Your Medical Record

Your Patient Information (Privacy Policy)

Your data protection rights

Under data protection law, you have rights including:

Your right of access - You have the right to ask us for copies of your personal information.  You are not required to pay any charge for exercising your rights.  If you make a request, we have one month to respond to you.  Please see further information below ‘How can I see the information you hold about me’. 

Your right to rectification - You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing - You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing - You have the the right to object to the processing of your personal data in certain circumstances.

Your right to data portability - You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.

How can I see the information you hold about me?

You have the right to access any information we hold about you.  Please email: or write to:

Access to Health Records
King’s Mill Hospital
Mansfield Road
Sutton in Ashfield
NG17 4JL

Telephone: 01623 672231

Can I access personal information about my child?

Information about children under 12 may be released to a person with parental responsibility.  However, the best interests of the child will always be considered.

Even if a child is very young, data about them is still their personal data and does not belong to anyone else.  It is the child who has a right of access to the information held about them.

Before responding to a request for information held about a child 12 years or over, we will consider whether the child is mature enough to understand their rights.  If we are confident that the child can understand their rights, then we will respond to the child rather than the parent.  What matters is that the child can understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so.

Can I access personal information on someone else’s behalf?

The UK General Data Protection Regulation does not stop you making a request on someone else’s behalf.  This is often necessary for a solicitor acting on behalf of a client, or it could simply be that an individual wants someone else to act for them.

In these cases, we will need to satisfy ourselves that the third party making the request has the individual’s permission to act on their behalf.  It is the third party’s responsibility to provide this evidence, which could be a written authority to make the request, or a power of attorney.

If a person does not have the mental capacity to manage their own affairs and you are their attorney, for example you have a Lasting Power of Attorney with authority to manage their property and affairs; you will have the right to access information about the person you represent to help you carry out your role. The same applies to a person appointed to make decisions about such matters:

  • In England and Wales, by the Court of Protection
  • In Scotland, by the Sheriff Court; and
  • In Northern Ireland, by the High Court (Office of Care and Protection).

Accessing and sharing information: Acting on behalf of a person with dementia

Can I access information about the deceased under the UK General Data Protection Regulation?

The Regulation only applies to personal information about a living individual.  You may access information about deceased individuals through other legislation, such as the Access to Health Records Act.

Can I access the medical records (health records) of someone who has died?

Do I have to prove who I am?

Yes, we must be satisfied that an applicant is the patient or their authorised representative.  This means we will ask for proof of identity and reserve the right to make further checks if necessary or refuse access if there is any doubt.

Applicants applying for a child’s health records will be asked to supply a copy of the child’s birth certificate and sign a form of authority confirming that they hold legal parental responsibility or if the applicant is not a parent, documentary evidence confirming parental responsibility.

What can I expect if I have rights under the Equality Act 2010 (or Disability Discrimination Act 1995 in Northern Ireland)?

Under equality law we have a duty to make sure that our services are accessible to all service users.  You can request a response in a particular format that is accessible to you, such as Braille, large print, email, or audio format.

If you think that we have failed to make a reasonable adjustment, you can make a claim under the Equality Act (or Disability Discrimination Act in Northern Ireland).

Further advice is available from:

Equality Advisory Support Service (EASS) –; and Citizens Advice –

Can we withhold any information?

Yes.  There are some circumstances where the information you have asked for contains information that relates to another person.  Unless the other person gives their permission, or it is reasonable in all the circumstances to provide the information without permission, we are entitled to withhold this information.

The UK General Data Protection Regulation and Data Protection Act 2018 covers personal information that:

  • is held, or going to be held on computer
  • is in, or going to be in, a manual filing system that is highly structured so that information about you can be easily retrieved
  • is in most health, educational, social service, or housing records; or
  • is other information held by a public authority?

How to complain

If you feel we have withheld some of your personal information, we recommend you contact us with your concern.  Make sure you state the information you think is being withheld.

If you have contacted us and still believe some of your personal information is being withheld, or you are unhappy with how we have used your data please contact the Information Commissioner’s Office via their live chat service or call their helpline on 0303 123 1113.

