General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and, together with the Data Protection Act 2018, replaced the Data Protection Act 1998.
The GDPR is designed to strengthen and unify individuals' data protection. In simple terms, it sets a new standard that strengthens the control people have over their personal data. An overview of GDPR can be found here.
Worcestershire Acute Hospitals NHS Trust Privacy Notice
Being honest and clear with patients and staff about how the Trust uses personally identifiable information is an important part of the way we provide healthcare. Personal Information is about you. We believe that it is very important to protect your information in all that we do, and use it in the way the law says we can. We take care to put in place controls to make sure your information is safe. We also do checks to make sure that our controls are working.
The EU General Data Protection Regulation (GDPR) gives everyone in the UK more rights around controlling their personal information. It requires all organisations to be clear with patients, customers, clients and staff about what they do with personal information. The normal way to do this is in a Privacy Notice.
What is a Privacy Notice?
A Privacy Notice is a statement that describes how an organisation collects, uses, retains and shares personal information. It will also tell you about the rights you have around your information.
What does our Privacy Notice tell you?
- Why we need your personal information,
- The legal basis for collecting and holding your personal information,
- How it will be used, and,
- Who it will be shared with.
What is Personally Identifiable Information?
Personally identifiable information is any information that relates to an identified or identifiable living individual. It could be on paper, an IT system or video. In our Privacy Notice we also refer to it as ‘personal information’.
For example it could be: name, address, email, telephone number, NHS number, location, or any health related data. For members of staff, it will include items such as your length of service, salary details or hours of work.
Who are we and what do we do
Worcestershire Acute Hospitals NHS Trust provides hospital-based services from three main sites - the Alexandra Hospital in Redditch, Kidderminster Hospital and Treatment Centre, and Worcestershire Royal Hospital in Worcester.
We provide a wide range of services to a population of more than 575,000 people in Worcestershire as well as caring for patients from surrounding counties and further afield.
Last year we provided care to more than 232,644 different Worcestershire patients – that is 40% of the Worcestershire population received care at one of our hospitals. We employ nearly 6,000 people and around 800 local people volunteer with us helping to deliver care. We have an annual turnover of over £360 million.
Worcestershire Acute Hospitals NHS Trust is the ‘data controller’. This means that we decide why and how personal information is processed.
Our main contact address is: Worcestershire Royal Hospital, Charles Hastings Way, Worcester WR5 1DD
Our main contact telephone number is: 01905 763333
Why do we hold your personal information?
In short, we hold your information to help us provide your healthcare. We hold staff information to ensure that we know who works for us, and so we can pay and train them.
For example:
If you are a patient, we use your medical details to provide healthcare to you, and to ensure we join up your information (e.g. your patient notes, scans, x-rays, clinic appointments and A&E visits). We keep records of your allergies and health conditions to ensure we provide you with good care each time you visit us. The Trust keeps details of your next of kin / emergency contact in case we need to get in touch with someone if you are not able to do so yourself. We use your contact details to let you know about your healthcare. For example, we might send you a letter, call you on the phone, text or email you to let you know about an appointment or some results.
If you contact the Trust for a reason unrelated to direct healthcare, for example to make a complaint, or to submit a press enquiry or a Freedom of Information request, we will use the information you provide to keep in contact with you, and to look into or investigate your request.
If you visit our website, we use cookies to help make our website work more efficiently. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
If you use the free patient Wi-Fi service, this is provided in conjunction with BT and is also subject to their policies and procedures. All information relating to the BT terms and conditions of this service is available at https://www.btwifi.co.uk/terms-and-conditions. We may collect the following information: name, contact information including email address, device information including MAC address, length of browsing time using the Wi-Fi service, websites visited, and Wi-Fi bandwidth utilisation. We use this information to understand your needs and provide you with a better service, keep records and provide statistics, and analyse public flow through the hospital. We use traffic log cookies to identify which pages are being used on our website, to help us analyse data about web page traffic and improve our website. We only use this information for statistical analysis purposes, after which the data is removed from the system. Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies if you prefer. This may prevent you from using the free Wi-Fi service.
If you apply for a job at the Trust, Worcestershire Acute Hospitals NHS Trust is the data controller for the information you provide during the process unless otherwise stated. All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary. We will use the contact details you provide to contact you to progress your application, and the other information you provide to assess your suitability for the role you have applied for. We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. You do not have to provide what we ask for, but it might affect your application if you do not.
What we do with your Personal Information
Patient personal information we collect may also be used to:
- remind you about your appointments and send you relevant correspondence
- review the care we provide to ensure it is of the highest standard and quality, e.g. through audit, service improvement and research, for example the Friends and Family Test (FFT)
- support the funding of your care, e.g. with commissioning organisations
- prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies
- help to train and educate healthcare professionals
- report and investigate complaints, claims and untoward incidents
- report events to the appropriate authorities when we are required to do so by law
- review your suitability for research studies or clinical trials
- contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients
Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it, and we will only use or share the minimum information necessary.
