Data Protection and Information Governance

Privacy notice for patients

Please see the Supplementary Privacy Notice - Covid-19 for information about how we may use your information to protect you and others during the Covid-19 outbreak.


Humber Teaching NHS Foundation Trust collects, stores and uses large amounts of personal data every day, such as medical records, personal records and computerised information. This data is used by many people in the course of their work. This privacy notice explains how we process your personal data.

Humber Teaching NHS Foundation Trust is the data controller of the personal data and is responsible for complying with data protection legislation.

Our registered address is Trust Headquarters, Beverley Road, Willerby, HU10 6ED.

We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

At Trust Board level, we have a Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality.

We have a Data Protection Officer who ensures the Trust is accountable and compliant with the General Data Protection Regulation (GDPR) and Data Protection Act 2018.

Data Protection Officer:  Lisa Davies, Mary Seacole Building, Willerby Hill, Beverley Road, Willerby, HU10 6ED.

What information do we collect about you?

The doctors, nurses and team of healthcare professionals caring for you keep records about your health and any treatment and care you receive from the NHS. These records help to ensure that you receive the best possible care. They may be written down in paper records or held on computer. These records may include:

  • Basic details about you such as name, address, date of birth, next of kin, etc

  • Details of your lifestyle and social circumstances

  • Contacts we have had with you such as appointments or clinic visits
  • Notes and reports about your health, treatment and care

  • Results of x-rays, scans and laboratory tests

  • Relevant information from people who care for you and know you well such as health professionals and relatives

  • Visual images, personal appearance and behaviour, for example if CCTV images are used as part of building security

  • Offences (including alleged offences, criminal proceedings, outcomes and sentences)

We may also process sensitive categories of information that may include:

  • racial and ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • health information
  • sex life or sexual orientation

It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.

Using your personal data: the legal basis and purposes

We will use your personal data to direct, manage and deliver the care you receive to ensure that:

  • The doctors, nurses and other healthcare professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you

  • Healthcare professionals have the information they need to be able to assess and improve the quality and type of care you receive

  • Appropriate information is available if you see another doctor, or are referred to a specialist or another part of the NHS

Your information will also be used to help us manage the NHS:

  • Review the care we provide to ensure it is of the highest standard and quality

  • Manage the health service and ensure our services can meet future patient needs

  • Ensure the Trust receives payment for the care you receive

  • Prepare statistics on NHS performance

  • Audit NHS accounts and services

  • Investigate patient queries, complaints and legal claims

  • Helping to train and educate healthcare professionals

For these purposes we use anonymous data wherever possible.

This processing is necessary to perform a public task (GDPR Article 6(1)(e)) and necessary for the provision of health or social care treatment (GDPR Article 9(2)(h)).

Your information may also be used to protect the health of the general public.

This data will be processed when it is necessary to comply with a legal obligation (GDPR Article 6(1)(c)) and necessary for public health (GDPR Article 9(2)(j)). Wherever possible we will use anonymous data.

Your information may also be used to ensure that adult and children’s safeguarding matters are managed appropriately.

This will only be when it is necessary to perform a public task (GDPR Article 6(1)(e)) and when it is necessary to carry out obligations under social protection law (GDPR Article 9(2)(b)).

Your information may also be used for health research and development (see below).

This processing is necessary to perform a public task (GDPR Article 6(1)(e)) and is necessary for scientific or historical research purposes (GDPR Article 9(2)(j)). However, we must also comply with our common law duty of confidence, and individual consent will be sought for participation in particular research projects.

NHS Digital 

The Trust is required to share information with NHS Digital under Section 259(1) of the Health and Social Care Act 2012.

When we are required to provide data under this legislation, a Data Provision Notice is issued to the Trust.  This details information such as the purpose, benefits, data required, frequency and legal basis.  An example is the Mental Health Service Data Set.

For more information on how NHS Digital look after your health and care information, please click:

Yorkshire and Humber Health Care Record

Trust GP Practices participate in the Yorkshire and Humber Health Care Record.  The Yorkshire & Humber Care Record is a shared system that allows Healthcare staff within the Humber, Coast and Vale Health and Social Care community to appropriately access the most up-to-date and correct information about patients, to deliver the best possible care.

This processing is necessary to perform a public task (GDPR Article 6(1)(e)) and necessary for the provision of health or social care treatment (GDPR Article 9(2)(h)).