The ICO’s address:           

Information Commissioner’s Office

Wycliffe House

Water Lane




If you want to know more

If you have any concerns about how we keep and manage your personal information, please discuss this with a member of the team providing your care at the Trust.

Changes to this privacy notice

We keep our privacy notice under regular review.  This privacy notice was last updated on 15th November 2023.

Data Protection Officer

Head of Data Security and Privacy 01623 672232.

The Trust is registered as a Data Controller with the Information Commissioner’s Office.  Our ICO registration number is Z4885823.  Our registration entry can be found here.

Further information on the UK General Data Protection Regulation can be found here.

How to contact us

If you want to request information about our privacy policy, you can email us:

Or write to:

Information Governance

King's Mill Hospital

Mansfield Road

Sutton in Ashfield


NG17 4JL

Coronavirus (COVID‑19)

The health and social care system are facing significant pressures due to COVID-19.  Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health.  Information will also be vital in researching, monitoring, tracking, and managing the outbreak.  In the current emergency it has become even more important to share health and care information across relevant organisations.

It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new Opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs, we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals, and NHS 111.  We may also use the details we have to send public health messages to you, either by phone, text, or email.  

During this period of emergency, we may offer you a consultation via telephone or videoconferencing.  By accepting the invitation and entering the consultation you are consenting to this.  Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.   Our approach will be in the form of the tool ‘Attend Anywhere,’ which the nationally supported video consultation platform is provided by NHS England/Improvement.

You can find out a bit more information on how the process will work by watching this video.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.  

In such circumstances where you tell us you’re experiencing COVID-19 symptoms we may need to collect specific health data about you.  Where we need to do so, we will not collect more information than we require, and we will ensure that any information collected is treated with the appropriate safeguards. 

To support staff testing for COVID-19, information about the use of data at this time has been published.

It sets out how an individual’s personal data is collected and used when participating in the testing programme, as well as further information about the programme itself. You can read the full details on the link below:

Summary Care Record

During the height of the pandemic changes were made to the Summary Care Record (SCR) to make additional patient information available to all appropriate clinicians when and where they needed it, to support direct patients care, leading to improvements in both care and outcomes.

These changes to the SCR will remain in place unless you decide otherwise.

Regardless of your past decisions about your Summary Care Record preferences, you will still have the same options that you currently have in place to opt out of having a Summary Care Record, including the opportunity to opt-back in to having a Summary Care Record or opt back in to allow sharing of Additional Information.

You can exercise these choices by doing the following:

  1. Choose to have a Summary Care Record with all information shared. This means that any authorised, registered and regulated health and care professionals will be able to see a detailed Summary Care Record, including Core and Additional Information, if they need to provide you with direct care.
  2. Choose to have a Summary Care Record with Core information only. This means that any authorised, registered and regulated health and care professionals will be able to see limited information about allergies and medications in your Summary Care Record if they need to provide you with direct care.
  3. Choose to opt-out of having a Summary Care Record altogether. This means that you do not want any information shared with other authorised, registered and regulated health and care professionals involved in your direct care. You will not be able to change this preference at the time if you require direct care away from your GP practice. This means that no authorised, registered and regulated health and care professionals will be able to see information held in your GP records if they need to provide you with direct care, including in an emergency.

To make these changes, you should inform your GP practice or complete this form and return it to your GP practice.

Legal basis for sharing this data

In order for your Personal Data to be shared or processed, an appropriate 'legal basis' needs to be in place and recorded. The legal bases for direct care via SCR is the same as the legal bases for the care you would receive from your own GP, or another healthcare provider:

  • for the processing of personal data: Article 6.1 (e) of the UK GDPR: 'processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller'.
  • for the processing of 'Special Category Data' (which includes your medical information): Article 9.2 (h) of the UK GDPR:  'processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services'.

Flu vaccines and the COVID-19 response

On average, flu kills over 11,000 people each year – some years this number is much higher – and it hospitalises many more. This is anything but a typical year due to the potential impact of flu and COVID-19 circulating at the same time. 

This year, as well as GP practices inviting key eligible groups to receive their vaccination, reminders have gone out nationally to supplement this. COVID-19 vaccines will also be managed centrally once they are available. Given the potential time gap required between the flu and COVID-19 vaccines, it is important that the invites, reminders, and uptake of the vaccines are carefully managed together and regarded as part of the response to the COVID-19 pandemic.

