
General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) came into force on 25 May 2018, replacing the Data Protection Act 1998.
The GDPR is designed to strengthen and unify individuals' data protection. In simple terms, it means there is a new set of standards to strengthen the control people have over their personal data. An overview of GDPR can be found here.

Worcestershire Acute Hospitals NHS Trust Privacy Notice

Being honest and clear with patients and staff about how the Trust uses personally identifiable information is an important part of the way we provide healthcare. Personal Information is about you. We believe that it is very important to protect your information in all that we do, and use it in the way the law says we can. We take care to put in place controls to make sure your information is safe. We also do checks to make sure that our controls are working.

The EU General Data Protection Regulation (GDPR) gives everyone in the UK more rights around controlling their personal information. It asks all organisations to be really clear with patients, customers, clients and staff about what we do with personal information. The normal way to do this is in a Privacy Notice.


What is a Privacy Notice?

A Privacy Notice is a statement that describes how an organisation collects, uses, retains and shares personal information. It will also tell you about the rights you have around your information.

What does our Privacy Notice tell you?

  • Why we need your personal information,
  • The legal basis for collecting and holding your personal information,
  • How it will be used, and,
  • Who it will be shared with.

What is Personally Identifiable Information?

Personally identifiable information is any information that relates to an identified or identifiable living individual. It could be on paper, an IT system or video. In our Privacy Notice we also refer to it as ‘personal information’.

For example it could be: name, address, email, telephone number, NHS number, location, or any health related data. For members of staff, it will include items such as your length of service, salary details or hours of work.

Who are we and what do we do?

Worcestershire Acute Hospitals NHS Trust provides hospital-based services from three main sites - the Alexandra Hospital in Redditch, Kidderminster Hospital and Treatment Centre, and Worcestershire Royal Hospital in Worcester.
We provide a wide range of services to a population of more than 575,000 people in Worcestershire as well as caring for patients from surrounding counties and further afield.

Last year we provided care to more than 232,644 different Worcestershire patients – that is 40% of the Worcestershire population received care at one of our hospitals. We employ nearly 6,000 people and around 800 local people volunteer with us helping to deliver care. We have an annual turnover of over £360 million.

Worcestershire Acute Hospitals NHS Trust is the ‘data controller’. This means that we decide why and how personal information is processed.

Our main contact address is: Worcestershire Royal Hospital, Charles Hastings Way, Worcester WR5 1DD

Our main contact telephone number is: 01905 763333

Why do we hold your personal information?

In short, we hold your information to help us provide your healthcare. We hold staff information to ensure that we know who works for us, and so we can pay and train them.

For example:

If you are a patient, we use your medical details to provide healthcare to you, and to ensure we join up your information (e.g. your patient notes, scans, x-rays, clinic appointments and A&E visits). We keep records of your allergies and health conditions to ensure we provide you with good care each time you visit us. The Trust keeps details of your next of kin / emergency contact in case we need to get in touch with someone, if you are not able to do it yourself. We use your contact details to let you know about your healthcare. For example, we might send you a letter, call you on the phone, text or email you to let you know about an appointment or some results.

If you contact the Trust for a reason unrelated to direct healthcare, for example to make a complaint, or submit a press enquiry or a Freedom of Information request, we will use the information you provide to keep in contact with you, and to look into or investigate your request.

If you visit our website, we use cookies to help make our website work more efficiently. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

If you use the free patient Wi-Fi service, this is provided in conjunction with BT and is also subject to their policies and procedures. All information relating to the BT terms and conditions of this service is available at https://www.btwifi.co.uk/terms-and-conditions. We may collect the following information: name, contact information including email address, device information including MAC address, length of browsing time using the Wi-Fi service, websites visited, Wi-Fi bandwidth utilisation. We use this information to understand your needs and provide you with a better service, keep records, provide statistics and analyse public flow through the hospital. We use traffic log cookies to identify which pages are being used on our website to help us analyse data about web page traffic and improve our website. We only use this information for statistical analysis purposes and then the data is removed from the system. Users can modify their settings to decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from using the free Wi-Fi service.

