Skip to content Contact us

Cookies on the Sherwood Forest Hospitals website

We use cookies to ensure that we give you the best experience on our website.

To continue using the website we'll assume that you are happy to receive all cookies on our site.

Continue Find out more

Your personal information - Data Protection Act (Privacy Notice)


Your medical record

The information we hold about you

We hold your electronic and paper health (and where applicable social care) records. This contains sensitive information about you, your health and your wellbeing.  The following list provides an example of the type of information (both past and present) that can be held within your record:

  • Demographic and contact details (name, date of birth, address, telephone number, email address, gender, sex, religion, marital status etc.)
  • Appointments and Consultations
  • Diagnoses (including physical disabilities and mental health conditions)
  • Medication, Vaccinations, Pathology results (e.g. blood tests) and Allergies;
  • Social care involvement
  • Hospital correspondence and correspondence from other health and social care settings (including x-rays, discharge letters and referrals)
  • Relationships/Next of Kin.

How the NHS and care services use your information

We are one of the many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services.

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.  On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can apply your national data opt-out choice. Our Trust is not currently able to apply your national data opt-out choice to any confidential patient information we may use or share with other organisations for purposes beyond your individual care. 

Do I have a choice?

If you wish to receive safe and appropriate care and treatment at our hospital we must maintain an accurate record of relevant information about you.  If you have any concerns about providing information, or how we share it with other health and social care providers, please discuss this with our staff so that you fully understand the potential impact on your care or treatment.

Do you ever share my information without my consent?

We will not disclose your information to any other third parties for non-care purposes without your consent unless there are exceptional circumstances or where we are legally required to report information to the appropriate authorities.

For example:

  • Notifications of new births
  • Diagnosis of infectious diseases such as meningitis or measles (but not HIV or AIDS) which may put other people at risk
  • To comply with a court order
  • Public interest, for example, if there is a risk of death or serious harm
  • A legal need to share it, for example: to protect a child under the Children Act and Local Safeguarding Procedures
  • To support investigations by the NHS Counter Fraud Agency
  • A legitimate enquiry from the police under data protection legislation for information relating to a serious crime
  • To comply with Confidentiality Advisory Group approvals under Section 251 of the NHS Act 2006, this permits the collection of health information for patients with specific conditions without consent for the benefit of research and other important activities. Examples include the National Cancer Registry, the Trauma Audit and Research Network, the National Congenital Anomaly, Rare Disease Registration Service, and the NHS Patient Survey Programme. If you wish to opt out of your information being used for these purposes, please contact the Trust’s Data Protection Officer.

Sharing information with your family

With your agreement we will share information about your current care with your family or carer. It is important that we know which family members or carers to involve in your care, and who we can share your information with. This person does not need to be related to you but they should be able to tell us your wishes in case you are unable to do so yourself.

How the NHS and care services use your information

We are one of the many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your care, for instance to help with:

  • Improving the quality and standards of care provided
  • Research into the development of new treatments
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services 

If a patient utilises our services we will take a professional decision to imply consent to access health related information held on behalf of a patient to ensure the highest quality of care can be provided and in the best interests of the patient, unless explicitly stated otherwise. 

Implied consent and actions that arise will be a consistent part of a best interest approach for specific and timely decisions to maintain and promote the health and wellbeing of patients until the patient regains capacity for explicit consent or their proxy is present.

CCTV

Security cameras are installed at various locations at our sites to prevent and detect crime, and for the protection of staff, visitors and patients and their property.

Short Message Service (SMS) text messaging

When attending the Trust for an outpatient appointment or a procedure you may be asked to confirm that the Trust has an accurate contact number and mobile telephone number for you.  With your agreement your mobile number can be used to provide appointment details via SMS text messages.

How long do you keep my records?

There are national records management standards in the NHS for how long we need to keep information about you. This varies depending on the type of information. Typically, your health record is destroyed or deleted 8 years following the end of treatment, or death. Records for some patients, e.g. children’s records, are kept much longer. Our policy on the Retention and Disposal of Health Records is available here.

How do we keep your information secure and confidential?

You have the right to confidentiality under data protection legislation, the Human Rights Act 1998 and the common law duty of confidence. Everyone working in the NHS has a legal duty to keep information about you confidential. Anyone who receives information from us is also under a legal duty to keep it secure and confidential.

Your information is held in secure systems in both paper and electronic format. Our electronic systems record when, and by whom, your record was accessed.

New systems are subjected to a data protection impact assessment to ensure any risks to privacy are mitigated.

All staff completes annual data protection and confidentiality training, supplemented by related policies and procedures. These policies can be found on our website in the ‘About Us’ section.

Who do you share my information with?

We recognise our duty to share information about our patients with healthcare professionals from other organisations to ensure safe and effective continuity of your care. We do so under a formal agreement about how it will be used and kept confidential. Some examples are:

NHS radiology system

We are part of a group of NHS hospitals in the East Midlands that have a shared NHS radiology system. This will enable healthcare professionals in other NHS hospitals in the East Midlands to access your radiology record when necessary, to ensure you receive consistent, safe and effective clinical care and treatment, irrespective of where you receive your care.

Here is a link to their Privacy Notice.

Nottinghamshire Health and Care Portal

We participate in the Nottinghamshire Health and Care Portal. The community portal enables providers to electronically share your health and social care information, such as hospital and GP attendances, test results, medication and care plans with other Nottinghamshire health and social care providers. With your explicit consent, health and social care professionals, or staff who are supervised by health and social care professionals, will be able to access this information to better coordinate and provide care to you. Access is strictly controlled and the shared record is hosted by Nottingham University Hospitals NHS Trust in their secure data centre.