Staff personal information we collect about you may also be used:
- For crime prevention and prosecution of offenders
- Sharing and matching of personal information for national fraud initiatives
- To monitor your use of information and communication systems to ensure compliance with IT policies
- When dealing with legal disputes involving you or other employees, workers and contractors, including accidents at work
- When gathering evidence for possible grievance or disciplinary hearings
- To support the repurposing of information for the pandemic response, e.g. swab testing. This will only be used where access has been approved on the basis of legitimate interest and assurance of data security has been provided.
- The Trust is required to process data from National Immunisation and Vaccination System (NIVS) and National Immunisation Management Service (NIMS) to manage compliance with the government regulations.
The Trust shall collate and hold information on an individual’s Vaccination status. This data is ‘health’ information and will be kept confidential, with access to it strictly controlled.
The COPI Notice provides a legal basis for NHS organisations to use what would otherwise be confidential patient information to support the pandemic response. The Trust needs to know the vaccination status of individual members of staff who have been determined as falling within the scope of the Vaccination Policy in order to protect patients and the workforce. A record will be kept of data processed under the COPI notice.
The Control of Patient Information (COPI) notices issued by the Secretary of State for Health and Social Care under the Health Service (Control of Patient Information) Regulations 2002 provide a legal basis for NHS England to disclose this information to health and care organisations, and NHS organisations are required under the COPI notice to process what would otherwise be confidential patient information for ‘COVID-19 purposes’. This includes, but is not limited to:
- “monitoring and managing the response to COVID-19 by health and social care bodies and the government including providing […] information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
- delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID-19, including the provision of information, fit notes and the provision of healthcare and adult social care services.”
The lawful basis for this processing is UK General Data Protection Regulation (UK GDPR) Article 6(1)(e), public task: the processing is necessary for the Trust to perform a task in the public interest or for its official functions, and the task or function has a clear basis in law.
Data protection law provides that it is lawful to ‘process’ (use) ‘special category data’ (i.e. health data, including information about vaccination status) under the conditions in GDPR Article 9 where:
- it is necessary for employment purposes (Article 9(2)(b))
- it is in the ‘substantial public interest’, including to comply with legal obligations (Article 9(2)(g))
- it is necessary for the management of healthcare services (Article 9(2)(h)); and/or
- it is necessary for public health purposes (Article 9(2)(i))
The VCOD (Vaccination as a Condition of Deployment) phase 2 guidance allows sharing with staff who ‘need to know’, and for the purposes stated above this will include line managers, HR and senior managers of staff affected.
How long we will keep your personal information for
The length of time we hold your personal information for will depend on what kind of information it is. The Trust has a Records Management Policy which sets out categories of information, and how long we keep the information for.
pdf Corporate Records Management Policy and Procedure (WAHT CG 127) (940 KB)
pdf Corporate Records Management Retention Schedule Appendix 12 (1.39 MB)
In accordance with the NHS Retention Schedule, there are national rules around the retention and destruction of patient records, which set out the appropriate length of time each type of NHS record is retained.
For more information, please visit the NHS Digital website.
All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.
Your Information Rights
There are 8 rights under the GDPR; the relevant rights to this Privacy Notice are considered below.
Right to be informed
The Trust must let you know what personal information we hold about you, in clear plain language. This Privacy Notice is our main way of letting you know these details. The Trust has produced ‘signposting’ posters to make sure you know where to come to look at the Privacy Notice. You will also be aware of the information which forms part of your patient record through communication with our staff.
If you apply for a job with the Trust, or work for the Trust, then you will be aware of the personal information you have provided as part of this process or contract.
Right of access
If you are a patient or an employee, you have a right to obtain a copy of your personal information. If you are a patient, you may want a copy of your medical notes. If you are a job applicant or employee, you may want a copy of your file. The process of asking for access to your personal information is known as a Subject Access Request.
Our Subject Access Request Policy is available here:
pdf Subject Access Request Policy 2018 (195 KB)
To complete a Subject Access Request, please submit the relevant form:
Health Records
document GDPR Application Form for Health Records (58 KB)
Employment and occupational health records
document GDPR Application Form for Employment and Occupational Health Records (59 KB)
Complaints and PALs
document GDPR Application Form for Complaint and PALS (58 KB)
Incident investigation
document GDPR Application Form for Incident Investigation (58 KB)
Right to rectification
You have the right to have your personal information corrected if it is inaccurate or incomplete.
