About this privacy policy

Derbyshire Healthcare NHS Foundation Trust (the “Trust”) is committed to protecting the privacy of its users.

This privacy policy (the “Privacy Policy”) explains our policy regarding any personal data that you might supply to us (or that might be collected from you or received about you) when you visit our website or use certain services offered via the website (“Information”). The Information shall be used in accordance with the permissions granted by you and in accordance with GDPR and the Data Protection Act 2018.

Please note this Privacy Policy does not apply to your communications with any third party.

Coronavirus COVID-19 and Information sharing

Coronavirus has been added as a notifiable disease under the Health Protection (Notification) Regulations 2010. Therefore, there is now a duty on the Trust and its staff to notify suspected coronavirus cases to the ‘proper officer’ of the local authority for where the practitioner attended on the patient (i.e. the local health protection team).

In urgent cases, this may be made orally. In all cases a written notification must be made within three working days of the suspicion arising. This then triggers duties on the local authority to notify PHE and the local authority where the patient resides (if different).

As there is a legal obligation to make the notification, there is no need to obtain consent from the patient. However, where possible we will continue to use good practice and inform the patient that the notification is being made.

In this instance, the Trust will disclose the information under Article 9(2)(j) of GDPR (processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health), and confidential patient information can be lawfully disclosed in the public interest, without consent, where the benefits to an individual or to society outweigh both the patient’s and the public interest in keeping the information confidential.

The Trust may contact staff and service users with public health messages relating to Coronavirus by text, phone, letter or e-mail. The Information Commissioner's Office (ICO) does not class this contact as direct marketing, therefore we do not need your consent before contacting you. There is more information available here: 

Control of Patient Information (COPI)

The Secretary of State for Health and Social Care has issued health care organisations including Derbyshire Healthcare NHS Foundation Trust with a Notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) to share confidential patient information with organisations entitled to process this under COPI for COVID-19 purposes.

The COPI notice and more information are available here:

Coronavirus (COVID-19): notice under regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 – general - GOV.UK (www.gov.uk)

Without another legal basis, any information Derbyshire Healthcare NHS Foundation Trust processes using the COPI notice will stop once the COPI notice has been withdrawn. Please see below further examples of how information is processed within our Trust and the legal basis used.

Mandatory staff COVID vaccination

On 6 January 2022, the Government made new legislation, approved by Parliament, which amended the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 (“the 2014 Regulations”). This extends the scope of mandatory vaccination requirements for staff beyond registered care homes to health and wider social care settings in England. Individuals undertaking CQC regulated activities in England must be fully vaccinated against COVID-19 no later than 1 April 2022 to protect patients, regardless of their employer, including secondary and primary care. 

To monitor compliance with the regulations both now and as part of normal business, the Trust must collect information about vaccination status of eligible staff (including those that are being considered for employment) and/or any medical exemptions that might apply. 

Please download and read our Mandatory COVID Vaccination Privacy Statement for details of the information we must collect, and how that information will be processed and retained. 

Our privacy statement has been developed in line with the national documentation issued by NHS England, which can be found on the NHS England website.

Data processors

The Trust works with a number of authorised third-party partners, in order to deliver the services described on the Website and such authorised third-party partners are data processors (“Data Processors”) for the purposes of the Act.

Data controller

Derbyshire Healthcare NHS Foundation Trust is the data controller (“Data Controller”) for the purposes of the Act and can be contacted at Ashbourne Centre, Kingsway Site, Derby, DE22 3LZ.

The Trust is registered with the ICO:

  • Registration number: Z8416831
  • Date registered: 04 March 2004.

Our commitment to protecting your privacy

The Trust is committed to protecting your privacy. You can visit all pages on the website without asking for any information. 

We do not automatically store or collect any personal information about our visitors, neither do we store nor collect personal information from other sources, such as public records or private organisations.

We do collect information from the technology that is used to view our site which we use to analyse trends and administer the site. The data collected to enable us to do this is anonymous and does not identify you as an individual.

But sometimes the Trust does need Information to provide the services that you request. This document is designed to give you a clear explanation of the Trust’s data processing policies. Please see below for further information. If you have any questions or concerns relating to the Trust’s use of your Information and/or data protection, please contact the Data Controller at our registered office address above. 

By using the website you consent to Derbyshire Healthcare NHS Foundation Trust’s collection and use of your Information as described in this Privacy Policy. If we change this Privacy Policy we will post an updated version of this Privacy Policy on the website to keep you aware of what Information is collected, how it is used and under what circumstances we may disclose it.

Information collected

You may send us, or we may ask you, or we are sent via a third party or we may create the following Information:

  • Your full name;
  • Your address and postcode;
  • Your contact information (such as your email address, telephone number and mobile telephone number);
  • General information about yourself (such as your personal or professional interests, your experience of our services and products or other services and products and your contact preferences);
  • Photographic and/or video materials featuring your name and likeness that you may post to our website or social media;
  • In the event that you apply for a job with the Trust, we will require further professional Information about your by way of a job application or your Curriculum Vitae; and
  • Special category data which is more sensitive, and can include your health, ethnicity, religion, sexual orientation, disability and biometric data including images.

The Trust may also collect certain information about your computer hardware and software, this includes:

  • Your IP address;
  • Browser type;
  • Operating system;
  • Access times; and
  • Referring website addresses

The Trust may, in limited circumstances, disclose your Information to third parties. These third parties may be other health care providers who will assist with patient care;

  • In the event that you apply for a job with the Trust we may share your Information with third-party agents whom we use to assist us in the recruitment process; 
  • A third party or parties may be involved if the Trust is under a duty to disclose or share your Information to comply with any legal obligation or in order to enforce or apply the Trust’s terms and conditions and other agreements or protect the rights, property, or safety of our patients, staff, or others. This includes exchanging information with other companies and organisations for fraud protection.