This guidance describes how data is being used to help ensure that those who are entitled to a flu vaccine receive one. This includes data relating to both health and care staff and patients.

Patients Know Best

Sherwood Forest Hospitals is pleased to offer patients an online service that gives you secure access to your health record. It’s designed to improve your patient experience and access to NHS services and information.  It also means you can receive electronic notification of your appointments, through to your computer, smartphone, or tablet device.

This service is free to our patients and can be accessed using the NHS App and through our trusted partner Patients Know Best (PKB).  It’s part of our promise and on-going commitment to give you more choice and control over your care. The service will allow you to:

View your medical information including:

  • Outpatient appointments 
  • medical correspondence 
  • test results
  • access health resources tailored for you.

As part of this process patients will start to receive an email, letter, or text to ask them to register for the service.  

PKB provides a patient-centric repository which allows for both patient access and patient contribution to their own health record. Patients can determine which organisations and teams can view their personal data. This processing is done through article 9(2)(h) and 9(2)(a) of GDPR 2018.

PKB cannot see your health record and has no control over your record. They keep your information on secure servers. They encrypt the data so no one can see your health record except the people you choose or those with a lawful basis. They are registered with the Information Commissioner’s Office (“ICO”), which regulates data protection in the UK, and their registration number is Z2704931.

Any information that you choose to input in your PKB account is yours to decide who to share it with if anyone.

PKB tracks software usage to improve software quality. PKB does not track identifying information or records. PKB uses cookies to improve website operation and usage; for example, we use cookies to set a User’s language and to monitor usage trends. Cookies do not contain identifying information such as IPs, health data or personal details.

For more information please see PKB’s privacy notice:

Our legal basis for processing personal information

The ways in which we use your information are governed by law.

Clinical (direct) care

When your information is used for your care and administrative purposes related to

your care it is processed for the purposes of Article 6.1(e) of the GDPR – processing is necessary for the performance of a task carried out in the public interest and Article 9.2(h) of the GDPR – processing of special categories of data is necessary for the purposes of preventative or occupational medicine... [and] the provision of health or social care treatment or the management of health or social care systems and services.

Secondary (indirect care) purposes

When there is a legal requirement that we provide specified data to NHS England for

example, we rely on Article 6(1)c of the UK GDPR.  In cases where the common law duty of confidentiality cannot be satisfied through consent, we seek approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.


Our Trust is a research active organisation and encourages a research-positive culture to give patients wider access to clinical research and improve patient care and treatment options.  During your visit you may expect to see a member of our dedicated clinical research team or be approached about research opportunities. 

Consent is an important part of the research process and is frequently sought for participation in research studies.  In most instances we will rely on Article 6(1)e and Article 9(2)j of the UK GDPR if and when we use your information for research. If you have formally consented to take part in research, this will satisfy the common law duty of confidentiality and you will be told how information about you will be used.  Where it has been impracticable to obtain your consent we will seek approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.  For further information on this legislation please visit the Government's UK legislation Website.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.  To find out more or to register your choice to opt out, please visit  

The guidance below outlines the relevant time frame patient records should be retained if they have participated in a clinical trial.

The rationale for retaining patient records for an appropriate period is to allow further analysis and safety monitoring by regulatory authorities as necessary.

The Medical Research Council (MRC) has set out guidance for the time frame of the retention of medical notes below:

  • For basic research –research data and data material should be retained for 5 years after the completion of the trial.
  • For population health and clinical studies, the records and research data should be retained for 20 years after the study has been completed.
  • Studies that require records to be retained for more than 20 years must have a valid justification.
  • In some cases, the sponsor of the clinical trial may have set guidance for a specific retention time which differs from the MRC. In such cases the sponsor guidance should be followed.

In order to identify patient records that must be retained in this way a yellow alert sticker is placed on the red alert page in the inside of a patients’ notes.

If there is any doubt or concern over how long an individual patient’s record should be stored please contact the Head of Research and Innovation.

Here is a link to their Privacy Notice.