Contemporaneous records will not be altered or amended unless the information is proven to be incorrect or misleading as to any matter of fact. Where there is a difference of opinion between the maker/holder of the record and the person (or their legal representative if the person is under 13 years of age or lacks capacity) to whom the information relates, an addendum should be added to the record, at the point where the information is being contested, indicating that the person has challenged the accuracy of the information and their reasons for this.
If you believe there is something in your patient or staff record which needs rectifying or updating, such as a change of address or a new phone number, please notify the reception staff at your point of care. If you are an employee, please log on to ESR and amend your personal details, or let your line manager know. If you need another way to get in touch, please email us with full details of your suggested amendment.
Right to erasure
For personal information in health records, and staff records, this right is generally not applicable. Where there is a law we have to comply with so we can perform our role in healthcare or as an employer, we do not have to erase this personal information.
What does the law say about your personal information?
- If you are a patient or emergency contact, we can collect and use your information because we are using it for your treatment, or to organise your care. We may also be required to use your information as part of nationally mandated statistical returns.
- If you are a patient, the law says we can use your information to invite you to take part in patient surveys. It is in the public interest to know what our patients think about the services we provide – it helps us to make our services better. If you do not want to take part, please just let us know.
- If you work for the Trust, we use your information to look after you at work. This includes things like making sure you are paid, keeping a log of annual leave and any sickness, and making sure you have done your training.
- If you are using the free wifi in our hospitals, you will be asked to say yes or no (consent) to your information being used and shared with BT. The Trust is then allowed to use and share your information as described if you say ‘yes’.
- If you volunteer for the Trust, you will be asked to say yes or no (consent) to your information being held by the Trust.
Lawful basis of processing
For patients, in relation to personal information used for the treatment or administration of health services, or for an identified ‘next of kin’, and for the provision of patient information as part of nationally required statistical returns:
Article 9(2)(h)
“Article 9 Processing of special categories of personal data
- Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
- Paragraph 1 shall not apply if one of the following applies:...
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;...
- Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies.”
The Member State law referred to in Article 9(2)(h) and 9(3) above is the common law duty of confidentiality which applies to all NHS staff. For more information on the common law duty of confidentiality please visit the Department of Health website.
For patients in relation to personal information used for nationally mandated surveys
Article 6(1)(e)
“Article 6 Lawfulness of processing
- Processing shall be lawful only if and to the extent that at least one of the following applies:...
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
For job applicants, and people employed by the Trust, whether paid or unpaid, either directly or through a third party:
Article 6 (1)(b)
“Article 6 Lawfulness of processing
- Processing shall be lawful only if and to the extent that at least one of the following applies:...
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;”
For users of the free Trust wifi
Article 6(1)(a)
“Article 6 Lawfulness of processing
- Processing shall be lawful only if and to the extent that at least one of the following applies:...
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes”
For people who volunteer for Worcestershire Acute Hospitals NHS Trust
Article 6(1)(a)
“Article 6 Lawfulness of processing
- Processing shall be lawful only if and to the extent that at least one of the following applies:...
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes”
Who helps the Trust with processing personal information?
The Trust has various arrangements and contracts in place to help us provide our services. This can be for different reasons. For example: the Trust may not have the skills or knowledge for our employees to do the task; the company may do the task for all NHS Trusts; or it might provide us with the best service at the best price to do it this way.
The Trust is responsible for making sure any third party who processes your personal information is doing so in the right way. This means safely, securely, legally and confidentially. Third parties can only do what the Trust tells them with the data; they cannot use it for anything else.
Our main IT systems are supported by large companies who provide systems for gathering and keeping patient information. Examples would be Xerox, Allscripts, Computacentre, NHSmail, Bluespier, and Northgate.
For workforce personal information, SBS administer the Trust payroll. In order for them to do this, we share personal staffing information with them. NHS Jobs administer our vacancies and recruitment, so if you apply for a job with us, this is where you will enter your details. The Trust remains the ‘data controller’ in both these cases.
Current list of data processors
spreadsheet Completed Data Collection Sheet April 2017 (35 KB)
The Trust is currently conducting a ‘data mapping’ exercise to ensure that we have all known processes documented. This document will continue to be updated as we gather this information.
Personal information may be transferred to, and processed in, countries other than the country in which you live by companies who help us process information. These countries may have data protection laws that are different to the laws of your country and, in some cases, may not be as protective.
The Trust, and the companies we work with, have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice. These include implementing the European Commission’s Standard Contractual Clauses for transfers of personal information. This requires any companies doing this to protect personal information they process from the European Economic Area in accordance with European Union data protection law.
Any relevant Standard Contractual Clauses can be provided on request. The Trust continues to keep any such transfers under close review by the WAHT GDPR Working Group, to ensure processing is in line with this Privacy Notice.
Who does the Trust share information with?
