data protection legislation
• Advising on the Trust’s legal obligations
• Acting as a point of contact for individuals regarding their data protection rights

You can contact the Data Protection Officer at: DPO.UHNM@uhnm.nhs.uk

University Hospitals of North Midlands NHS Trust (UHNM) collects and holds personal information in various formats, including paper records, electronic systems, and audio/video files. Information accessed by patients via secure apps on personal devices is also securely stored.

We collect personal and special category data to provide safe, effective care. This includes:

Personal Information:

• Full name (including preferred or maiden name)
• Date of birth
• NHS number
• Contact details (telephone, email)
• Next of kin and GP details
• Power of Attorney status
• Financial details (for private healthcare)
• Visual images (e.g. CCTV, drone footage, body-worn cameras for security)
• Protection orders or safeguarding status
• Emergency Department appointment data (via NHS Digital’s
• Emergency Department Digital Integration system here)

Healthcare Records:

• Notes and reports on treatment and care
• Appointment history, phone calls, and home visits
• Medical conditions (physical and mental health)
• Test results (e.g. x-rays, lab reports)
• Current and future care needs
• Involvement of other agencies, professionals, and relatives

Special Category Data:

• Racial or ethnic origin
• Sexual orientation
• Genetic and biometric data
• Sex life information

Additional Information:

• Audio/visual files used for training or marketing (only with explicit consent)
• Geolocation tracking of medical devices (please note that this is location of the device only)
• Summary Care Record (SCR): Contains key GP information (e.g. medications, allergies) and may be shared with hospital staff unless you’ve opted out. This may also be added to the Integrated Care Record (One Health & Care). Further details of that can be found here
• Personal Demographic Service (PDS): Helps healthcare professionals match patients to records and communicate via text/email. Further information about PDS can be found here

Alerts on Patient Records:

In some cases, UHNM may place an alert on a patient’s record to inform staff of specific considerations (e.g. access needs). These alerts are subject to a rigorous review process to ensure proportionality and compliance with Article 8 of the Human Rights Act.

Your data may be used for the following purposes:

• Healthcare delivery – To provide you with appropriate treatment and care.
• Chaplaincy and pastoral care – To support your spiritual and emotional wellbeing.
• Financial accountability – To ensure public funds are used appropriately.
  Complaints and incident investigations – To review and respond to concerns or legal claims.
• Service planning – To help design services that meet future patient needs.
• Quality assurance – To review and improve the standard of care provided.
• Specialised service management – To coordinate and deliver targeted healthcare services.
• Collaborative care – To share information with approved external organisations (e.g. Age UK, Revival, Vast) for specific, justified purposes, authorised by UHNM’s Caldicott Guardian.
• Regulatory reporting – To demonstrate performance and compliance to oversight bodies.
• Patient feedback – To gather insights through surveys for service improvement.
• Research – Only with your explicit consent, your data may be used for ethically approved research.
• Appointment management – To send reminders and updates via email (where provided).
• Summary Care Record (SCR) – Hospital staff may access your SCR prior to outpatient appointments, unless you have opted out. This includes key GP information such as medications, allergies, and adverse reactions.

We take the security and confidentiality of your personal information very seriously. When you share your data with us, we ensure it is stored safely and handled in line with data protection laws.

Secure Systems
Your information is stored on secure NHS systems that are protected by strong technical safeguards. These systems are regularly monitored and updated to prevent unauthorised access, loss, or misuse.

Access Controls
Only authorised staff who need access to your information to provide care or support are able to view your records. All staff are trained in data protection and confidentiality.

Retention and Disposal
We keep your data only for as long as necessary, in line with NHS records management policies. When your information is no longer needed, it is securely deleted or destroyed.

Paper Records
If any of your information is held in paper format (e.g. forms or letters), it is stored in locked cabinets or secure areas with restricted access.

Backups and Recovery
We maintain secure backups of your data to ensure it can be recovered in the event of a system failure. These backups are also protected and stored securely.

At UHNM, we are committed to safeguarding your personal data. Your privacy and trust are important to us, and we take every measure to protect your information.

UHNM is committed to safeguarding your data. We ensure:

• Full compliance with the Data Protection Act 2018 and the Information
• Commissioner’s Office (ICO) registration requirements.
• Clear guidance for patients and staff on how we manage identifiable data.

Support from our Data Security & Protection Team, who can be contacted at: DSPuhnm@uhnm.nhs.uk 

University Hospitals of North Midlands NHS Trust (UHNM) processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. As a public authority, UHNM’s official authority to process data is derived from the National Health Service and Community Care Act 1990.