The Yorkshire & Humber Care Record Guarantee is our commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing.

If you would like any further information, or would like to discuss this further, please contact the Yorkshire and Humber Care Record on 0113 206 4102 or contact your GP practice.

Yorkshire and Humber Care Record Patient Information Leaflet

Risk Stratification

Trust GP practices use your information for the purposes of Risk Stratification. This is used to identify groups of patients who would benefit from some additional help from their GP or care team. The aim is to prevent ill health and possible future hospital stays, rather than wait for you to become sick.

This processing is necessary to perform a public task (GDPR Article 6(1)(e)) and necessary for the provision of health or social care treatment (GDPR Article 9(2)(h)).

This processing has Section 251 Approval (CAG 7-04(a)/2013) from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority.

Our GP practices use the services of a health partner, North of England Commissioning Unit (NECS) to help with Risk Stratification.  NECS process personal confidential data on our behalf under a contractual agreement that requires the security and protection of information. 

Our GP practices can access identifiable information (NHS Number) to see which patients may benefit from additional help.

The Clinical Commissioning Group (CCG) and Public Health have access to de-identified information to help them plan the most appropriate health services for our local population.

If you do not want your information to be used for risk stratification, please speak to your practice manager. 

Medicines Optimisation

Humber GP Practices work with the North of England Commissioning Support Unit (NECS) to review the prescribing of medicines to ensure that it is safe and cost-effective. This may require the use of identifiable information. 

This processing is necessary to perform a public task (GDPR Article 6(1)(e)) and necessary for the provision of health or social care treatment (GDPR Article 9(2)(h)).

In cases where identifiable data is required, this is done with Trust agreement. Patient records are viewed in the GP practice and may also be viewed remotely. 

There is a protocol that provides a framework for Medicines optimisation team (MO) members to access patient records for routine medicines optimisation operations.

The protocol is used in conjunction with:

  • NHS Confidentiality Policy (NHS England, 2014)
  • North Of England Commissioning Support (NECS) Standards of Business Conduct procedure
  • NECS Information Risk Policy
  • Relevant professional codes of conduct and ethical standards
  • NHS IG requirements should be adhered to at all times.

The staff groups that are covered by the protocol are:

  • Medicines Optimisation Pharmacists
  • Medicines Optimisation Technicians.

National Fraud Initiative

The Trust participates in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise.  This is necessary to comply with a legal obligation (GDPR Article 6(1)(c)) and does not require consent under the data protection legislation. For further information, please see the full text fair processing notice

Care Mail 

Care Mail is our initiative to help friends and family stay connected to someone who is an inpatient at one of our Trust locations during Covid-19.  It can also be used to send messages of support, thanks and encouragement to reach our amazing staff who are working so hard to deliver care to our communities.

Our legal basis for processing this information is the legitimate interests of the Trust (GDPR Article 6(1)(f)).

National Data Opt Out

Information may only be used for purposes beyond your care when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations.  Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit

You can find out more about how patient information is used for research at: (which covers health and care research); and (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can apply your national data opt-out choice. 

Who do we share personal information with?

Everyone working within the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.

We will share information with the following main partner organisations:

  • Other NHS trusts and hospitals that are involved in your care

  • Clinical commissioning groups and other NHS bodies (see below)

  • General practitioners (GPs)

  • Ambulance services

You may be receiving care from other people as well as the NHS, for example Social Care Services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it or we have your permission. Therefore, we may also share your information, subject to strict agreement about how it will be used, with:

  • Social care services

  • Education services

  • Local authorities

  • Voluntary and private sector providers working with the NHS

We will not disclose your information to any other third parties unless: 

  • We have your permission

  • We have to share by law

  • We have good reason to believe that failing to share the information will put you or someone else at risk of serious harm or abuse

  • We hold information that is essential to prevent, detect, investigate or punish a serious crime

Please ask our staff if you have any concerns or would like further information. Alternatively you can contact the Information Governance Team, Mary Seacole Building, Willerby Hill, Willerby, HU10 6ED, Tel: 01482 477854 or email:

National Record Locator Service

The Trust is part of the NHS Digital National Records Locator Service (NRLS).  When you contact the Ambulance Service or NHS 111 they can use the NRLS to see if you are receiving a mental health service and get a Trust contact number for further information to help them make decisions about how best to treat you.