If you apply for a job at the Trust, Worcestershire Acute Hospitals NHS Trust is the data controller for the information you provide during the process unless otherwise stated. All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary. We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for. We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. You don’t have to provide what we ask for, but it might affect your application if you don’t.

What we do with your Personal Information

Patient records are used to directly manage and deliver healthcare to you to ensure that:

  • the staff involved in your care have accurate and up to date information to assess and advise on the most appropriate care for you
  • staff have the information they need to be able to assess and improve the quality and type of care you receive
  • appropriate information is available if you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or healthcare provider

Staff personal information is processed for the purposes of:

  • staff administration and management (including payroll and performance)
  • pensions administration
  • education, training and development requirements
  • health administration and services
  • information and databank administration
  • business management and planning, including accounting and auditing
  • conducting performance reviews, managing performance and determining performance requirements
  • complying with health and safety obligations
  • equal opportunities monitoring

What we may do with your Personal Information

Patient personal information we collect may also be used to:

  • remind you about your appointments and send you relevant correspondence
  • review the care we provide to ensure it is of the highest standard and quality, e.g. through audit, service improvement and research, for example the Friends and Family Test (FFT)
  • support the funding of your care, e.g. with commissioning organisations
  • prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies
  • help to train and educate healthcare professionals
  • report and investigate complaints, claims and untoward incidents
  • report events to the appropriate authorities when we are required to do so by law
  • review your suitability for research studies or clinical trials
  • contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients

Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it, and we will only use or share the minimum information necessary.

Staff personal information we collect about you may also be used:

  • for crime prevention and prosecution of offenders
  • for sharing and matching of personal information for national fraud initiatives
  • to monitor your use of information and communication systems to ensure compliance with IT policies
  • when dealing with legal disputes involving you or other employees, workers and contractors, including accidents at work
  • when gathering evidence for possible grievance or disciplinary hearings

How long we will keep your personal information for

The length of time we hold your personal information for will depend on what kind of information it is. The Trust has a Records Management Policy which sets out categories of information, and how long we keep the information for.

Corporate Records Management Policy and Procedure (WAHT CG 127) (PDF, 940 KB)

Corporate Records Management Retention Schedule Appendix 12 (PDF, 1.39 MB)

In accordance with the NHS Retention Schedule, there are national rules around the retention and destruction of patient records, which set out the appropriate length of time each type of NHS record is retained.

For more information, please visit the NHS Digital website.

All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.

Your Information Rights

There are 8 rights under the GDPR; the relevant rights to this Privacy Notice are considered below.

Right to be informed

The Trust must let you know what personal information we hold about you, in clear plain language. This Privacy Notice is our main way of letting you know these details. The Trust has produced ‘signposting’ posters to make sure you know where to come to look at the Privacy Notice. You will also be aware of the information which forms part of your patient record through communication with our staff.

If you apply for a job with the Trust, or work for the Trust, then you will be aware of the personal information you have provided as part of this process or contract.

Right of access

If you are a patient or an employee, you have a right to obtain a copy of your personal information. If you are a patient, you may want a copy of your medical notes. If you are a job applicant or employee, you may want a copy of your file. The process of asking for access to your personal information is known as a Subject Access Request.

Our Subject Access Request Policy is available here:

Subject Access Request Policy 2018 (PDF, 195 KB)

To complete a Subject Access Request, please submit the relevant form:

Health Records

GDPR Application Form for Health Records (document, 58 KB)

Employment and occupational health records

GDPR Application Form for Employment and Occupational Health Records (document, 59 KB)

Complaints and PALS

GDPR Application Form for Complaint and PALS (document, 58 KB)

Incident investigation

GDPR Application Form for Incident Investigation (document, 58 KB)

Right to rectification

You have the right to have your personal information corrected if it is inaccurate or incomplete.

Contemporaneous records will not be altered or amended unless the information is proven to be incorrect or misleading as to any matter of fact. Where there is a difference of opinion between the maker/holder of the record and the person (or their legal representative if the person is under 13 years of age or lacks capacity) to whom the information relates then an addendum should be added to the record, at the point where the information is being contended, indicating that the person has challenged the accuracy of the information and their reasons for this.