Legal Grounds for Processing

To process personal data, UHNM must have a valid legal basis. The appropriate basis depends on the nature and purpose of the processing.

These include:

• Consent – Where required, we will seek your explicit consent. You have the right to withdraw your consent at any time.
• Contract – Necessary for fulfilling contractual obligations, such as employment contracts.
• Legal Obligation – Required to comply with legal duties.
  Vital Interests – Necessary to protect someone’s life.
• Public Task – Necessary for performing a task in the public interest or under official authority.
• Safeguarding – Where there is a safeguarding concern, data may be shared to protect individuals at risk.

Healthcare Provision
For the delivery of healthcare services, UHNM relies on the following legal bases:

• Article 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or under official authority.
• Article 9(2)(h) – Processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, and the provision of health or social care.

Purpose of Processing

University Hospitals of North Midlands NHS Trust (UHNM) has a legal and ethical duty to safeguard children, young people, and adults at risk. To fulfil this duty, we may need to collect, use, and share personal information to identify and respond to safeguarding concerns.

What Information We Collect
Safeguarding information may include:

• Personal details (e.g. name, date of birth, contact information)
• Health and social care records
• Details of safeguarding concerns or incidents
• Information about family members or carers
• Risk assessments and professional opinions
• Outcomes of safeguarding investigations

Lawful Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing safeguarding information are:

• Article 6(1)(c) – Processing is necessary for compliance with a legal obligation
• Article 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority
• Article 9(2)(b) – Processing is necessary for carrying out obligations and exercising specific rights in the field of social protection law
• Article 9(2)(g) – Processing is necessary for reasons of substantial public interest (safeguarding of individuals at risk)

How We Use and Share Your Information

We use safeguarding information to:

• Assess and manage risks to individuals
• Make referrals to appropriate safeguarding bodies
• Support multi-agency safeguarding investigations
• Fulfil our statutory duties under the Children Act 1989, Care Act 2014, and other relevant legislation

We may share safeguarding information with:

• Local authorities (e.g. social services)
• Police and other law enforcement agencies
• NHS organisations and healthcare professionals
• Education providers
• Regulatory bodies (e.g. CQC)
• Other safeguarding partners as appropriate

We only share information where it is lawful, proportionate, and necessary to protect individuals from harm.

Retention of Data
Safeguarding records are retained in accordance with UHNM’s Policy DSP16 Information Lifecycle & Records Management and the Records Management: NHS Code of Practice. Retention periods vary depending on the nature of the safeguarding concern and the individual’s circumstances.

Your Rights
You have rights under UK GDPR, including the right to access your personal data. However, in safeguarding cases, some rights may be restricted to protect individuals or prevent harm.

For more information or to exercise your rights, please contact the DSP Team DSPUHNM@UHNM.nhs.uk 

University Hospitals of North Midlands NHS Trust (UHNM) uses a range of secure communication methods to ensure patients receive timely and appropriate information. All communication channels are reviewed and approved by the Data Security & Protection Team, and patients will be informed of the method being used before contact is made.

Approved Communication Methods

• Written correspondence – Letters sent to your registered address.
• Text messages – Used for urgent updates, such as rescheduling clinic appointments.
• Telephone calls – For direct communication with patients or their representatives.
• Email – May be used for appointment letters or updates, including communications related to the One Health and Care project.
• Video conferencing – Used for remote consultations or when staff are working off-site.
• Video diagnosis – Enables clinicians to assess patients remotely when in-person attendance is not possible.
• Secure apps – Patients may be invited to provide updated information via a secure digital platform.
• Patient Portal - UHNM is pleased to offer patients access to Patients Know Best (PKB) – a secure, online patient information portal that allows you to view and manage your health information from any smartphone, tablet, or computer. Further information can be found under the Specific Projects section of this privacy notice.

UHNM may send electronic appointment letters, offer video consultations, or invite patients to update their details through a secure app. All methods are selected to ensure confidentiality, security, and convenience.

To provide you with safe, effective, and coordinated care, University Hospitals of North Midlands NHS Trust (UHNM) may share your personal information with a range of organisations. All sharing is governed by strict legal, ethical, and security standards.