The NRLS is secure and confidential and can only be accessed by healthcare professionals directly involved in your care.

Only your NHS number, the type of records and the contact number of someone at the Trust will be shared with the NRLS. 

If you do not want to be part of the NRLS, please contact your Care Worker or the Team involved in your care. 

Clinical commissioning groups (CCGs)

CCGs are responsible for planning the health needs of their patients, and for paying to keep their local health services running. Information in computerised form is sent to CCGs, with your name and address removed, but including NHS numbers and postcodes. Exactly the same information is sent to the Office of National Statistics which produces information about the performance of hospitals.


Sometimes we undertake studies for which we may ask you for additional co-operation; these studies may involve you in extra tests or visits to the hospital. You always have a choice whether or not to be involved after being given detailed information. If you choose not to take part this will not affect your future treatment in any way.

Please click here for further information about patient information and health and care research.


From time to time, staff caring for you may be accompanied by students for teaching purposes. You have the right to refuse the presence of a student. If you have strong feelings about this or require any further information do not hesitate to let staff know.

The NHS Care Record Guarantee

The NHS Care Record Guarantee (PDF, 128.2kB) for England sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this.

It covers people’s access to their own records; controls on others’ access; how access will be monitored and policed; options people have to further limit access; access in an emergency; and what happens when someone cannot make decisions for themselves.

Everyone who works for the NHS, or for organisations delivering services under contract to the NHS, has to comply with this guarantee.

Your rights

We will ensure your rights are respected. You have the right to: 

  • Be informed – we will tell you what we do with your information. We do this through notices like this, service information leaflets, notices on our website and posters. 

  • Rectification - we will correct any personal information if it is inaccurate or rectify any data that is incomplete. 

  • Object – you have the right to object to how we process your information. Your objection will be considered in relation to your particular situation. We will stop processing unless there is a legitimate reason for us not to, e.g. we need to process your data to provide you with safe care.

    If you would like to raise an objection about how we process your information, please speak to your health professional or alternatively write to or email the Information Governance Team at the address below.

  • Restrict processing - we will temporarily restrict processing your data, whilst we check the information, if you query the accuracy of it.

    We will also restrict processing (if you raise an objection to how we process your data) whilst we consider your objection.

  • Access – you can ask for copies of information we hold about you. This is called a subject access request.

How you can access your records

If you would like to request a copy of your medical record, please complete our access to health records form and send to Medical Records Department, Mary Seacole Building, Trust Headquarters, Willerby Hill, Hull, HU10 6ED or email

SMS Text messaging

Your contact details are important to us: they ensure that we can contact you about appointment bookings and appointment cancellations, and remind you of your forthcoming appointments. The contact information we store will only be used by us in relation to your care and treatment. We will not pass on your information to any other party. You will be asked for your agreement to contact you in this way.

Sending Data to other countries

Sometimes your data may be processed outside of the UK. In most circumstances it will remain in the European Economic Area (EEA) and will have the same protection as if processed within this country.  When it is outside the EEA we will identify the data protections in place prior to transfer.

How long we keep your information

All records held by the NHS are subject to the Records Management Code of Practice for Health and Social Care 2016 (the Code). The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.


If you have any concern about how we have handled your data you can contact our Complaints or Patient Advice & Liaison Service (PALS).

Additionally, you have the right to raise a complaint with the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline: 0303 123 1113 or report online at:

Freedom of Information

The Freedom of Information Act 2000 provides any person with the right to obtain information held by Humber Teaching NHS Foundation Trust, subject to a number of exemptions. If you would like to request information from us, please contact: Freedom of Information, Mary Seacole Building, Willerby Hill, Willerby, HU10 6ED, or complete our online form.

Please note: if your request is for information we hold about you (for example your health records), please instead see above under “How you can access your records”.

Information governance enquiries, please contact:

Information Governance, Humber Teaching NHS Foundation Trust, Mary Seacole Building, Willerby Hill, Beverley Road, Willerby, HU10 6ED. Tel. 01482 477854 or email:

Lisa Davies, Data Protection Officer, Humber Teaching NHS Foundation Trust, Mary Seacole Building, Beverley Road, Willerby Hill, Willerby, HU10 6ED.

Last updated: July 2019