If you believe there is something in your patient or staff record which needs rectifying or updating – such as a change of address or a new phone number – please notify the reception staff at your point of care. If you are an employee, please log on to ESR and amend your personal details, or let your line manager know. If you need another way to get in touch, please email us with full details of your suggested amendment.

Right to erasure

For personal information in health records, and staff records, this right is generally not applicable. Where there is a law we have to comply with so we can perform our role in healthcare or as an employer, we do not have to erase this personal information.


What does the law say about your personal information?

  • If you are a patient or emergency contact, we can collect and use your information because we are using it for your treatment, or to organise your care. We may also be required to use your information as part of nationally mandated statistical returns.
  • If you are a patient, the law says we can use your information to invite you to take part in patient surveys. It is in the public interest to know what our patients think about the services we provide – it helps us to make our services better. If you do not want to take part, please just let us know.
  • If you work for the Trust, we use your information to look after you at work. This includes things like making sure you are paid, keeping a log of annual leave and any sickness, and making sure you have done your training.
  • If you are using the free Wi-Fi in our hospitals, you will be asked to say yes or no (consent) to your information being used and shared with BT. The Trust is then allowed to use and share your information as described if you say ‘yes’.
  • If you volunteer for the Trust, you will be asked to say yes or no (consent) to your information being held by the Trust.

Lawful basis of processing

For patients, in relation to personal information related to the treatment or administration of health services, or for identified ‘next of kin’, and for provision of patient information as part of nationally required statistical returns:

Article 9(2)(h)

“Article 9 Processing of special categories of personal data

  1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

  2. Paragraph 1 shall not apply if one of the following applies:...
    (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;...

  3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies.”

The Member State law referred to in Article 6(3) is the common law duty of confidentiality which applies to all NHS staff. For more information on the common law duty of confidentiality please visit the Department of Health website.

For patients, in relation to personal information used for nationally mandated surveys:

Article 6(1)(e)

“Article 6 Lawfulness of processing

  1. Processing shall be lawful only if and to the extent that at least one of the following applies:...
    (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”

For job applicants, and people employed by the Trust, whether paid or unpaid, either directly or through a third party:

Article 6 (1)(b)

“Article 6 Lawfulness of processing

  1. Processing shall be lawful only if and to the extent that at least one of the following applies:...
    (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;”

For users of the free Trust Wi-Fi:

Article 6 (1)(a)

“Article 6 Lawfulness of processing

  1. Processing shall be lawful only if and to the extent that at least one of the following applies:...
    (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes”

For people who volunteer for Worcestershire Acute Hospitals NHS Trust:

Article 6 (1)(a)

“Article 6 Lawfulness of processing

  1. Processing shall be lawful only if and to the extent that at least one of the following applies:...
    (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes”

Who helps the Trust with processing personal information?

The Trust has various arrangements and contracts in place to help us provide our services. This can be for different reasons. For example: the Trust may not have the skills or knowledge for our employees to do the task; the company may do the task for all NHS Trusts; or it might provide us with the best service at the best price to do it this way.

The Trust is responsible for making sure any third party who processes your personal information is doing so in the right way. This means safely, securely, legally and confidentially. Third parties can only do what the Trust tells them with the data – they cannot use it for anything else.

Our main IT systems are supported by large companies who provide systems for gathering and keeping patient information. Examples would be Xerox, Allscripts, Computacentre, NHSmail, Bluespier, and Northgate.

For workforce Personal Information, SBS administer the Trust payroll. In order for them to do this, we share personal staffing information with them. NHS Jobs administer our vacancies and recruitment, so if you apply for a job with us, this is where you will enter your details. The Trust remains the ‘data controller’ in both these cases.

Current list of data processors

Completed Data Collection Sheet April 2017 (spreadsheet, 35 KB)

The Trust is currently conducting a ‘data mapping’ exercise to ensure that we have all known processes documented. This document will continue to be updated as we gather this information.