1. NHS Organisations
Other NHS Trusts, Ambulance Services, GPs, and NHS bodies involved in your care.

Collaborative NHS services such as:

• Wayfinder App (via NHSE) – allows patients to view outpatient appointments through the NHS App.
• Integrated Care Record (One Health & Care) – a regional initiative involving GP practices, local authorities, hospital trusts (acute, community, mental health), and commissioning groups. This provides clinicians with a snapshot of relevant patient data to support care.
• West Midlands Digital Pathology Network
• Stoke CCG Homeless Healthcare Initiative

2. Non-NHS Organisations Involved in Your Care

• Social Services, Local Councils, Private Care Homes, Charities, Community Pharmacies, and other voluntary or private sector providers.

3. Non-NHS Organisations Providing Services on UHNM’s Behalf

• Organisations contracted to deliver direct healthcare services, such as remote patient monitoring.

4. Mandated Sharing with National Bodies

• Cancer Registries, Renal Disease Registries, Public Health England, Infected Blood Compensation Authority, and other statutory bodies.

5. Non-NHS Organisations Offering Support Services

• Where UHNM believes you may benefit from external services, we may share your information with relevant organisations. You are under no obligation to engage, and refusal will not affect your care by UHNM e.g. Keep Well Keep Warm initiative and further details for this initiative are included in the One Health & Care Privacy Notice here

The National Data Opt-Out allows patients to choose whether their confidential health information can be used for research and planning purposes beyond their individual care.

How the NHS and Care Services Use Your Information
University Hospitals of North Midlands NHS Trust (UHNM) is part of a wider health and care system that collects and uses patient information to improve care and services. Information about you is recorded when you access services such as Accident & Emergency or community-based care. This helps ensure you receive the best possible treatment and may also be used to support broader health and care initiatives.

Purposes Beyond Individual Care
Your confidential patient information may be used for:

• Research into new treatments
• Preventing illness and disease
• Monitoring safety
• Planning and improving services

This information is only used when there is a clear legal basis to do so. In most cases, data used for research and planning is anonymised, meaning you cannot be identified, and your confidential information is not required.

Your Right to Choose
You have the right to decide whether your confidential patient information is used for purposes beyond your individual care. If you're happy for your data to be used in this way, you do not need to take any action.

If you choose to opt out, your confidential patient information will still be used to support your direct care, but not for research or planning purposes. You can change your choice at any time.

How to Opt Out

To learn more or to set your opt-out preferences, visit: www.nhs.uk/your-nhs-data-matters 

This website provides:

• A clear explanation of what confidential patient information is
• Examples of how data is used for care and beyond
• Information on data protection and safeguards
• Access to view, set, or change your opt-out status
• Contact details for support, including phone options
• Situations where the opt-out does not apply

Additional Resources
Further details of how patient information is used is at:

• https://www.hra.nhs.uk/information-about-patients/ This covers health and care research.
• https://understandingpatientdata.org.uk/what-you-need-know  This covers how and why patient information is used, the safeguards and how decisions are made.

Important Note: Data used for purposes beyond individual care is not shared with insurance companies or used for marketing without your explicit consent.

Health and care organisations were required to implement systems to support the National Data Opt-Out by 2020.

University Hospitals of North Midlands NHS Trust (UHNM) is committed to maintaining the highest standards of transparency and accountability in its handling of personal data. As part of this commitment, UHNM conducts Data Protection Impact Assessments (DPIAs) for all projects and initiatives that involve the use of identifiable personal information.

DPIAs are a vital tool for identifying, assessing, and mitigating data protection risks before any processing begins. They help ensure that privacy considerations are embedded into the design of services and systems from the outset, in line with the principles of UK GDPR and the Data Protection Act 2018.

By undertaking DPIAs, UHNM demonstrates its proactive approach to safeguarding personal data and its dedication to openness in how data protection decisions are made. These assessments reflect our responsibility to uphold the rights of individuals and maintain public trust.

Copies of completed DPIAs are available upon request through the Freedom of Information (FOI) process, subject to any applicable exemptions.

To make a request, please contact: FOI@uhnm.nhs.uk  

In certain circumstances, it may be necessary for University Hospitals of North Midlands NHS Trust (UHNM) to transfer your personal information outside of the United Kingdom.

Where this is required:

Transfers will typically be limited to countries within the European Economic Area (EEA), which are subject to equivalent data protection standards.

Where data is stored or processed outside the EEA, including in the United States, UHNM ensures that appropriate safeguards are in place. This includes:

• Reviewing supplier cloud storage arrangements
• Ensuring data can be retrieved securely and promptly
• Implementing contractual protections such as Standard Contractual Clauses (SCCs)

If data needs to be transferred outside the EEA, additional safeguards will be implemented to ensure your information is protected. These may include:

• Standard contractual clauses approved by the Information Commissioner’s Office (ICO)
• Binding corporate rules
• Adequacy decisions by the UK Government

All international transfers will be carried out in full compliance with the UK GDPR and Data Protection Act 2018. You will be informed in advance if your data is to be transferred outside the UK or EEA.