Patient information
The Trust shares patient personal information with a range of organisations or individuals for a variety of lawful purposes, including:
- With General Practitioners (GPs) and other NHS staff (hospitals, community services or ambulance services) for the purposes of providing direct care and treatment to the patient, including administration;
- With social workers or to other non-NHS staff involved in providing healthcare;
Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:
- When the patient has given their explicit consent to the sharing;
- When the patient has implicitly consented to the sharing for direct care purposes;
- When there is a Court Order or a statutory duty to share patient data;
- When there is a statutory power to share patient data;
- When the sharing of patient data without consent has been authorised by the Confidentiality Advisory Group of the Health Research Authority (HRA CAG) under Section 251 of the NHS Act 2006
Where patient information is shared with other non-NHS organisations, or for reasons other than direct patient care, it is good practice for an information sharing agreement to be drawn up to ensure that information is shared in a way that complies with all relevant legislation. The main Information Sharing Protocols for the Trust are available here.
Overseas Visitors
Where the Trust treats you as an overseas patient in addition to the above the Trust may collect additional information to establish your eligibility for free treatment within the NHS and to recover payment from you if that becomes necessary.
This may include:
- additional identification such as a passport
- proof of residence
- asylum status
- evidence of health insurance
- purpose and length of stay
Once we have satisfactorily established your status we will not retain copies of any supporting documents you supplied.
Relevant information may be shared with the Home Office where required by the National Health Service (Charges to Overseas Visitors) Regulations 2015 so that they can confirm your immigration status to us. This will not include clinical information about your healthcare with us.
The information provided may be used and retained by the Home Office for its functions, which include enforcing immigration controls overseas, at the ports of entry and within the UK. The Home Office may also share this information with other law enforcement and authorised debt recovery agencies for purposes including national security, investigation and prosecution of crime, and collection of fines and civil penalties.
If you are chargeable but fail to pay for NHS treatment for which you have been billed, it may result in a future immigration application to enter or remain in the UK being denied. Necessary (non-clinical) personal information may be passed via the Department of Health to the Home Office for this purpose.
National Data Opt-Out
Whenever you use a health or care service, such as attending Accident & Emergency or an outpatient appointment, important information about you is collected to help ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, and research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family, and future generations. Confidential personal information about your health and care is only used in this way where it is allowed by law.
You have the right to opt-out of having your data shared for the purposes of indirect care (research and planning). You can do so via the national opt-out website.
If you do choose to opt-out your confidential patient information will still be used to support your individual care. To find out more or to register your choice to opt-out, please visit Your NHS Data Matters.
If you are happy with this use of information you do not need to do anything. You can change your choice at any time.
Where to go if you have questions
Our Data Protection Officer is Kimara Sharpe (Company Secretary). The Data Protection Officer is in charge of making sure the Trust is meeting its obligations under the new data protection law. She reports in to the Chief Executive on data protection matters, and has the power to independently raise any concerns about data protection in the Trust.
If you have any questions about this Privacy Notice, how we use your personal information or the new GDPR, you can:
Write to us at:
Worcestershire Royal Hospital, Charles Hastings Way, Worcester WR5 1DD
Call us on 01905 763333
Or email us.
Contacting the Information Commissioners Office
If you continue to have concerns, or wish to escalate any issue, please contact the ICO (the UK Supervisory Authority):
Write to the ICO at: Information Commissioner's Office, Wycliffe House
Water Lane, Wilmslow, Cheshire, SK9 5AF
Call the ICO on: 0303 123 1113
Or email the ICO.
Acronyms and Terminology
Data Controller – a person (or organisation) who decides the purposes for which and the manner in which processing happens.
Data Processor – any person (other than an employee of the data controller) who processes the data on behalf of the controller.
GDPR – General Data Protection Regulation. European law which enhances data protection rights for all people living in the European Union.
ICO – Information Commissioner’s Office. The ICO is the ‘Supervisory Authority’ for the United Kingdom.
PALS – Patient Advice and Liaison Service
Personally Identifiable Information / Personal Information / Personal Data – any information relating to an identified or identifiable natural (living) person. An identifiable person is one whose identity can be established by reference to an identifier such as a name, an identification number, location data, social media posts, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person. ‘Special categories’ of personal data means information which is thought to be ‘extra sensitive’ such as ethnicity, sexual orientation and religion.
Privacy Notice - a statement that describes how an organisation collects, uses, retains and shares personal information. It will also tell you about the rights you have around your information.
Processing – in relation to information or data, means obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information or data, including organisation, adaptation, alteration, retrieval, disclosure, transmission, erasure or destruction of the data.
Pseudonymisation - the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information.
WAHT – Worcestershire Acute Hospitals NHS Trust. The healthcare provider referred to in this Privacy Notice.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time. We will ensure that we provide clear communication on the Trust website when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.