The information we hold about you

We hold your electronic and paper health (and where applicable social care) records. This contains sensitive information about you, your health, and your wellbeing.  The following list provides an example of the type of information (both past and present) that can be held within your record:

  • Demographic and contact details (name, date of birth, address, telephone number, email address, gender, sex, religion, marital status etc.)
  • Appointments and Consultations
  • Diagnoses (including physical disabilities and mental health conditions)
  • Medication, Vaccinations, Pathology results (e.g. blood tests) and Allergies
  • Social care involvement
  • Hospital correspondence and correspondence from other health and social care settings (including x-rays, discharge letters and referrals)
  • Relationships/Next of Kin.

How the NHS and care services use your information

We are one of the many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services.

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit  On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply.

You can also find out more about how patient information is used at: (which covers health and care research); and (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.  Our Trust is compliant with the national data opt-out policy.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Do I have a choice?

If you wish to receive safe and appropriate care and treatment at our hospital, we must maintain an accurate record of relevant information about you.  If you have any concerns about providing information, or how we share it with other health and social care providers, please discuss this with our staff so that you fully understand the potential impact on your care or treatment.

Do you ever share my information without my consent?

We will not disclose your information to any other third parties for non-care purposes without your consent unless there are exceptional circumstances or where we are legally required to report information to the appropriate authorities.

For example:

  • Notifications of new births
  • Diagnosis of infectious diseases such as meningitis or measles (but not HIV or AIDS) which may put other people at risk
  • To comply with a court order
  • Public interest, for example, if there is a risk of death or serious harm
  • A legal need to share it, for example: to protect a child under the Children Act and Local Safeguarding Procedures
  • To support investigations by the NHS Counter Fraud Agency
  • A legitimate enquiry from the police under UK General Data Protection Regulation for information relating to a serious crime
  • To comply with Confidentiality Advisory Group approvals under Section 251 of the NHS Act 2006, this permits the collection of health information for patients with specific conditions without consent for the benefit of research and other important activities. Examples include the National Cancer Registry, the Trauma Audit and Research Network, the National Congenital Anomaly, Rare Disease Registration Service, and the NHS Patient Survey Programme. If you wish to opt out of your information being used for these purposes, please contact the Trust’s Data Protection Officer.

Child Protection Information Sharing System (CP-IS)

The CP-IS shares information about children subject to a Child Protection Plan (CPP), pregnant women with an Unborn Child Protection Plan (UCPP) and children who are designated a Looked After Child (LAC) children being cared for under the following sections of the Children’s Act 1989:

  • Full Care Order (Section 31)
  • Interim Care Order (Section 38)
  • Voluntary Care Agreement (Section 20).

The benefits of this data sharing are that it:

  • provides mental, sexual, dental and community paediatric healthcare professionals with a reliable source of information on who vulnerable children are in circumstances where they present for unscheduled or scheduled care
  • supports maintaining contact with vulnerable children and young people to help reduce the risk of poor health outcomes, abuse, injuries and in extreme circumstances avoidable death whilst quarantined in their homes or subject to significant social restrictions during the COVID-19 response
  • will enable early intervention – informing healthcare professionals so they can take action to prevent or reduce future harm happening to children
  • allow improved safety and care – ensuing the information is at hand at the point of care and when children need help increase workforce efficiency and effectiveness – reducing the manual activities and filling any gaps in contextual information about a protected child.

The CP-IS flag and health audit data is currently shared between:

  • Local Authorities
  • emergency departments
  • minor injury units
  • walk-in centres
  • GP out-of-hours services/111
  • Unscheduled access to maternity units
  • Unscheduled access to paediatric wards
  • ambulance services

NHS England has now directed NHS Digital under the COVID-19 Public Health NHS England Directions, to establish and operate a system for the collection and analysis of information about child protection in response to the increased risk to vulnerable children due to the impact of the COVID-19 pandemic. The purpose is to share child protection information with the current healthcare providers and further care settings, to heighten awareness of the children at risk and enable those with statutory duty to safeguard and promote the welfare of children, to fulfill their obligations. The CP-IS will operate in the current settings (as above) for these purposes and be extended to:

  • Mental health settings (unscheduled and scheduled)
  • Sexual health settings (unscheduled)
  • Dental settings (unscheduled and scheduled)
  • Community paediatrics.