Supplier Relationships
Some data processing may occur as part of contractual arrangements with suppliers, including:

• Cloud-based storage solutions
• Maintenance and technical support services
• Remote access for system troubleshooting

UHNM’s Data Security & Protection Team follows guidance from the UK Government, Information Commissioner’s Office (ICO), and NHS Digital to ensure all international data transfers are lawful, secure, and transparent.

University Hospitals of North Midlands NHS Trust (UHNM) uses CCTV systems, including body-worn cameras and drone-captured images, as part of its building and site security measures. 

These systems are used to:

• Prevent and detect crime
• Ensure the safety of patients, staff, and visitors
• Protect Trust property and assets

All CCTV usage is in line with the Information Commissioner’s Office (ICO) CCTV Code of Practice and complies with data protection legislation.

Your Rights
If you believe your image or personal data has been captured by UHNM’s CCTV systems, you have the right of access to request a copy of that footage, subject to certain legal and operational limitations.
To make a request, please contact the Data Security & Protection Team: dspuhnm.uhnm@nhs.uk  

Cookies are small text files stored on your device by websites you visit. They help websites recognise your device, remember your preferences, and improve your browsing experience.

UHNM uses cookies to:

• Remember your accessibility preferences
• Collect anonymous website usage data via Google Analytics, helping us understand how visitors use our site and identify areas for improvement

By continuing to use our website, you consent to the use of cookies as described above.

Managing Cookies
You can manage or disable cookies through your browser settings. For more information about cookies and how to control them, visit: www.allaboutcookies.org      

To support the delivery of high-quality care, University Hospitals of North Midlands NHS Trust (UHNM) uses Artificial Intelligence (AI) technologies in selected clinical and operational areas.

AI refers to the use of digital systems that can perform tasks typically requiring human intelligence, such as pattern recognition, decision support, and data analysis.

How AI Is Used at UHNM

• AI tools may assist clinicians in interpreting diagnostic results, identifying trends, or supporting decision-making.
• AI may be used in imaging, remote monitoring, and predictive analytics to enhance patient care and service efficiency.

Important Note:
AI systems at UHNM do not make decisions independently. All outputs from AI tools are reviewed by qualified healthcare professionals, who remain responsible for all clinical decisions.

Your Rights and Assurance

• AI use is governed by data protection legislation and ethical standards.
• Any personal data processed by AI systems is handled securely and lawfully.
• You will be informed if AI is used as part of your care pathway.

For further information about how UHNM uses AI, please contact the Data Security & Protection Team: DSPUHNM@uhnm.nhs.uk  

Under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), you have specific rights regarding the personal data UHNM holds about you.

If you wish to exercise any of these rights, please contact the Data Security & Protection Team at: dspuhnm.uhnm@nhs.uk  or 01782 676441

We will acknowledge your request within 2 working days, explain the process, and provide an estimated timescale for completion. Updates will be provided if the timescale changes.

Your Rights Include:
Right of Access
You can request copies of the personal information UHNM holds about you. See the section How to Access Your Information for details.

Right to Rectification
You can ask us to correct inaccurate or incomplete information. This is subject to certain safeguards, for more information please click here

Right to Erasure
You may request that we delete your personal data in specific circumstances. For more information about this please click here

Right to Restrict Processing
You can ask us to limit how your data is used, for example, if you contest its accuracy or object to its use, click here for more information here

Right to Object
You can object to the processing of your data in certain situations. For more information, please click here

Right to Data Portability
You can request that your electronic data be transferred to another organisation, where applicable.

Rights Related to Automated Decision-Making
You have the right not to be subject to decisions made solely by automated processing. You also have the right to withdraw your consent to data processing or sharing at any time.

Under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), you have the right to request access to the personal information UHNM holds about you. 

This includes:

• A copy of all or specific pieces of your personal data
• Details on how and why your data is processed
• Information on who your data is shared with

Accessing Your Health Records
To request access to your health records, please contact the Health Records Team.

nos-tr.ministries@nhs.net  Further information can be found here: Access to Health Records Leaflet

Accessing Your Staff Records
Staff wishing to access their employment records should make a request through their Line Manager or the Human Resources Department.