Clinical Audits

We continually try to raise the standard of care we provide. To do this we need to review the clinical work we do, this is typically done using a process known as Clinical Audit.  Access to your patient records for this purpose is monitored and only anonymous information is used.

Health Research Authority

Consent is an important part of the research process and is frequently sought for participation in research studies. One reason is to ensure that any disclosure of confidential information meets the requirements of the common law duty of confidentiality. Where consent is sought from research participants, they are normally told how information about them will be used. 

Here is a link to their Privacy Notice.

If you want to know more

If you have any concerns about how we keep and manage your personal information, please discuss this with a member of the team providing your care at the Trust.

How can I see the information you hold about me?

You have the right to access any information we hold about you. 

Please email sfh-tr.AccessToHealthRecordsTeam@nhs.net or write to:

Access to Health Records
Case Notes Store
King’s Mill Hospital
Mansfield Road
Sutton in Ashfield
Nottinghamshire
NG17 4JL

Telephone: 01623 672231

Can I access personal information about my child?

Information about children may be released to a person with parental responsibility. However, the best interests of the child will always be considered.

Even if a child is very young, data about them is still their personal data and does not belong to anyone else.  It is the child who has a right of access to the information held about them.

Before responding to a request for information held about a child, we will consider whether the child is mature enough to understand their rights.  If we are confident that the child can understand their rights, then we will respond to the child rather than the parent.  What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so.

Can I access personal information on someone else’s behalf?

The Data Protection Act does not stop you making a request on someone else’s behalf.  This is often necessary for a solicitor acting on behalf of a client, or it could simply be that an individual wants someone else to act for them.

In these cases, we will need to satisfy ourselves that the third party making the request has the individual’s permission to act on their behalf.  It is the third party’s responsibility to provide this evidence, which could be a written authority to make the request, or a power of attorney.

If a person does not have the mental capacity to manage their own affairs and you are their attorney, for example you have a Lasting Power of Attorney with authority to manage their property and affairs; you will have the right to access information about the person you represent to help you carry out your role. The same applies to a person appointed to make decisions about such matters:

  • In England and Wales, by the Court of Protection;
  • In Scotland, by the Sheriff Court; and
  • In Northern Ireland, by the High Court (Office of Care and Protection).

Accessing and sharing information: Acting on behalf of a person with dementia

Can I access information about the deceased under the Data Protection Act 2018?

The Act only applies to personal information about a living individual.  You may access information about deceased individuals through other legislation, such as the Access to Health Records Act.

Can I access the medical records (health records) of someone who has died?

Do I have to prove who I am?

Yes, we must be satisfied that an applicant is the patient or their authorised representative.  This means we will ask for proof of identity and reserve the right to make further checks if necessary or refuse access if there is any doubt.

Applicants applying for a child’s health records will be asked to supply a copy of the child’s birth certificate and sign a form of authority confirming that they hold legal parental responsibility or if the applicant is not a parent, documentary evidence confirming parental responsibility.

What can I expect if I have rights under the Equality Act 2010 (or Disability Discrimination Act 1995 in Northern Ireland)?

Under equality law we have a duty to make sure that our services are accessible to all service users.  You can request a response in a particular format that is accessible to you, such as Braille, large print, email or audio format.

If you think that we have failed to make a reasonable adjustment, you can make a claim under the Equality Act (or Disability Discrimination Act in Northern Ireland).

Further advice is available from:

Equality Advisory Support Service (EASS) – http://www.equalityadvisoryservice.com; and

Citizens Advice – https://www.citizensadvice.org.uk/.

Can we withhold any information?

Yes.  There are some circumstances where the information you have asked for contains information that relates to another person.  Unless the other person gives their permission, or it is reasonable in all the circumstances to provide the information without permission, we are entitled to withhold this information.

The Data Protection Act covers personal information that:

  • is held, or going to be held on computer;
  • is in, or going to be in, a manual filing system that is highly structured so that information about you can be easily retrieved;
  • is in most health, educational, social service or housing records; or
  • is other information held by a public authority?

What can I do if I believe we have not sent all the information I am entitled to?

If you feel we have withheld some of your personal information, we recommend you contact us with your concern. Make sure you state the information you think is being withheld.

If you have contacted us and still believe some of your personal information is being withheld, please contact the Information Commissioner’s Office via their live chat service or call their helpline on 0303 123 1113.

E-newsletter

We use a third party provider, MailChimp, to deliver our monthly e-newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter.

Here is a link to their Privacy Notice

People who contact us via social media

We use a third party provider, Tweetdeck to manage our social media interactions.

If you send us a private or direct message via social media the message will be stored by Tweetdeck for three months. It will not be shared with any other organisations.

Here is a link to their Privacy Notice

Membership

We collect information volunteered by members of the public about membership either using paper forms or an online form which links directly to the membership database hosted by MES (Membership Engagement Services). MES processes personal information in line with our constitution. Information from the paper forms is transferred into the membership database.

Here is a link to their Privacy Notice.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 30th June 2018.

Data Protection Officer

Jacquie Widdowson, Information Governance Manager, jacquie.widdowson@nhs.net 01623 435425.

Our ICO registration number is Z4885823. Further information on the Data Protection Act 2018 can be found here.

How to contact us

If you want to request information about our privacy policy you can email us:

sfh-tr.information.governance@nhs.net

Or write to:

Information Governance Department

Sherwood Forest Hospitals NHS Foundation Trust

King's Mill Hospital

Mansfield Road

Sutton in Ashfield

Nottinghamshire

NG17 4JL