Sharing information with your family

With your agreement we will share information about your current care with your family or carer. It is important that we know which family members or carers to involve in your care, and who we can share your information with. This person does not need to be related to you, but they should be able to tell us your wishes in case you are unable to do so yourself.

How long do you keep my records?

There are national records management standards in the NHS for how long we need to keep information about you.  This varies depending on the type of information. Typically, your health record is destroyed or deleted 8 years following the end of treatment, or death. Records for some patients, e.g. children’s records, are kept much longer. Our policy on the retention and destruction of Health Records is available here.

How do we keep your information secure and confidential?

You have the right to confidentiality under UK General Data Protection Regulation, the Human Rights Act 1998, and the common law duty of confidence.  Everyone working in the NHS has a legal duty to keep information about you confidential. Anyone who receives information from us is also under a legal duty to keep it secure and confidential.

Your information is held in secure systems in both paper and electronic format.  Our electronic systems record when, and by whom, your record was accessed.

New systems are subjected to a data protection impact assessment to ensure any risks to privacy are identified.

All staff complete annual data protection and confidentiality training supplemented by related policies and procedures.  These policies can be found on our website in the ‘About Us’ section here.

Who do you share my information with?

We recognise our duty to share information about our patients with health and care professionals from other organisations to ensure safe and effective continuity of your care. We do so under a formal agreement about how it will be used and kept confidential. Some examples are:

Eyecare Electronic Referral System (EeRS)

This notice is a statement that describes how we collect, use, retain and disclose your personal information in relation to the Eyecare Electronic Referral System (EeRS) project.

To ensure that we process your personal data fairly and lawfully we are required to inform you:

  • Why we need your data
  • How it will be used and processed
  • Who it will be shared with

The Eyecare Electronic Referral System (EeRS) project is delivering an internet facing electronic referral, advice and guidance and image sharing system to enable connectivity between primary care optometrists and acute care ophthalmology consultants for first outpatient appointments. This aims to improve patient experience and safety by progressing the quality of the referral triaging process. 

We will need to collect, on a voluntary basis, basic demographic information (Name, Address DOB) for the project itself. The complete list of information categories that we will be collecting throughout the project are listed below:





Address (inc. Postcode)

Phone Number/Mobile Number


NHS Number

GP details

Racial or Ethnic origin

Health information (physical and mental)

NHS radiology system

We are part of a group (EMRAD) of NHS hospitals in the East Midlands that have a shared NHS radiology system. EMRAD (East Midlands Imaging Network) enables healthcare professionals in other NHS hospitals in the East Midlands to access your radiology record when necessary, to ensure you receive consistent, safe, and effective clinical care and treatment, irrespective of where you receive your care. For further information please see their Privacy Notice.


EMRAD Trusts (which includes our Trust) keep a store of patient images for teaching purposes, so radiologists and reporting radiographers can learn from each other. However, our processes ensure that patients cannot be identified by the system user, although some data on body part, and what the image shows are kept according to the Royal College of Radiologists standards.

Extremely rarely, it may be necessary to re-identify a patient when there is an exceptional patient safety issue – for example, if something serious was felt to have been missed when the image was originally looked at. If we need to re-identify a patient under these circumstances, only two senior EMRAD radiologists have permission to establish the patient’s identity, and between them they would ensure the possible safety incident was addressed by the Trusts’ usual procedures.

Nottinghamshire Health and Care Portal

We participate in the Nottinghamshire Health and Care Portal.  The portal enables providers to electronically share your health and social care information quickly and securely.  This information can include hospital and GP attendances, test results, medication and care plans with other Nottinghamshire health and social care providers. With your explicit consent, health and social care professionals, or staff who are supervised by health and social care professionals, will be able to access this information to better coordinate and provide care.  Access is strictly controlled, and the shared record is hosted by Nottingham University Hospitals NHS Trust in their secure data centre.

