George Eliot Hospital NHS Trust processes data in line with the UK General Data Protection Regulations and the Data Protection Act 2018.

This Privacy Notice is designed to explain how we collect, use, and safeguard your personal information in accordance with Data Protection law. Please read this notice carefully to understand our practices regarding your personal data and how we handle it.

Personal information such as:

  • Name
  • Address
  • Date of birth
  • NHS number
  • GP
  • Next of kin

We may collect sensitive personal data such as:

  • Racial or ethnic origin (for monitoring purposes)
  • Genetic data and biometric data (for health purposes)
  • Data concerning health (for health purposes)
  • Data concerning your sex life or sexual orientation (for health purposes (where appropriate) or monitoring purposes)

Contacts we have had with you such as:

  • clinic visits
  • hospital admissions notes
  • reports about your health
  • any treatment and care you need
  • Details and records about you such as:
  • the treatment and care you receive
  • results of investigations
  • x-rays
  • scans and laboratory tests
  • relevant information from other health professionals
  • relatives or those who care for you and know you well

Please note phone calls to and from the Trust may be recorded for monitoring and training purposes.

To provide your care.

The doctors and other health professionals caring for you need to keep records about your health and the treatments you have received from the NHS and other healthcare providers, to be able to provide you with the most effective care. It is in your interests as a patient for a full and complete record to be collected, so that we have accurate, up to date information about you.

To help run our hospitals and improve our service we may also need to use some information about you to:

  • manage the healthcare services we provide
  • help investigate any complaints, claims or incidents
  • match data under the National Fraud Initiative
  • help us to plan new services
  • help us keep track of spending on our services
  • prepare performance statistics for the Department of Health and other regulatory bodies
  • assist in clinical audits of the quality of our services

After you attend one of our hospitals you may receive a text message asking you to rate how happy you were with your visit. This is a national service called the Friends and Family Test, and it gives NHS users an opportunity to give feedback on their experience.

When you receive a Friends and Family Test message by text, you will have the option to opt out of any future messages from this service if you wish to do so.

The Trust must have a lawful basis for processing your personal data.

For the majority of personal data held, our lawful basis under GDPR is Article 6(1)(e): For the performance of a task carried out in the public interest or in the exercise of official authority.

If you are a patient we will also be processing your health data. This is classed as special category, sensitive data and we need an additional legal basis for processing health information.

This legal basis is Article 9(2)(h) ‘Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.’

In most cases you will be asked for consent to take part in any research project.  Any research project including personal identifiable information that does not seek consent will be approved by the NHS under section 251 approval.

The Trust may share anonymised data for research purposes with third parties.

The lawful basis for processing personal information is: 6(1)(a) the data subject has given consent to the processing of their personal data for one or more specific purposes. Or in cases where section 251 approval has been granted; 6(1)(e)  ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’ 

The lawful basis for processing personal data is: 9(2)(j) ‘…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or member State law which shall be proportionate…and provide for suitable  and specific measures to safeguard the fundamental rights and interests of the data subject …’

Other information:

A pre-condition of applying Article 9(2)(j) is that the processing has a basis in UK (or EU) law. This basis will include compliance with the common law duty of confidence, the provisions of DPA18 that relate to research, statistical purposes etc. and other relevant legislation, for example section 251 support.

Processing that is necessary for reasons of public interest in the area of public health, and is carried out (i) by or under the responsibility of a health professional, or (ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

The lawful basis for processing personal information is:  6(1)(c) ‘…necessary for compliance with a legal obligation…

The lawful basis for processing personal data is: 9(2)(j) ‘ …necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…

Other information:

Health Protection (Notification) Regulations 2010 Public Health (Control of Disease) Act 1984, as amended by the Health and Social Care Act 2008.

Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”. 

Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees. The purpose of the processing is to protect the child or vulnerable adult.

The lawful basis for processing personal information is:  6(1)(c) ‘…necessary for compliance with a legal obligation…

The lawful basis for processing personal data is: 9(2)(b) ‘ necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of protection law in so far as it is authorised by Union or Member State law..’

Other information:

  • This sharing is a legal and professional requirement and therefore there is no right to object.
  • The data will be shared with local safeguarding services.

We may record CCTV images of people entering, approaching, entering or passing our buildings to:

  1. help staff and visitors feel safer;
  2. act as a deterrent to offenders;
  3. allow the collection of evidence to help find and convict offenders.

Security staff may wear body worn cameras which can be activated to preserve evidence during incidents.

