The types of patient information
The Trust holds a range of information about each patient including:
- Personal identifiers: name, date of birth, NHS number
- Personal characteristics: ethnicity, gender
- Contact details: address, telephone number, email address
- Next of kin details
- Details of:
- referrals, clinic appointments and admissions,
- health diagnosis and treatment plans, and
- investigations including scans, x-rays, pathology tests
By providing the Trust with contact details, patients are consenting to the Trust using these details as a means of communicating about care, i.e. letter, text, voice-mail or email communication.
To help us keep accurate information about you please tell us if your personal details change so that we can update them. If you need to update your details, please inform the clinic or ward staff during your next visit, or contact your consultant’s secretary.
We also process pseudonymised national Hospital Episode Statistics (HES) data obtained from NHS Digital about individuals from across the country.
We also have duties under common law, Information provided in confidence will therefore only be used for the purpose it was obtained or consented to by the patient.
Why we use this information
Information is held to provide appropriate care and treatment, whether privately funded or NHS funded. Our staff, including doctors, nurses, and other healthcare professionals, use your information to:
- Assess your health and make decisions about ongoing care, treatment, and health protection.
- Ensure that your care is safe and effective.
- Effectively work with other professionals who are providing your care.
NHS organisations are expected to participate and support health and care research. University Hospitals of Derby & Burton is research active, and your information may be used to support this. Please visit our Research webpages for more information (opens in new window) >
Patient information may also be used to help us to:
- Carry out clinical audit
- Make sure our services meet patient’s needs in the future
- To obtain feedback about your experience, through our Friends & Family questionnaire in order make changes/improve services
- Investigate concerns, complaints, claims or untoward incidents
- Provide statistics on NHS performance and activity
- Train and educate our staff (you have the right to choose whether to be involved personally)
- Receive payment for the care we provide.
- Conduct health research and development
Lawful basis
Data protection law requires us to have a ‘lawful basis’ for using people’s data.
The lawful basis for processing patient data is UK GDPR Article 6.1(e) Public Task - processing is necessary for us to perform a task in the public interest or for official functions. For private patients we also use Article 6.1(b) Necessary for the performance of a contract. For processing special category data the condition is Article 9.2(h) - processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment.
The lawful basis for processing HES data is Article 6.1(e) for the performance of a task carried out in the public interest and special category data Article 9.2(g) processing is necessary for reasons of substantial public interest.
For statistics and research data the lawful basis is Article 9.2(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes in accordance with Article 89(1) and DPA Schedule 1 part 1(4).
Read more about patient information and health and care research (opens in new window) >
Sharing your information
Your information may be shared with other organisations or individuals depending on your circumstances:
- GPs, other NHS health & social care staff or private sector providers for the purpose of providing direct care. These teams may include healthcare professionals (doctors, nurses, pharmacists, physiotherapists, and occupational therapists), administrative support staff, pathology staff and radiology staff. This enables relevant discussions as ‘a team’ for the benefit of the patient’s care, across care settings.
- Department of Health for the purposes of planning, managing, and auditing healthcare services
- National disease, treatment, or genetic registries, such as the National Disease Registration Service (opens in new window) >
Health law sets out a duty for information to be shared where it facilitates care for an individual and it is legal to do so. Confidential information is shared with other health professionals who are involved in the direct care of a patient. You may receive care from other organisations. We may need to share your information with social services, education services, local authorities, voluntary sector providers (with your consent) to help with the management/support of your care and work together for your benefit. We will only pass on information if there is a genuine need.
Shared Care Records
Organisations providing care are increasingly working together to ensure patients receive the most appropriate treatment at the earliest opportunity. This is particularly important following the coronavirus pandemic where waiting lists are high, and patients may be able to be seen more quickly in a different organisation. To support this, we may share your information with, or receive information from, another organisation to determine if you can receive treatment more quickly. If quicker or more appropriate treatment is possible then you will be contacted with further information on the options available to you. Please be assured that this information is being shared for direct care purposes only and all organisations will treat your information confidentially.
The Trust is also a member of the East Midlands Radiology Consortium (EMRAD) which aims to deliver timely and expert radiology services to patients across the East Midlands, regardless of where they are being treated.
Visit the East Midlands Imaging Network (known as EMRAD) website (opens in new window) >
To support the sharing of information to provide you with the best treatment, different regions have Shared Care Records. This means details about your needs, and how you receive care, will be shared with partner organisations involved in your care. Performance information is depersonalised and shared with our commissioners (those who pay for the care you receive) for the purpose of capacity management. This information sharing is in addition to information sharing required to support the provision of safe care, and is about managing the resources of health and social care colleagues, to work better together. The approach is to enable connection of teams across traditional organisational boundaries, and enable the delivery of part of the NHS Long Term plan: access NHS website for NHS Long Term plan (opens in new window) >
Depending on where you live and receive care, the Trust shares with the Staffordshire or Derbyshire shared care record. More information about Derbyshire can be found here: Access Joined Up Care Derbyshire website (opens in new window) >. More information about Staffordshire can be found here: Access Staffordshire ICS Website (opens in new window) >
Can I object to sharing?