Nottingham and Nottinghamshire Ecosystems Platform and Notts Care Record

The Nottingham and Nottinghamshire Ecosystems Platform and Notts Care Record is a shared system that allows healthcare staff within the Nottingham and Nottinghamshire health and social care community to appropriately access the most up-to-date and correct information about patients involved in their care, to deliver the best possible care.

The Notts Care Record is sub-processed by Interweave:

We will not provide your information to any other third parties without your permission unless there are exceptional circumstances, such as, if the health and safety of you and others is at risk or if the law requires us to pass on information.

Musculoskeletal (MSK) Service

You and your GP have agreed you should be referred to the MSK service.  This means that the clinical staff who work in that team will be able to look at what is written in your GP record. This is all done electronically.   But if you have said you don’t want either all your record to be viewed or a part of it not to be viewed – then they won’t be able to look.

Seeing what care you have received before will help the staff in the MSK service do a better assessment of your current problem and so will be able to help you to decide what treatment you want to receive now for this current problem.

The GP record though will still be kept by the GP; we’re only allowing the MSK specialists to ‘see’ it.  What this also means is your GP can see what you and the MSK service have agreed as your treatment.

The MSK Service works to improve care for patients and the public and on occasion may contact you using your registered email or postal address to ask for feedback about the care you have received or would like to receive.  You do not have to respond to these requests and your care will not be affected by your decision to participate or not.  Here is a link to Triple Value Healthcare’s privacy policy:

Sleep Service

With the online application “AirView”, the Physiologists from the Sleep Service at Sherwood Forest Hospitals NHS Foundation Trust can monitor your sleep diagnosis and/or therapy from a distance.

For this purpose, data is collected by ResMed CPAP or Non-Invasive Ventilator Machines which are used to diagnose or treat patients with sleep-disordered breathing.  This data includes the length of time the machine and the mask are used, leakage figures, pressure values or the apnoea-hypopnoea index – are transmitted to AirView in encrypted form.

The Device is identified by means of the serial number; no personal data such as name or address are sent. Afterwards, the data which have been transmitted can only be attributed to individuals by Sherwood Forest Hospital NHS Foundation Trust, who can then use the information for your treatment.

Link to ResMed privacy Policy:

National Adult Asthma Audit

The adult asthma audit forms part of the National Clinical Audit and Patient Outcomes Programmes (NCAPOP). The adult asthma audit will collect patient identifiable information in order to link patient data to HES, ONS, eDris and PEDW data.

NACAP has approval from the Health Research Authority (for England and Wales) to collect this information without patient consent.  Please see reference number below:

Health Research Authority – CAG reference number: CAG 8-06(b)/2013.

National Heart Failure Audit

The National Heart Failure Audit collects data on patients with an unscheduled admission to hospital in England and Wales who are discharged with a primary diagnosis of heart failure.   The audit aims to drive up the quality of the diagnosis, treatment and management of heart failure by collecting, analysing and disseminating data, and eventually to improve mortality and morbidity outcomes for heart failure patients. The audit is managed by NICOR, with clinical direction and strategy provided by the British Society of Heart Failure (BSH).  The audit is commissioned by the Healthcare Quality Improvement Partnership (HQIP).  The National Heart Failure Audit was established in 2007. The audit aims to capture data on clinical indicators which have a proven link to improved outcomes for heart failure patients, and to encourage the increased use of clinically recommended diagnostic tools, disease modifying treatments and referral pathways. The dataset is updated periodically to ensure that the data collected remains in line with contemporary clinical guidance, and clinical input has been integral to the decision-making and running of the audit since its inception.

National Inpatient Survey

This national survey will help us at and the Care Quality Commission to find out what was good about your care and if any improvements are needed. If you are selected to take part you will receive a questionnaire in the post and text message reminders using your registered telephone number or postal address. You do not have to respond to the request to participate and your care will not be affected by your decision to participate or not.

If you do not want to take part or have any questions about the survey please contact:

Homecare Service

Below are the companies that provide this service to the Trust:

CareLink™ System

CareLink™ System is a service provided by Medtronic to health care professionals to upload patient insulin pumps, continuous glucose monitor devices and compatible BG meters.  This enables health care professionals to generate reports to assist with patient’s diabetes management.  health care professional’s may create a patient profile in the system and upload a patients compatible device in clinic to see data from their device or request that the patient links their CareLink Personal™ with the clinic so that data patients upload at home can be viewed in CareLink™ System by the health care professional.

Further information is available here

Sapien Health

Pilot study in conjunction with the Sherwood Forest perioperative team whereby Sapien Health will be used to support 100 patients before and after their surgery with a view to improving their surgical outcomes.

Sapien is a mobile app-based behavioural intervention for patients undergoing elective surgery. The Sapien Health model combines personalised digital guidance with 1-to-1 remote health coaching to help optimise patients preoperatively and support their recovery during the postoperative phase.

Further information is available here.

Outpatient Parental Antibiotic’s Therapy (OPAT) Database – Horizon Strategic Partners Ltd

The database will store patient demographics, treatment plans and medications.  Further information is available here.  


The service uses Endobase software package to record the finding of the endoscopy procedure and produce a final report which is shared with the Patient, their GP and printed for a copy to be retained on their paper patient record file.


During your assessment and treatment we will use an electronic blood monitoring system that enables the safe management of your blood results.  This is managed by your medical team and overseen by your consultant.

MacMillan Holistic Needs Assessments

With the explicit consent of the patient, Macmillan holistic needs assessments are shared with the patient’s GP and community teams.

Clinical Audits

We continually try to raise the standard of care we provide. To do this we need to review the clinical work we do, this is typically done using a process known as Clinical Audit.   Access to your patient records for this purpose is monitored and only anonymous information is used.

Risk Stratification

Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. It helps to identify a person who may benefit from a targeted healthcare intervention. Information about you is collected from several sources including NHS Trusts and from this GP Practice. The identifying parts of your data are removed, analysis of your data is undertaken, and a risk score is then determined. This is then provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way in most circumstances, please contact the practice for further information about opt out.

Individual Risk Management at a GP practice level however is deemed to be part of your individual healthcare and is covered by our legal powers relating to direct healthcare.

The CCG uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services.  This is called risk stratification for commissioning.  The CCG does not have access to person identifiable data.  The information is pseudonymised. 

GPRCC and eHealthScope

General Practice Repository for Clinical Care (GPRCC) is a data warehouse. This means that it is a secure database containing encrypted patient data. Data in the GPRCC will contain personal identifiers including name, NHS Number, date of birth, address, postcode, telephone number and date of death, which will be stored in pseudonymised form in a secure and accredited SQL environment.

GPs upload patient data that can then be shared with other healthcare professionals involved in your care. GPs then use a programme called eHealthScope which is able to explain and predict care gaps in their area. Healthcare professionals can now access your medical history from all organisations involved in your care to ensure you are given the best care possible. Access to identifiable GPRCC data is exclusively via eHealthScope, which provides Role-Based Access Control. Only staff from General Practice and individuals nominated by them in the Local Care Teams (e.g. Care Delivery Groups) who are involved in the care of patients will be given access to re-identified data, given these staff have a ‘legitimate’ relationship with the patient. GPRCC also gives eHealthScope the data to be able to inform GPs of specific care needs in their area. This means they can create solutions such as drop-in services to address healthcare needs before they become a problem. This processing is done through article 9(2)(h) as it helps to provide direct patient care.  There will be no use of this data for any secondary purposes e.g. no use for commissioning, contracting or performance management.

Data relating to adults involved with social care and those aged 65+ will automatically be alerted to NHS organisations as part of the Care Portal and E-Health scope procedure.

Medical Interoperability Gateway (MIG)

The Medical Interoperability Gateway (MIG) is a way to transfer Primary Care data from GPs to other healthcare professionals. All healthcare professionals who use the same records system can use it to access your GP medical history to ensure you have the highest standard of care across all organisations that provide your care. If your care needs to move beyond your GP, then all the healthcare professionals that are involved in your treatment can access your medical history to make sure you are given the best care for you. This is a GP sharing service held inside the secure NHS network. Sharing is only between professionals directly involved with your care.

Medicines Management

The organisation may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments. The reviews are carried out by the CCGs Medicines Management Team under a Data Processing contract with the Practice.