The lawful basis for processing personal information is:  6(1) (f) processing is necessary for the purposes of the legitimate interests pursued by a controller

CCTV data may be shared with third parties such as the police or courts where there is a legal basis to do so.

There may be rare occasions when the legal basis for processing your data is consent.

In order for the Trust to provide you with high quality health care services we are required to collect and use of your personal data. To support our clinical duties this data can sometimes be shared with relevant departments within the Trust, with other NHS organisations and authorities where required and, at times, it may also be used for training and auditing purposes.

We are committed to processing your personal data in accordance with the law.

The Trust is the Data Controller for any personal information you provide, if required, the Trust can provide you with information about why your personal data is being processed, how long the Trust will keep it for and who it may be shared with.

We may share information about you with the following agencies in order to support the delivery of your care:

  • Department of Health
  • Integrated Care Boards
  • Other providers involved in your care- such as hospitals
  • General Practitioners (GP’s)
  • Ambulance Service
  • Mental Health Services
  • Social services

We may also share your information, where there is a lawful basis to do so, with:

  • NHS England
  • Education services
  • Local authorities
  • Voluntary sector providers
  • Private sector organisations who are involved in your care

We may also share your information with others that need to use records about you to carry out the following:

  • Check the quality of treatment or advice we have given you;
  • Protect the health of the general public;
  • Manage the health service;
  • Help investigate any concerns or complaints you or your family have about your healthcare;
  • Carry out Research and Clinical Audits;
  • Conduct patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients.

We protect your information in the following ways:

Training - Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community.

Access controls - Any member of staff being given access to national systems holding patient information will need a special access card called a smartcard, along with a username and password. Many of our local systems also require smartcard access.

Audit trails - We keep a record in the newer electronic record systems of anyone who has accessed a health record or added notes to it. Some of the older computer systems only record who has amended a record.

Investigation - If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.

Records Management - All healthcare records are stored confidentially in a secure location.

Legislation - There are laws in place to protect your information, including the General Data Protection Regulation and the Human Rights Act 1998.

Caldicott Guardian - Within each NHS organisation there is a designated person named the ‘Caldicott Guardian’ whose responsibility it is to ensure that these laws are upheld. The Caldicott Guardian for the Trust is Dr Najam Rashid.

George Eliot Hospital NHS Trust is the Data Controller of data for the purposes of the DPA18 and GDPR.

The Trust has a Data Protection Officer (DPO), and if you have any concerns as to how your data is processed please contact the Data Protection Officer by email:

George Eliot Hospital NHS Trust is obliged to retain your data in accordance with the NHSX  Records Management Code of Practice 2021.

Under UK GDPR and the Data Protection Act you have a number of rights with regard to your personal data:

  • Right to request access to your information
  • Right to have incorrect information corrected
  • Right to data portability in some circumstances
  • Right to erasure in some circumstances
  • Right to limit the use of your data in some circumstances
  • Right to object to the use of your data in some circumstances
  • Rights in relation to automated decisions

The Information Commissioner’s Office has further information on your rights.

If you want to access copies of information about you held by the Trust, including your health record, please read the following information.

The definition of a health record is any record of information relating to someone's physical or mental health that has been made by (or on behalf of) a health professional.

Therefore, when you request copies of your health record please submit a single request and detail the specific health information you believe is held by an acute or secondary care service belonging to George Eliot Hospital NHS Trust.

Providing specific information such as dates, service attended and health professionals seen by you will ensure the Access to Health Records Team (AHR team) are able to deal with your request efficiently.

Please do not submit separate requests simultaneously. Simply state all of the information you require on one request form.

Details of how to make a request can be found here: Access to health records


Making a Request

These forms are not compulsory. You can submit your request in writing to the above address. However, the Trust has provided the forms for your convenience and advises forms will prevent delays in processing the request.

If you are unhappy with the way in which your personal data has been processed you may in the first instance contact the Data Protection Officer via

If you remain dissatisfied then you have the right to apply directly to the Information Commissioner’s Office for a decision. The Information Commissioner’s Office  can be contacted at: -

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or via their website.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care providing research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out visit

You can also find out more about how patient information is used at: (which covers health and care research); and (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

George Eliot Hospital NHS Trust works with other health and social care organisations to share information that form part of your Integrated Care Record. The Integrated Care Record allows health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you. Information we hold about you will be available, to read only, to other health and care professionals in Coventry and Warwickshire, Birmingham and Solihull, and Herefordshire and Worcestershire when they are involved in your health or social care.

More information about the Coventry and Warwickshire ICR  is available on the website.