Herefordshire and Worcestershire Health and Care NHS Trust Privacy Policy

Herefordshire and Worcestershire Health and Care NHS Trust is required to comply with the laws and regulations that apply to protecting your data and how it is used. They are the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Purpose of our Privacy Notice

Herefordshire and Worcestershire Health and Care NHS Trust appreciates the trust you place in us when you share your personal information and we take your confidentiality and privacy rights very seriously. We believe that being open and honest with you about how your information is used and kept safe is extremely important.

In our Privacy Notice we will explain how we collect, use, store and protect your personal information. We will also explain what rights you have with regards to your personal information and how you can exercise those rights.

Who we are and what we do

Herefordshire and Worcestershire Health and Care NHS Trust provides NHS services in Herefordshire and Worcestershire including mental health and community care.

We deliver a wide range of services in a variety of settings, including in people’s homes, care homes, schools, community centres and our inpatient facilities including our five community hospitals.

We provide services to people across all age groups, from health visiting for new born babies and their families, to services which support older people with complex health and social care needs.

What is personal information?

‘Personal information’ means any information relating to an identified or identifiable living person. This includes things like: your name, address, date of birth, sex, NHS number and telephone number. The Trust also collects and uses personal information that is called ‘special category’ information and this includes things like: your physical or mental health information, racial, ethnic or sexual origination.

Purposes and the legal basis for the processing

The Trust processes personal information for a number of different reasons The main reason the Trust uses personal information is for providing direct care and administrative purposes. The Trust has a statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to both the common law duty of confidence, the UK GDPR and the Data Protection Act 2018. For common law purposes, sharing information for direct care is on the basis of implied consent, which may also cover administrative purposes where the patient has been informed or it is otherwise within their reasonable expectations.

Under the UK GDPR for the processing of personal data in the delivery of direct care and for administrative purposes, the UK GDPR Article 6 condition for lawful processing that applies is:

  • 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

Personal data concerning health are ‘special categories’ of personal data; and the UK GDPR Article 9 condition for the lawful processing of personal data for direct care and administrative purposes is:

  • 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Local administrative purposes include:

  • waiting list management
  • performance against national targets
  • activity monitoring
  • local clinical audit
  • production of datasets to submit for commissioning purposes and national collections
  • local clinical supervision
  • teaching and training
  • patient surveys and communication
  • Stakeholder briefings

You have the right to refuse/withdraw your consent to information sharing at any time. Please contact the Trust if you wish to withdraw your consent. A person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other people. In these rare circumstances we are not required to have your consent.

Examples of this could be

  • in order to comply with a court order
  • to protect yours, or someone else’s life
  • for safeguarding purposes
  • if your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases
  • to prevent or detect serious crime
  • if you are subject to the Mental Health Act, there are circumstances in which your ‘nearest relative’ must receive information even if you object
  • in the legitimate interests of the Trust e.g. if it were necessary in order to defend ourselves in court
  • where the Trust is required to participate in national fraud detection exercises, such as the Cabinet Office's bi-annual National Fraud Initiative
  • Quality surveys, such as NACEL (National Audit of Care at the End of Life)

Where we do this we will process your personal and/or special category in compliance with the lawful conditions set out in the UK GDPR Articles 6 and 9. If we want to process your information for other purposes that are not described above then we will seek your consent to do so before we process it.

Please be assured that the information in your patient record will only be used for purposes that benefit your care - we will never share it for marketing or insurance purposes.

Full details of how we process your personal information can be found in our Record of Processing Activities (ROPA) information on the Trust website.

Who we share your information with

To help give you the best care possible, sometimes we will need to share information about you and your health. This information is shared to make sure we and other colleagues know enough about your needs to support you.

We may share your information with the following types of organisations:

  • Other NHS organisations, including NHS Trusts, NHS 111, ambulance and/or other emergency services
  • Child and adult safeguarding services
  • Social services and local authorities
  • Care Quality Commission and other regulatory authorities
  • Voluntary and community sector

Where we share your information, we will have appropriate technical and operational measures in place. There will be either a contract and/or an information sharing agreement in place. We will only share your information where we are satisfied that there are sufficiently secure arrangements in place with the other organisation(s).

National Data Opt-out Programme

Herefordshire and Worcestershire Health and Care NHS Trust is one of many organisations working in the health and care system to improve care for patients and the public. Whenever you use a health or care service, such as attending a Minor Injuries Unit or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment. The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • Improving the quality and standards of care provided
  • Research into the development of new treatments
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law. Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn't needed. You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care. Find out more or to register your choice to opt out. On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at: NHS Health Research Authority - Patient information and health and care research (which covers health and care research) and Understanding Patient Data - What you need to know (which covers how and why patient information is used, the safeguards and how decisions are made).

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement. Health and care organisations have until 30 September 2021 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

Sharing Overseas

The Trust does not routinely transfer information overseas, but if there is a need to do so we will ensure that the security and protections that are put in place are of an equivalent standard to those that we use internally when processing your information.

How long do we keep your information for?

The Trust will only keep your information for as long as necessary and in accordance with the Records Management Code of Practice 2020. The code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes (for example your contact information or home address) during your relationship with us.

Your Rights

There are eight rights under the UK GDPR; the relevant rights are considered below.

Right to be Informed - Our Privacy Notice is our main way of letting you know what personal information we hold about you and who we share it with etc. We have endeavoured to be as open and as honest as we can in our Notice, ensuring that we use concise, easily understood information that is written in clear and plain language.

If there are any parts of our Privacy Notice that you do not understand then please get in touch with our Data Protection Officer. The contact details are below.

Right of Access – You have the right to request access to or a copy of your personal data which the Trust holds about you.  More information on how to do this is available on the access to health records pages on the Trust website.

Right to rectification – You have the right to request that The Trust corrects any personal data if it is found to be factually inaccurate or out of date.

Right to Erasure – You have the right to request your personal data is erased. Note – information contained in health records will not be erased as it forms part of a legal document and it was collected for the purposes of direct care.

Right to restrict processing – You have the right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on any further processing.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have robust procedures in place to manage any suspected personal data breaches, and will notify you and any applicable regulator of a breach where we are legally required to do so.

Who to contact for more information

The Trust’s Data Protection Officer is Rob Neill – Head of Information Governance.

If you have any questions about our Privacy Notice or how we use your personal information, please get in touch.

Write to us at:

Herefordshire and Worcestershire Health and Care NHS Trust

2 Kings Court

Charles Hastings Way



Tel: 01905 760000

Visit the Trust website

If you wish to know more about your rights, have any concerns or wish to escalate an issue then please contact the UK’s Supervisory Authority, the Information Commissioner's Office (ICO):

Information Commissioner's Office

Wycliffe House

Water Lane




Visit the Information Commissioner’s Office website

Call the ICO on: 0303 123 1113


Herefordshire and Worcestershire Health and Care NHS Trust is registered with the Information Commissioner's Office (the UK’s Supervisory Authority). Our Registration Number is Z2745227.

HWCHT Privacy Notice

HWCHT Privacy Notice - Children

HWCHT Privacy Notice for Employees

Privacy Notice Poster 

Your Information - what you need to know

How is my information shared

Your Information - what you need to know - Poster