Shared Care Records

To support your care and improve the sharing of relevant information to our partner organisations (as above) when they are involved in looking after you, we will share information to other systems.  You can opt out of this sharing of your records with our partners at any time if this sharing is based on your consent. 

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.  All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for Sherwood Forest Hospitals NHS Foundation Trust an appropriate contract (art 24-28) will be established for the processing of your information.

Patient Level Information Costing System (PLICS)

We use anonymised data from the Trusts clinical systems to create a detailed model of the Trusts clinical services.

The PLICS model allows the Trust to easily analyse activity and costs, the use of resources, and the efficiency of services.

This information enables better decision making and enables more effective use of finite resources.

The data is also used by NHS England and Improvement to centrally monitor resources, to aid in the creation of the ‘model hospital’ and inform contracting decisions.

Medtrum EasyTouch App and EasyView Pro website

Medtrum will enable patients, their caregivers and healthcare professionals to remotely monitor the patients’ real-time glucose data and insulin delivery data, view the statistics and create the reports on the EasyTouch App and EasyView Pro website.

Once the patients accept the request sent by the caregivers or the healthcare professionals, the patient data will be shared remotely and in real-time.

Here is a link to their privacy notice.

Virtual Wards

Virtual Wards will support patients who would otherwise be in hospital, to receive the care, monitoring and support they need in the place they call home.  This includes either preventing avoidable admissions into hospital or supporting early discharge out of hospital.  The initial phase of the initiative will focus on early supported discharge out of hospital, whilst remaining under consultant care.

Further information

New state-of-the-art technology will see some patients across Nottingham and Nottinghamshire with respiratory infections, a flare up of a long-term lung condition or recovering from some types of surgery, monitored from the comfort of their own home rather than in hospital. 

Patients who are eligible will be referred to a ‘virtual ward’ – a safe and efficient alternative to an NHS hospital bed and means patients can be treated in the place they call home. 

Virtual wards can make us of technology to support patients who would otherwise be in hospital, to receive the care, monitoring and support they need in the place they call home, which frees up hospital beds for patients who are most in need of acute care.

Patients who are suitable to be referred to a virtual ward will usually have a health concern that needs regular monitoring and on-going treatment, such as an acute respiratory infection, a chronic lung condition or, if at Nottingham University Hospitals, a postoperative wound care and intravenous antibiotics that they would usually receive in hospital. However, with the right care and support, these patients can now receive the care they need at home safely and conveniently.

Patients in virtual wards will be supported and monitored on a daily basis using remote monitoring apps, utilising technology platforms and using medical devices such as pulse oximeters, which record vital health data about blood oxygen saturation and heart rates. Patients can also receive face-to-face care from teams based in the community.

To find out more you can read an article on virtual wards here.

CCTV and Body Warn Video

Within the Trust premises CCTV cameras and Body Warn Video are used for the following purposes only:

  • To protect staff, patients and visitors
  • To protect Trust premises and assets
  • To increase personal safety and reduce the fear of crime
  • To reduce incidents of violence and aggression to staff members
  • To support the Police in reducing and detecting crime
  • To assist in identifying, apprehending and prosecuting offenders
  • To provide a deterrent effect and reduce criminal activity
  • To assist in the traffic management and car parking services, and Health & Safety.

Short Message Service (SMS) text messaging

When attending the Trust for an outpatient appointment or a procedure you may be asked to confirm that the Trust has an accurate contact number and mobile telephone number for you.  With your agreement your mobile number can be used to provide appointment details via SMS text messages.


Microsoft Sway is used to deliver our weekly all staff bulletin as well as our Trust Membership monthly e-newsletter. We gather statistics around email opening and clicks using Microsoft Sway to help us monitor and improve our e-newsletter.  

Here is a link to their Privacy notice

People who contact us via social media

We use a third-party provider, Tweetdeck to manage our social media interactions.

If you send us a private or direct message via social media, the message will be stored by Tweetdeck for three months. It will not be shared with any other organisations.

Here is a link to their Privacy Notice.


We collect information volunteered by members of the public about membership either using paper forms or an online form which links directly to the membership database hosted by MES (Membership Engagement Services). MES processes personal information in line with our constitution.  Information from the paper forms is transferred into the membership database.

Here is a link to their Privacy Notice.