Skip to the content

Privacy Notice

What is a Privacy Notice?

This is the Privacy Notice (also known as a 'Fair Processing Notice') for the University Hospitals of North Midlands NHS Trust (sometimes referred to as the 'Trust' or 'UHNM'), it describes what we do with the personal information we collect about you.  It tells you:

  • What information we collect about you
  • Why we collect information about you
  • How we use your information
  • Who we may share your information with
  • How long we store your information

UHNM is a data controller which means that the Trust decides the purposes for which any personal information is used.

Privacy Notice

University Hospitals of North Midlands

To comply with the Data Protection Act 2018 and the Information Commissioner's registration requirements, the Trust has to provide information for staff and patients about how it manages and handles identifiable data.  The following pages provides more information and the Data Security & Protection team are available to answer any queries.  You can contact the team here -


The Trust also has an information leaflet which can be downloaded and kept as a reference guide - How We Use Your Personal Information.  We are able to provide this information verbally if requested, just contact the PALs team.


We are the University Hospitals of North Midlands and we are the data controller. Our address for communications is:

Royal Stoke University Hospital

Newcastle Road




Tel: 01782 715444


We are registered to process personal and sensitive information under the Data Protection Act 2018 - our registration number is Z7476085


Page version control - v1 - 10.7.20

Covid-19 – Notice under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002
In order to manage and mitigate the spread and impact of the current outbreak of Covid-19, the Secretary of State for Health and Social Care has directed NHS Digital to collect and analyse data from providers and other organisations involved in managing the COVID-19 response and to disseminate information and analysis to other bodies for the purpose of planning and managing the response.
Under Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 (COPI) organisations are required to process such confidential patient information:
Where the confidential patient information to be processed is required for a Covid-19 purpose and will be processed solely for that Covid-19 Purpose in accordance with Regulation 7 of COPI;
A Covid-19 Purpose includes but is not limited to the following:
understanding Covid-19 and risks to public health, trends in Covid-19 and such risks, and controlling and preventing the spread of Covid-19 and such risks;
identifying and understanding information about patients or potential patients with or at risk of Covid-19, information about incidents of patient exposure to Covid-19 and the management of patients with or at risk of Covid-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from Covid-19;
understanding information about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of Covid-19 and the availability and capacity of those services or that care;
monitoring and managing the response to Covid-19 by health and social care bodies and the Government including providing information to the public about Covid-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services;
delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with Covid-19, including the provision of information, fit notes and the provision of health care and adult social care services; and
research and planning in relation to Covid-19.
This notice is in place with immediate effect until 30th September 2020; this notice will be reviewed on or before 30 September 2020 and may be extended further.

A Supplementary Privacy Notice has been drafted to cover the fair processing of data (including staff data in respect of COVID-19 testing) during COVID-19 and it can be found here.


Page version control - v1 - 10.7.20

In order to process personal information the Trust needs to have a legal basis to do so.
The primary purpose for which the Trust processes personal information is in order to support its healthcare activities as set out in the National Health Service and Community Care Act 1990, this is the Trusts source of 'Official Authority'.
The basis for the Trust processing your information is described in Article 6 (lawfulness of processing) and Article 9 (processing of special categories of personal data) of the General Data Protection Regulation.
The legal basis for using your data is dependent upon what we need to do with it, these are the legal basis we can use:
  • Consent – We would obtain freely given, specific and informed consent to process your personal data for some purposes.  Where consent is the legal basis for processing, patients should be aware that they are able to withdraw that consent at any time
  • Contract – The processing is necessary for a contract we have with an individual, for example a member of staff
  • Legal Obligation – The processing is necessary for us to comply with the law
  • Vital Interest – The processing is necessary to protect someone's life
  • Public Task – The processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law
  • If there is a safeguarding concern then data may be shared
In general, however, for the purpose of providing you with healthcare, the Trust relies on
  • Article 6(1)(e) - processing is necessary for the purposes of a task carried out in the public interest or in the authority of official authority vested in the data controller
  • Article 9(2)(h) – processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment
Currently, the UK is experiencing a national emergency as a result of CoronaVirus or Covid-19.  As a health Trust we are required to provide information to the Government in relation to our patients and Covid-19.  We are allowed to do this legally as a result of Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 (COPI)
  • Where the confidential patient information to be processed is required for a Covid-19 purpose and will be processed solely for that Covid-19 Purpose in accordance with Regulation 7 of COPI;
Further information on this can be found on the Covid-19 details above.
Page version control - v1 - 10.7.20
Page Version Control - v1 - 10.7.20

Below are your rights as identified by the Data Protection Act 2018 in relation to the personal data that we hold.  If you wish to exercise any of these rights, please contact the Data Security & Protection Team at or by telephoning: 01782 676441.  The Trust will acknowledge your request within 2 days of receipt, explaining the process and projected timescale for completion.  We will keep you advised of any updates to this timescale, if required.

As data subjects (both patients and staff) you have the right to:


  • Access – You have the right to ask us for copies of the personal information we hold about you, details about how to do this are included in the section How to Access your Information.
  • Rectification – You have the right to ask us to correct any information you think is inaccurate or incomplete, this is subject to certain safeguards however, for more information please click here
  • Erasure – You have the right to ask us to erase your information in certain circumstances, for more information about this please click here
  • Restrict processing – You have the right to limit the way the Trust uses your personal data if you are concerned about the accuracy of the data or how it is being used where appropriate, for more information please click here
  • Object to processing – You have the right to object to the use of your information in some circumstances, for more information please click here
  • Data portability – You have the right to ask that we transfer any electronic information you have given us to another organisation, or give it to you on certain occasions.
  • Automated processing - You have the right NOT to be subject to decision-making on the basis of any automated processing.


Page Version Control - v1 - 10.7.20

The Trust has appointed a Data Protection Officer who is responsible for information and advising UHNM on data protection regulations and national law. The Data Protection Officer can be contacted by:


The Trust undertakes Data Protection Impact Assessments (DPIA) on any projects which require the use of identifiable information.

These are available to view via the Freedom of Information process by contacting

The Trust holds personal information on you in a variety of formats, including paper records, electronically, in video files and audio files. The personal information that the Trust may hold about you includes:

For Patients

  • Names, including preferred or maiden name
  • Address
  • Telephone number(s)
  • Date of birth
  • NHS number
  • Email address
  • Your next of kin contact details
  • GP details
  • Power of Attorney status
  • Financial details, where we provide healthcare to private patients
  • Visual images, personal appearance and behaviour, for example CCTV images, images captured from drones and body-worn cameras are used as part of building security
  • Whether you are subject to any protection orders regarding your health, well-being and human rights (safeguarding status)

Further data that we may collect which is called special category data because this is more sensitive information:

  • Healthcare records which includes:
    • Notes and reports about treatments and care
    • Details regarding any contact we have had through appointments, telephone calls and home visits
    • Details regarding medical conditions (physical and mental health)
    • Results of investigations, for example x-rays and laboratory tests
    • Future / current care needs
    • Details regarding agencies, healthcare professionals and relatives involved in your care
  • Religion
  • Racial or Ethnic origin
  • Sexual orientation
  • Genetic and biometric information
  • Sex life information

Information we hold and process for staff, volunteers, job applicants and others:

  • Employee details, job applicants, apprentices, complainants, enquirers, survey respondents, suppliers, professional experts, consultants, people captured in closed circuit television images
  • Information is also held on job applicants for the purposes of processing their application and ensuring equality and patient safety
  • Information on staff, volunteers and apprentices may be shared with third parties that provide services to the trust and in order to comply with statutory requirements and to facilitate the running of the Trust.
  • Staff, Volunteers and apprentices need to be aware however that their information will be processed as part of their contract / agreement with the Trust. This will be fully explained to you by The Human Resources team and / or your manager.
  • Staff, volunteers and job applicants should contact the Trust Human Resources department for further information on how their information is processed.
Page version control - v1 - 10.7.20

In order for us to give you the best possible care we collect personal and confidential information, this can come from your GP, referrals, healthcare professionals involved in your care and yourself. Your information may be used to:

  • Provide healthcare services and treatment
  • Provide chaplaincy and pastoral care services
  • Ensure that money is used properly to pay for the services it provides
  • Investigate complaints, legal claims or important incidents
  • Make sure services are planned to meet patients' needs in the future
  • Review the care given to make sure it is of highest possible standard
  • To manage specialised services
  • To improve the efficiency of our healthcare services by sharing information with other organisations (sometimes non-NHS/Social care) such as Age UK, Revival and/or Vast, for example, for a specific, justified purpose which is approved by UHNM's Caldicott Guardian
  • Check and report to our regulators on how well we are performing
  • Patient survey's for service improvements
  • Research (consent will always be sought to use your data for this purpose)
  • To manage service workload by e-mailing appointment reminders for example (where we have been provided with an e-mail address)

If you apply for a job or are employed with the Trust we will collect your personal information.


Page version control - v1 - 10.7.20

Your health records may be held in both paper and / or electronic format; we will keep your health records for specified periods of time, in accordance with the Records Management Code of Practice for Health and Social Care 2016.

Although there are exceptions and certain conditions affecting the length of time we will keep a health record, in general however, this means that we will keep an adult health record for 8 years after the last entry; we will keep a child's health record until the child reaches 26 years of age.  

Page version control - v1 - 10.7.20

We may share your personal information with other NHS organisations in order to provide you with the best possible healthcare, for example: other NHS Trusts, Ambulance Service, GPs, etc.
There may also be the need to share your information with non-NHS organisations that are involved in your care, for example: Social Services, Private Care Homes, Local Councils, Voluntary and Private Sector Providers, Charities, community pharmacies etc.
There are situations where the Trust has a duty to share your information due to a legal requirement. These situations include, but are not limited to:
  • Disclosure to the Police for the prevention and detection of crime
  • Prevention and detection of fraud
  • Disclosure under a Court Order
  • Disclosure & Barring Service – for employment/recruitment purposes
  • In the public interest to prevent abuse or serious harm to others
  • Our obligation under a Duty of Contract with:
    • Clinical Commissioning Groups
    • NHS Digital
    • Public Health England
    • Care Quality Commission
    • Third parties contracted via NHS England
    • Other Commissioning Support Providers
Any sharing of your personal information with other organisations is always governed by specific legislation and transferred in accordance with the requirements of the legislation and the NHS Confidentiality Code of Conduct. If you have any questions regarding the sharing of your data please contact
Due to the current restrictions on patient visiting as a result of the COVID-19 epidemic, we have put into place a process for patients' relatives to receive up to date information on their relatives and friends.
This involves the patient providing staff with a 'password' which friends and relatives can quote when ringing for updates.  Full information is provided to the patient on admission, alternatively patients can contact the PALs team - who will be able to provide further information.
Page version control - v1 - 10.7.20

Under the Data Protection Act 2018 and General Data Protection Regulation one of your rights is that you can make a request for a copy of all or a specific piece of information the Trust holds about you, how and why we process your information and who we share your information with.

For Data held in your health record

For data held in your health record you will need to make a formal request to the Health Records team, more information can be found on the Health Records page. For further information please see Access to Health Records Leaflet.pdf

The team can be contacted at the following email address:  

For Data held in your staff record

For your staff record you need to make your request to your Line Manager or contact the HR Department

For Data not in held in your health or staff record

Quite often, patients and staff members request personal data information (such as e-mails held on the Trust servers)  which do not form part of your health or staff record, for example, where this request is made as part of a Complaint or a general Subject Access request, the relevant team will liaise with the Information Security team.  Alternatively, a request can be made direct through the personal data request process by emailing


Page version control - v1 - 10.7.20

The Information Commissioners Office (ICO) is an independent body which regulates the Trust under Data Protection and Freedom of Information legislation.
The Trust is registered with the ICO and the registration number is: Z6476085
You can contact the ICO by:
Information Commissioner's Office
Wycliffe House
Water Lane
Cheshire, SK9 5AF
Telephone: 0303 123 1113
Changes to this Privacy Notice
We will keep this privacy notice under regular review. This notice was last updated on October 2019.
The Information Commissioner's Office has made a statement about their working arrangements as a result of the Coronovirus Epidemic.  You can read their updated information here.

Changes to this Privacy Notice

We will keep this privacy notice under regular review. This notice was last updated on October 2019.


Page version control - v1 - 10.7.20

How the NHS and care services use your information

University Hospitals of North Midlands (UHNM) is one of many organisations working in the health and care system to improve care for patients and the public). 

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn't needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit  On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at: (which covers health and care research); and (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. 


Page version control - v1 - 10.7.20

UHNM is working collaboratively with other partners in the region (GP Practices, Local Authorities, other Hospital Trusts (Acute, Community and Mental Health) as well as Commissioning Groups to create an integrated care record.

This will be a central repository of information that each organisation can access (for their own patients only) so that clinicians will have a complete picture of a patients' needs, medications etc.

More information on this initiative (which will be launched shortly) can be found by accessing the One Health and Care website by clicking the link on the right hand side of this page


Page version control - v1 - 10.7.20

In some circumstances it may be necessary to transfer your personal information overseas.  If this is required, information will only be shared within the European Economic Area (EEA) unless additional safeguards have been put in place to protect your information.

Any transfers that do take place will be made in full compliance with all aspects of Data Protection legislation and if this is to happen then you will be informed by the Trust beforehand.


Page version control - v1 - 10.7.20

The Trust makes use of CCTV systems, including body worn cameras and images captured from drones which are used as part of our building security for crime prevention in line with the Information Commissioners CCTV code of practice. You have a right of access if you wish to request your data captured on CCTV.​


Page version control - v1 - 10.7.20

If you have any questions about our privacy notice or information we hold about you please contact our Information Governance Team :

Email: or alternatively contact the Trusts Data Protection Officer at

If you would like to make a complaint about how your information is being used you can discuss your concerns with our Patient Advice and Liaison Service (PALS) (Email: or you can contact our complaints department (Email

The PALS offices are located at;

At Royal Stoke the PALS office is situated inside the main building entrance,  which is open 9:00am to 4:00pm Monday to Friday (excluding bank holidays).

At County Hospital the PALS office is situated inside the main entrance which is open 9:00am to 5:00pm Monday to Friday (excluding bank holidays).

The contact information for both office is below;

Royal Stoke Hospital Telephone: 01782 676450 / 01782 676455 / 676435

County Hospital Telephone: 08000 407060 / 08000 721 646

If you want to contact us in writing please use the below address;

Chief Executive OR Chief Nurse

University Hospitals of North Midlands

Trust Headquarters

Royal Stoke University Hospital

Newcastle Road

For further information please see the complaints leaflet.


The University Hospitals of North Midlands Trust is committed to the Freedom of Information Act 2000.


However, the NHS is facing unprecedented challenges relating to the coronavirus (COVID-19) pandemic at the current time.  Understandably, our resources have been diverted to support our front-line colleagues who are working tremendously hard to provide care for our patients, and to those in need of our services.


We strive to be transparent and to work with an open culture.  However, at this time whilst care of our patients and the safety of our staff takes precedent, it is likely that responses to some requests for information will be delayed.  We apologise for this position in advance and will endeavour to provide you with as much information as we can, as soon as we are able.


The Information Commissioner's Office has recognised the current situation in the NHS.


Page version Control - v1 - 10.7.20

The Trust will often engage with other organisations on projects which may involve sharing patient data.  Such sharing is always undertaken in a lawful way, according to the Data Protection Act (2018).  We include below links to the projects currently approved:


One Health & Care (an Integrated Care Record) -

Team Prevent (for staff Occupational Health) -

COVID-19 – Supplementary Privacy Notice -

Keele University -

Smart with your Heart (NHS Test Bed project for Heart Failure patients; Cardiac Re-hab patients and Community Heart patients):

Florence 'FLO' -

Recap Health - 


Fair Processing - Research 

Fair Processing Notice for Staff

Fair Processing Notice for Children

Page Version Control - v3 - 10.7.20

The Trust uses a number of different methods to communicate with our patients.  Usually we will write to you, however there may be occasions when we use alternative methods.  This could be for a variety of reasons including the need to make contact swiftly (for example if a clinic appointment needs to be re-scheduled).  We may use a text message, we may telephone you, we may send an e-mail, as part of the One Health and Care project (see information on this project above) we may send electronic appointment letters or, on occasions, we may contact you by video conferencing.  Patients should also be aware that during the current COVID-19 Pandemic, staff may be making contact whilst working remotely. 

All of these different ways of making contact have been reviewed by the Data Security & Protection team and the Trust can assure our patients that we only use the most secure methods and will make patients aware of the method being used before making contact.

If you have any questions about how we contact our patients, please contact that Data Security & Protection Team (

Page version control - v1 - 10.7.20

Your duty to inform us of changes

It is important that you keep us updated of any changes to your personal information to ensure that all the information we hold is accurate and current.​