Herefordshire and Worcestershire Health and Care NHS Trust Privacy Policy

You can listen to this privacy notice as an audio recording or read the text below.

Herefordshire and Worcestershire Health and Care NHS Trust Privacy Notice 

Herefordshire and Worcestershire Health and Care NHS Trust is required to comply with the laws and regulations that apply to protecting your data and how it is used. These are the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This privacy notice tells you how the trust uses your personal information when you contact us or use our services.

Our contact details 

Name: Herefordshire and Worcestershire Health and Care NHS Trust

Address: 2 Kings Court, Charles Hastings Way, Worcester, WR5 1JR

General phone number: 01905 760000

General inquiries contact:


We are the controller for your information. A controller decides on why and how information is used and shared.

Data Protection Officer contact details 

Our Data Protection Officer is Shaun Tudge and is responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal data at

How do we get information and why do we have it? 

The personal information we collect is provided directly from you for one of the following reasons: 

  • you have provided information to seek care – this is used directly for your care, to manage the services we provide, to clinically audit our services, investigate complaints, or to be used as evidence as part of an investigation into care
  • you have applied for a job with us or work for us
  • you have signed up to our patient participation group
  • you have made a complaint

  We also receive personal information about you indirectly from others, in the following scenarios:

  • from other health and care organisations involved in your care so that we can provide you with care
  • from family members or carers to support your care.

What information do we collect?

Personal information

Personal information is any information that can be used to identify a living person. For example an individual's email address, telephone number, or NHS number.

We currently collect and use the following personal information:

  • personal identifiers and contacts (for example, name and contact details)
  • photographic identity (photo ID) (for example, photographs of staff for ID badges or our website)

More sensitive information

The UK GDPR gives extra protection to more sensitive information known as ‘special category data’. Information concerning health and care falls into this category and needs to be treated with greater care. Data that relates to criminal offences is also considered particularly sensitive.

  We process the following more sensitive data (including special category data):

  • data concerning physical or mental health (for example, details about your appointments or diagnosis)
  • data revealing racial or ethnic origin
  • data concerning a person’s sex life
  • data concerning a person’s sexual orientation
  • data revealing religious or philosophical belief
  • data relating to criminal or suspected criminal offences

Who do we share information with? 

  We may share information with the following types of organisations:

  • NHS England
  • planners of health and care services (such as Integrated Care Boards)
  • Other providers involved in your care, such as hospitals
  • NHS 111, ambulance and/or other emergency services
  • General Practitioners (GPs) in Herefordshire & Worcestershire
  • Child and adult safeguarding services
  • Social services
  • third party data processors (such as IT systems suppliers)

We may also share your information, where there is a lawful basis to do so, with:

  • NHS Improvement
  • Education services
  • Local authorities
  • Voluntary and Social care sector providers
  • Private sector organisations who are involved in your care
  • Care Quality Commission
  • Other National and Government agencies e.g. The National Confidential Inquiry into Suicide and Safety in Mental Health

In some circumstances we are legally obliged to share information. This includes:

  • when required by NHS England to develop national IT and data services 
  • when registering births and deaths
  • when reporting some infectious diseases
  • when a court orders us to do so
  • where a public inquiry requires the information

We will also share information if the public good outweighs your right to confidentiality. This could include:

  • where a serious crime has been committed
  • where there are serious risks to the public or staff
  • to protect children or vulnerable adults

We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality. These purposes will include complying with the law and public interest reasons.

The Connecting Care Record (formerly Herefordshire and Worcestershire Shared Care Record)

When you visit your GP or hospital, they can’t see all of your health and care information, so you can end up answering the same questions about the medicines you take, the treatment you’ve had, and whether you have any allergies.

This is because they all use different computer systems to record your details and as these systems aren’t connected, the health and care organisations looking after you can’t see the information which the other holds on you. 

The Trust works with other health and social care organisations to share information that will form part of your Collaborative Care Record. The Connecting Care Record allows health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you. Information we hold about you will be available, to read only, to other health and care professionals in Herefordshire and Worcestershire, Birmingham and Solihull, and Coventry and Warwickshire when they are involved in your health or social care.

For more information on how your data is used on the Connecting Care Record and how to exercise your rights please see the full privacy notice on the Herefordshire and Worcestershire Integrated Care System (ICS) website.

Herefordshire and Worcestershire ccg - Shared Care Record

Is information transferred outside the UK? 

We do not routinely transfer information overseas, but if there is a need to do so we will ensure that the security and protections that are put in place are of an equivalent standard to those that we use internally when processing your information.

What is our lawful basis for using information?