Accessing Other Personal Data
For data not held in your health or staff record (e.g. emails or documents stored on Trust servers), requests should be made via the Personal Data Request (PDR) process:PDR@UHNM.nhs.uk  
These requests may be handled by the relevant department in coordination with the Information Security Team, especially if part of a complaint or general subject access request.

Renal Patients
Renal patients can access condition-specific information via a secure patient portal.

To ensure that the information UHNM holds about you is accurate and up to date, it is important that you notify us of any changes to your personal details. 
This includes updates to:

• Name
• Address
• Contact information (telephone number, email)
• Next of kin or emergency contact
• GP or healthcare provider
• Any other relevant personal or medical information

Keeping your records current helps us provide safe, effective care and ensures that communications and services are delivered appropriately.
If you need to update your information, please contact the relevant department or speak to a member of staff during your next visit.

The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and freedom of information. UHNM is registered with the ICO and complies with its guidance and statutory obligations under the Data Protection Act 2018 and UK GDPR.

UHNM ICO Registration Number: Z6476085
Contact Details for the ICO:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF
Telephone: 0303 123 1113
Visit the https://ico.org.uk/ 

Covid-19
The Information Commissioner's Office has made a statement about their working arrangements as a result of the Covid-19 Epidemic. You can read their updated information here.

University Hospitals of North Midlands NHS Trust (UHNM) retains personal health records in accordance with the Records Management Code of Practice (2023) 

further information can be found here

Health records may be stored in both paper and electronic formats. The retention period depends on the type of record and the individual’s circumstances, but general guidelines include:

• Adult health records: Retained for 8 years after the last entry.
• Children’s health records: Retained until the child reaches 26 years of age.

Certain records may be kept for longer or shorter periods depending on legal, clinical, or operational requirements. UHNM ensures that all records are securely stored and disposed of in line with national standards.

If you have any questions about this Privacy Notice or the information UHNM holds about you, please contact:

Data Protection Contacts
Data Security & Protection Team
DSPUHNM@uhnm.nhs.uk 

Data Protection Officer (DPO)
DPO.UHNM@uhnm.nhs.uk 

Complaints and Patient Support
If you have concerns about how your information is being used, you can contact:

Patient Advice and Liaison Service (PALS)
patientadvice.uhnm@nhs.net 

Complaints Department
complaints.department@nhs.net 

PALS Office Locations and Hours
Royal Stoke University Hospital
Inside the main building entrance
Monday to Friday, 9:00am – 4:00pm (excluding bank holidays)
01782 676450 / 676455 / 676435

County Hospital
Inside the main entrance
Monday to Friday, 9:00am – 5:00pm (excluding bank holidays)
08000 407060 / 08000 721646

Postal Contact
If you prefer to contact us in writing, please address your correspondence to:
Chief Executive or Chief Nurse
University Hospitals of North Midlands NHS Trust
Trust Headquarters
Royal Stoke University Hospital
Newcastle Road

 Freedom of Information
University Hospitals of North Midlands NHS Trust (UHNM) processes personal data in order to respond to Freedom of Information (FOI) requests in accordance with the Freedom of Information Act 2000. This includes managing requests, issuing responses, and maintaining records of correspondence.

What Information We Collect
When you submit an FOI request, we may collect and process the following personal data:

• Your name
• Contact details (email address, postal address, or phone number)
• Any other personal information you voluntarily provide in your request

Lawful Basis for Processing
Under the UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for processing this information is:
Article 6(1)(c) – Processing is necessary for compliance with a legal obligation.

This legal obligation arises from UHNM’s duty to respond to FOI requests under the Freedom of Information Act 2000.
How We Use Your Information
We use your personal data to:

• Log and track FOI requests
• Communicate with you regarding your request
• Provide you with the information requested (where applicable)
• Maintain records for audit and compliance purposes

Sharing Your Information
Your personal data may be shared internally within UHNM to locate and compile the requested information. We do not share your personal data externally unless required by law or regulation.

Retention of Data
FOI request records, including personal data, are retained in accordance with UHNM’s Policy DSP16 Information Lifecycle & Records Management and the Records Management: NHS Code of Practice. Typically, FOI records are retained for 3 years from the date of closure, unless a longer retention is required for legal or audit purposes.

Your Rights
You have rights under UK GDPR including:

• The right to access your personal data
• The right to rectification
• The right to object to processing (in certain circumstances)

For more information about your rights or to exercise them, please contact the DSP UHNM Team dspuhnm@uhnm.nhs.uk 

UHNM keeps this Privacy Notice under regular review to ensure it reflects current practices, legal requirements, and service developments. 
Each page or section includes version control to indicate when it was last updated.