Shared Care Records are designed to share information between professionals quickly to improve the quality and efficiency of your care. By withdrawing, you understand that you will not benefit from these improvements. You can also change your mind at any time about whether you wish to share your record. If you wish to opt out of the automatic sharing of your health record from this Trust to Shared Care Records:
For purposes beyond your care, you can ‘opt out’ from sharing. The Trust is compliant with the National Data Opt-out Policy. To find out more about the National Data Opt-out, please visit the NHS Digital website (opens in new window) >
There may be times when we need to share your information without your consent and regardless of your National Data Opt-out status when required to do so by law, i.e.
- Organisations with statutory investigative powers – i.e. Care Quality Commission, GMC, Health Service Ombudsman.
- when there is a risk of harm to you or others,
- where we believe the reasons for sharing are so important that they override our obligation to confidentiality (i.e. to support the investigation of a serious crime)
- where we have been instructed to do so by a court
- where we are legally required to do so to control infectious diseases.
How we use your information
Our Trust uses patient information in various formats. Some information is used in printed form, for example identity labels, drug charts, pathology test order forms. Other information is used electronically, for example on smartphones, tablet computers, laptops, or special devices like scanners.
The Trust uses computerised processing of electronic patient data. Processed information can be shared with clinical stakeholders, subject to our Information Governance Policy and controls. This processing is limited to:
a) Improving clinical and personal records to ensure the information held is accurate
b) Ensuring the data held reflects the reason for attendance, admission, or employment
c) Maintaining up to date records for information relevant to an individual’s personal, clinical and employment guidelines and circumstances in practice at that time
d) Secure data mining and where required, cleansing for research and statistical purposes to improve data quality, and is actioned for mutual benefit for the individual and the Trust
How long we keep your information for
We will retain your information for at least as long as required by the NHS Records Retention Schedule. In general health records must be stored for 8 years, but for some types of information the period is shorter or longer than this.
Storage space on Trust sites is limited so paper records are sent to offsite secure archiving facilities.
Your legal rights about your information
You have the legal right to confidentiality and a range of other rights under the Data Protection Act 2018.
- The right to be informed – you have the right to know what information we hold about you, what we use it for and if the information is shared, who it will be shared with, which we do through this privacy notice and patient leaflets.
- The right of access – many of our patients can view their information via a Patient Portal. If you are eligible for this, you will receive a message about registering with Patient Knows Best (PKB). Only if you choose to register with this service will the Trust upload your health information to the portal. It is your choice how much information you can access via PKB; information is not shared more widely. Visit Online Patient Portal page >. Other information can be requested from the Medical Records Department. Visit Medical Records page >.
- The right to rectification – this is your right to have your data corrected if it is inaccurate or incomplete. You will need to tell us what you believe to be incorrect and we will then check with the person who recorded the information. We will correct factual mistakes and provide you with a copy of the corrected information. If you are not happy with an opinion or comment that has been recorded, we will add your own comments to the record so they can be viewed alongside any information you believe to be incorrect.
- The right to erasure – you have a ‘right to be forgotten’ where the Trust will delete your data, but this only applies where there is no compelling reason to continue processing your data. Your health record is retained in accordance with NHS national guidance, and because of our legal obligation to keep health records, it is extremely rare that we destroy or delete records earlier than the recommended retention period. However, if you believe you have compelling grounds for having all or part of your record erased you should contact our Data Protection Officer. The clinician in charge of your care and our Caldicott Guardian will decide whether we can safely accommodate your request. If you are unhappy with our decision you may wish to register a complaint to the Information Commissioner.
- The right to restrict processing – this is your right to block or suppress the processing of your personal data. If you raise an issue relating to your health record that requires us to restrict processing, we will investigate your concerns. Please note it will not be possible to restrict processing while you are receiving care and treatment at the hospital.
- The right to data portability – this is your right to obtain and re-use any information you have provided to us as part of an automated process. At present we do not process any personal data that meets this requirement.
- The right to object – this is your right to object to the hospital processing your health data because of your situation. Because of our obligation to keep health records it is extremely rare that we stop processing data if patients wish to continue to be treated by the Trust. If you believe you have compelling grounds for us to stop processing your data, you should contact our Data Protection Officer. The clinician in charge of your care and our Caldicott Guardian will decide whether we can safely accommodate your request. If you are unhappy with our decision you may wish to register a complaint to the Information Commissioner.
- Rights in relation to automated decision making and profiling – GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. While the hospital may use systems to determine how well a patient is, it does not replace our staff’s clinical judgements when making decisions about your care.
Questions or complaints
If you wish to discuss any other issues regarding your data wish to make a complaint please contact our Data Protection Officer via:
If you are still unhappy with the outcome of your enquiry you can write to: The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF - Telephone: 01625 545700