Personal information may be transferred to, and processed in, countries other than the country in which you live by companies who help us process information. These countries may have data protection laws that are different to the laws of your country and, in some cases, may not be as protective.

The Trust, and the companies we work with, have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice. These include implementing the European Commission’s Standard Contractual Clauses for transfers of personal information. This requires any companies doing this to protect personal information they process from the European Economic Area in accordance with European Union data protection law.

Any relevant Standard Contractual Clauses can be provided on request. The Trust continues to keep any such transfers under close review by the WAHT GDPR Working Group, to ensure processing is in line with this Privacy Notice.

Who does the Trust share information with?

Patient information

The Trust shares patient personal information with a range of organisations or individuals for a variety of lawful purposes, including:

  • With General Practitioners (GPs) and other NHS staff (hospitals, community services or ambulance services) for the purposes of providing direct care and treatment to the patient, including administration;
  • With social workers or to other non-NHS staff involved in providing healthcare;

Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:

  • When the patient has given their explicit consent to the sharing;
  • When the patient has implicitly consented to the sharing for direct care purposes;
  • When there is a Court Order or a statutory duty to share patient data;
  • When there is a statutory power to share patient data;
  • When the sharing of patient data without consent has been authorised by the Confidentiality Advisory Group of the Health Research Authority (HRA CAG) under Section 251 of the NHS Act 2006.

Where patient information is shared with other non-NHS organisations, or for reasons other than direct patient care, it is good practice for an information sharing agreement to be drawn up to ensure that information is shared in a way that complies with all relevant legislation. The main Information Sharing Protocols for the Trust are available here.

Privacy Notice Sharing Protocols 2018 (spreadsheet, 13 KB)

Where to go if you have questions

Our Data Protection Officer is Kimara Sharpe (Company Secretary). The Data Protection Officer is in charge of making sure the Trust is meeting its obligations under the new data protection law. She reports to the Chief Executive on data protection matters, and has the power to independently raise any concerns about data protection in the Trust.

If you have any questions about this Privacy Notice, how we use your personal information or the new GDPR, you can:

Write to us at:
Worcestershire Royal Hospital, Charles Hastings Way, Worcester WR5 1DD

Call us on 01905 763333

Or email us.

Contacting the Information Commissioner's Office

If you continue to have concerns, or wish to escalate any issue, please contact the ICO (the UK Supervisory Authority):

Write to the ICO at: Information Commissioner's Office, Wycliffe House
Water Lane, Wilmslow, Cheshire, SK9 5AF

Call the ICO on: 0303 123 1113

Or email the ICO.

Acronyms and Terminology

Data Controller – a person (or organisation) who decides the purposes for which and the manner in which processing happens.

Data Processor – any person (other than an employee of the data controller) who processes the data on behalf of the controller.

GDPR – General Data Protection Regulation. European law which enhances data protection rights for all people living in the European Union.

ICO – Information Commissioner's Office. The ICO is the ‘Supervisory Authority’ for the United Kingdom.

PALS – Patient Advice and Liaison Service

Personally Identifiable Information / Personal Information / Personal Data – any information relating to an identified or identifiable natural (living) person. An identifiable person is one whose identity can be established by reference to an identifier such as a name, an identification number, location data, social media posts, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person. ‘Special categories’ of personal data means information which is thought to be ‘extra sensitive’ such as ethnicity, sexual orientation and religion.

Privacy Notice - a statement that describes how an organisation collects, uses, retains and shares personal information. It will also tell you about the rights you have around your information.

Processing – in relation to information or data, means obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information or data, including organisation, adaptation, alteration, retrieval, disclosure, transmission, erasure or destruction of the data.

Pseudonymisation - the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information.

WAHT – Worcestershire Acute Hospitals NHS Trust. The healthcare provider referred to in this Privacy Notice.


Changes to this privacy notice

We reserve the right to update this privacy notice at any time. We will ensure that we provide clear communication on the Trust website when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.



4ward is our Trustwide culture change programme which is helping us build a more positive, supportive workplace for the benefit of our patients and colleagues. At its heart are our four 4ward Behaviours.