Lawful basis for using information for the provision of individual care and administrative purposes:

We process personal information for a number of different reasons, but the main reasons that we use personal information are for providing direct care and for administrative purposes. We have a statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to the common law duty of confidentiality, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Personal information

Under the UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for using personal information is: 

6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority …'

More sensitive data

For ‘special category data’, such as data concerning health and care, the UK GDPR Article 9 condition for the lawful processing of personal data for direct care and administrative purposes is:

9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Local administrative purposes include:

  • waiting list management
  • performance against national targets
  • activity monitoring
  • local clinical audit
  • production of datasets to submit for commissioning purposes and national collections
  • local clinical supervision
  • teaching and training
  • patient surveys

You have the right to refuse/withdraw your consent to information sharing at any time. Please discuss this with your relevant health care professional as this could have implications in how you receive further care, including delays in you receiving care.

However, a person’s right to confidentiality is not absolute and there may be other circumstances where we must share information from your patient record with other people. In these rare circumstances we are not required to have your consent.

Examples of this could be:

  • in order to comply with a court order
  • to protect someone’s life
  • for safeguarding purposes
  • if your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases
  • to prevent or detect serious crime
  • if you are subject to the Mental Health Act, there are circumstances in which your ‘nearest relative’ must receive information even if you object
  • in the legitimate interests of the Trust e.g. if it were necessary in order to defend ourselves in court
  • where the Trust is required to participate in national fraud detection exercises, such as the Cabinet Office's bi-annual National Fraud Initiative
  • Quality surveys, such as NACEL (National Audit of Care at the End of Life).

Common law duty of confidentiality

In our use of health and care information, we satisfy the common law duty of confidentiality because: 

  • you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
  • we have a legal requirement to collect, share and use the data
  • for specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case by case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service

Lawful basis for processing information outside of provision of individual care:

Personal information

Under the UK General Data Protection Regulation (UK GDPR) Article 6, other lawful bases we rely on for using personal information include:

(a) We have your consent - this must be freely given, specific, informed and unambiguous.  

(b) We have a contractual obligation - between a person and a service, such as a service user and privately funded care home.

(c) We have a legal obligation - the law requires us to do this, for example where NHS England or the courts use their powers to require the data. See this list for the most likely laws that apply when using and sharing information in health and care.

(e) We need it to perform a public task - a public body, such as an NHS organisation or Care Quality Commission (CQC) registered social care organisation, is required to undertake particular activities by law.

(f) We have a legitimate interest

More sensitive data

Under UK GDPR Article 9, the lawful basis we rely on for using information that is more sensitive (special category):

(b) We need it for employment, social security and social protection reasons (if authorised by law). See this list for the most likely laws that apply when using and sharing information in health and care.

(f) We need it for a legal claim or the courts require it.

(g) There is a substantial public interest (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

(h) To provide and manage health or social care (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

(i) To manage public health (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

(j) For archiving, research and statistics (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

How do we store your personal information?

We will only keep your information for as long as necessary and in accordance with the NHS Records Management Code of Practice 2021 retention schedule. The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes (for example your email address) during your relationship with us.

What are your data protection rights?

There are 8 rights under the UK GDPR; the relevant rights to this Privacy Notice are considered below.

Right to be Informed - This Privacy Notice is our main way of letting you know what personal information we hold about you and who we share it with etc. We have endeavoured to be as open and as honest as we can in this Notice, ensuring that we use concise, easily understood information that is written in clear and plain language. If there are any parts of this Privacy Notice that you do not understand then please get in touch with our Data Protection Officer. The contact details are below.

Right of Access - You have the right to ask us for copies of your personal information (known as a subject access request).

More information on how to do this is available on the access to health records pages on the Trust website.

Right to rectification - You have the right to request that we correct any personal data if it is found to be factually inaccurate or out of date. You also have the right to ask us to complete information you think is incomplete.

Right to Erasure - You have the right to request your personal data is erased in certain circumstances. Note: information contained in health records will not be erased as it forms part of a legal document and it was collected for the purposes of direct care.

Right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.

Right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at if you wish to make a request.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

National data opt-out

Herefordshire and Worcestershire Health and Care NHS Trust is one of many organisations working in the health and care system to improve care for patients and the public. Whenever you use a health or care service, such as attending a Minor Injuries Unit or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use health and care services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear lawful basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential health and care information is only used like this when allowed by law.

Whenever possible data used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed.

You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit .

You can change your mind about your choice at any time.

You can also find out more about how patient information is used at: NHS Health Research Authority - Patient information and health and care research (which covers health and care research).

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

How do I complain?

If you have any concerns about our use of your personal information, you can make a complaint to us at  

Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.

Herefordshire and Worcestershire Health and Care NHS Trust is registered with the Information Commissioner's Office (the UK’s Supervisory Authority). Our Registration Number is Z2745227

The ICO’s address is:    

Information Commissioner’s Office

Wycliffe House

Water Lane





Helpline number: 0303 123 1113

ICO website:


Date of last review:

07 June 2024

Next review scheduled:

September 2024

Other formats available:

The Trust website also details how to get in touch if information is required in an alternative format (e.g. easy read, braille). Further information can be accessed via the link below:

Accessibility statement - Herefordshire and Worcestershire Health and Care NHS Trust

A copy of this Privacy Notice can be downloaded below and printed: