George Eliot Hospital NHS Trust processes data in line with the UK General Data Protection Regulations and the Data Protection Act 2018.

This Privacy Notice is designed to explain how we collect, use, and safeguard your personal information in accordance with Data Protection law. Please read this notice carefully to understand our practices regarding your personal data and how we handle it.

ICO Registration Number: Z7279219

George Eliot Hospital NHS Trust (GEH) is the Data Controller [and Data Processor] of data for the purposes of the DPA18 and GDPR. 

GEH as the Data Controller is committed to protecting the rights of individuals in line with the Data Protection Act 1998 (DPA) and the new General Data Protection Regulation (GDPR).

George Eliot Hospital has a Data Protection Officer (DPO) and if you have any concerns as to how your data is processed please contact the Data Protection Officer by email:

Information Commissioner
Information Commissioner Advice about GDPR
GDPR Individual Rights

Personal information such as:

  1. Name
  2. Address
  3. Date of birth
  4. NHS number
  5. GP
  6. Next of kin

We may collect sensitive personal data such as: 

  1. Racial or ethnic origin (for monitoring purposes)
  2. Genetic data and biometric data (for health purposes)
  3. Data concerning health (for health purposes)
  4. Data concerning your sex life or sexual orientation (for health purposes (where appropriate) or monitoring purposes)

Contacts we have had with you such as:

  1. clinic visits
  2. hospital admissions notes
  3. reports about your health
  4. any treatment and care you need

Details and records about you such as:

  1. the treatment and care you receive
  2. results of investigations
  3. x-rays
  4. scans and laboratory tests
  5. relevant information from other health professionals
  6. relatives or those who care for you and know you well

Please note phone calls to and from the Trust may be recorded for monitoring and training purposes.

To provide your care.

The doctors and other health professionals caring for you need to keep records about your health and the treatments you have received from the NHS and other healthcare providers, to be able to provide you with the most effective care. It is in your interests as a patient for a full and complete record to be collected, so that we have accurate, up to date information about you.

To help run our hospitals and improve our service

We may also need to use some information about you to:

  • manage the healthcare services we provide
  • help investigate any complaints, claims or incidents
  • match data under the National Fraud Initiative
  • help us to plan new services
  • help us keep track of spending on our services
  • prepare performance statistics for the Department of Health and other regulatory bodies
  • assist in clinical audits of the quality of our services

After you attend one of our hospitals you may receive a text message asking you to rate how happy you were with your visit. This is a national service called the Friends and Family Test, and it gives NHS users an opportunity to give feedback on their experience.

When you receive a Friends and Family Test message by text, you will have the option to opt out of any future messages from this service if you wish to do so.

George Eliot Hospital NHS Trust is one of many organisations working in the health and care system to improve care for patients and the public. 

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit  On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at: (which covers health and care research); and (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is compliant with the national data opt-out policy.

The Trust must have a lawful basis for processing your personal data.

For the majority of personal data held, our lawful basis under GDPR is Article 6(1)(e): For the performance of a task carried out in the public interest or in the exercise of official authority.

If you are a patient we will also be processing your health data. This is classed as special category, sensitive data and we need an additional legal basis for processing health information.

This legal basis is Article 9(2)(h) ‘Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.’

Integrated Care Record

George Eliot Hospital NHS Trust works with other health and social care organisations to share information that will form part of your Integrated Care Record. The Integrated Care Record allows health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you. Information we hold about you will be available, to read only, to other health and care professionals in Coventry and Warwickshire, Birmingham and Solihull, and Herefordshire and Worcestershire when they are involved in your health or social care.

For more information on how your data is used on the Integrated Care Record and how to exercise your rights please see the full Privacy Notice or copy and paste this link

Who do we share information with?

We will share information with the following main partner organisations:

  • Other NHS Trusts, Hospitals that are involved in your care
  • Clinical Commissioning Groups and other NHS Bodies
  • General Practitioners (GPs)
  • Ambulance Trusts

Sharing with non-NHS organisations

For your benefit, we may also need to share information from your records with non-NHS organisations who are providing you with care or other services, such as social services or private healthcare organisations.

We may also be asked to share basic information about you, such as your name and parts of your address, which does not include special category information from your health records. Generally, we would only do this to assist another organisation to carry out their statutory duties (such as usages of healthcare services, public health or national audits).

Non-NHS organisations may include, but are not restricted to:

  • social services,
  • education services,
  • local authorities,
  • the police,
  • voluntary sector providers and
  • private sector providers.

Where do we obtain your information from?

The Trust will collect data about you in a number of ways. The main method of collection is from you directly. The Trust also receives information from other NHS bodies and services.

Transfers outside the European Economic Area

The Trust will ensure that personal confidential data, even if it would constitute fair processing, will not, unless certain exemptions apply or protective measures are taken, be disclosed or transferred outside the European Economic Area to a country or territory which does not ensure an adequate level of protection for the rights and freedoms of data subjects.

We protect your information in the following ways:


Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community. Staff must undertake annual mandatory training in information governance and data security awareness.

DSP Toolkit

All NHS Trusts are required to complete an annual assessment of compliance with Data Protection and Security. Details of the assessments can be found here.

Access controls

Any member of staff being given access to national systems holding patient information will need a special access card called a smartcard, along with a username and password. Many of our local systems also require smartcard access.

Audit trails

We keep a record in the newer electronic record systems of anyone who has accessed a health record or added notes to it. Some of the older computer systems only record who has amended a record.


If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.

Records Management

All healthcare records are stored confidentially in a secure location.

Caldicott Guardian

Within each NHS organisation there is a designated person named the ‘Caldicott Guardian’ whose responsibility it is to ensure that these laws are upheld. The Caldicott Guardian for the George Eliot Hospital NHS Trust is Dr Catherine Free.

Records are retained in accordance with national guidance from the Department of Health and Social Care and the Records Management Code of Practice for Health and Social Care 2016. Records including confidential information are securely destroyed in line with this code of practice.

The Trust does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.

We aim to meet the highest standards when collecting and using personal information. We encourage people to bring concerns to our attention and we take any complaints we receive very seriously. You can submit a complaint through the Trust’s Complaints Procedure, which is available on our web site, or you can write to:

Data Protection Officer
George Eliot Hospital
College Street
CV10 7DJ


If you remain dissatisfied with the Trust’s decision following your complaint, you may wish to contact:

Information Commissioner’s Office
Wycliffe House
Water Lane

Their web site is at


Under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:

a) Processed lawfully, fairly and in a transparent manner in relation to individuals;

b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


Personal Data

"Personal data" means information relating to a natural (living) person or "data subject", which can be used to identify the person. This provides for a wide range of information to constitute personal data, for example:

  • name
  • identification number
  • social media posts
  • location data
  • online identifier

Special category of personal data

"Special category of personal data" means information which is thought to be "extra sensitive" such as ethnicity, sexual orientation and religion.

Data controller

"Data controller" means the organisation that determines or decides the purposes, conditions and means of the processing of personal data.


"Processing" means anything that is done to the personal data we hold.


"Pseudonymisation" is the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information.

Special Categories

What's new?

Special category data is broadly similar to the concept of sensitive personal data under the 1998 Data Protection Act. The requirement to identify a specific condition for processing this type of data is also very similar.

One change is that the GDPR includes genetic data and some biometric data in the definition. Another is that it does not include personal data relating to criminal offences and convictions, as there are separate and specific safeguards for this type of data within GDPR.

What’s different about special category data?

Special category data is personal data which the GDPR says is more sensitive, and so needs more protection. In order to lawfully process special category data, both a lawful basis and a separate condition for processing special category data must be identified. These do not have to be linked.

This is because special category data is more sensitive, and so needs more protection. Examples include information about an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation. In particular, this type of data could create more significant risks to a person’s fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination.

What are the conditions for processing special category data?

There are ten conditions for processing special category data in the GDPR itself, but the Data Protection Bill will introduce additional conditions and safeguards.

The condition for processing special category data must be determined before you begin this processing under the GDPR and you should document it.

(a) the data subject has given explicit consent to the processing of their personal data for one or more specified purposes;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services with a health professional;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Special categories of data:

  • Racial/Ethnic origin
  • Political opinions
  • Religious/philosophical beliefs
  • Health
  • Trade Union
  • Genetic or biometric data
  • Sex life/Sexual orientation