How your Information is used

The Trust and/or our partners may use your Information in the following ways:

  • To provide a health care service where necessary including safeguarding;
  • To ensure that the content on our website is presented in the most effective manner for you and your computer;
  • To enable you to use the interactive features of our website;
  • To contact you as members or interested parties;
  • For our internal record keeping;
  • To contact you to answer any queries you may have;
  • In the event that you apply for a job with The Trust we will use any Information you submit by way of a job application or your Curriculum Vitae solely to assess your suitability for employment by us and to carry out any subsequent interview process. 

When your Information is used we will use one or more of the following legal bases:

Where you have provided consent

We may use and process your personal information where you have consented for us to do so for the following purpose:

  • to supply information about the Trust, its activities, reports and news.

Your data will not be passed, sold or given to any third parties for the purposes of marketing. You may withdraw your consent for us to use your information in any of these ways at any time. Please see the “Withdrawing your consent” section.

Where required to perform a CONTRACT with you

We may use and process your personal Information where it is necessary for the performance of a contract with you or in order to take steps at your request before entering into a contract with you including for the following purposes:

  • As members of staff;
  • As members of the Trust;
  • As contractors and sub-contractors

Where it is in your VITAL INTEREST

We may use your personal information without your consent if we otherwise reasonably believe that the processing of your personal information will prevent or reduce any potential harm to you. It is in your vital interests for us to use your personal information in this way.

Where required to comply with our LEGAL OBLIGATIONS

We will use your personal information to comply with our legal obligations including: (i) to assist HMRC, to prevent and detect fraud, to secure the effective and efficient delivery of NHS and related services, for benefits and tax administration and as part of an appeal. (ii) to identify you when you contact us; and (iii) to verify the accuracy of data that we hold about you.


The Trust will not be using legitimate interest as a basis for using your personal information.

As part of our PUBLIC TASK

We will use your personal information as necessary for the performance of a task carried out in the public interest and in the exercise of official authority. The Trust may also use your personal information to conduct research. The official authority is the Health and Social care (Community health and Standards) Act 2003. Your health data will be processed by the Trust using this legal basis. 

Special categories of personal data

Personal data concerning health is a special category of personal data. The Trust will use your personal data under a special part of the new law: Article 9(2)(h) which includes “medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems”.

The Trust will also use your personal information containing health for reasons including:

  • Waiting list management
  • Performance against national targets
  • Activity monitoring
  • Local clinical audit
  • Production of datasets for commissioning purposes and national collections
  • Responding to a public health emergency.

The Trust might also use special categories of personal information for research. This might include medical data, ethnicity, faith, gender and biometric information.  For this we will use part 9(2)(j) of the law which allows us to conduct proportionate research or statistical purposes.

When using your special categories of personal data we will use it in accordance with UK law and provide suitable and specific measures to safeguard your fundamental rights and interests.

Supporting direct care

We use your personal information to provide healthcare to you, and to help with that healthcare (for example, booking and managing your appointments). Your information may be used for clinical audit, where the team involved in your care will check the quality and results of the treatment provided. Your information may also be used to investigate incidents and complaints.

Supporting other medical uses

We may use information about you, and the healthcare that you have received, to improve the care that we provide to all patients. This includes medical research, monitoring and improving our services, and for medical purposes where we believe the public will benefit. We also take part in national schemes which collect data from NHS organisations all over the country. The department where you are being treated will give you information about any local or national schemes for the type of care that you are receiving. 

When information is shared outside the team that cared for you, we take out any details that would identify you, unless we have your permission or specific authority from the Secretary of State for Health or the Health Research Authority.

What is research and why is it important?

Without medical research there would be no new medicines or tests, improved treatments, or better ways of providing healthcare. Sometimes research takes place in the laboratory and sometimes we need you to get involved.
The aim of research is to:

  • develop new treatments and medicines
  • prevent illnesses
  • improve quality of life
  • improve our understanding of medical conditions
  • understand the emotional and physical support you need if you’re living with a medical condition.

There is also evidence to suggest that when healthcare organisations engage in research, it is likely to have a positive impact on their performance and patient outcomes. As such, the Trust is proud to be a research-active organisation and it is dedicated to supporting clinical research. Its staff may view health records in order to offer new research opportunities to patients and carers, to support the development of treatments and improve the way the Trust delivers healthcare.

This Trust only participates in research where there is an agreed, clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process, ethics committee approval and be in line with the principles of Article 89(1). Identifiable data will be shared with researchers either with explicit consent – Article 6.1(e) and 9(2)(h) – or, where the law allows, without consent – Articles 6.1(e) and 9(2)(j)  and 9(2)(h). For further information please see our Data Protection or Research parts of the website. 

Your data subject rights

You have a number of rights in relation to your personal information under data protection law. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within 30 days after we have received this information or, where no such information is required, after we have received your request.

Accessing your personal information

You have the right to ask for a copy of the information that we hold about you by emailing or writing to us at the address at the end of this policy. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.

Correcting and updating your personal information

The accuracy of your information is important to us and we are working on ways to make it easier for you to review and correct the information that we hold about you. 

In the meantime, if you change your name or address/email address, or you discover that any of the other information we hold is inaccurate or out of date, please let us know by contacting us in any of the contact details in this policy.

Please note that while The Trust will endeavour to make the updates as promptly as possible, communications may be sent using the original details until the changes have been processed.

Withdrawing your consent

Where we rely on your consent as the legal basis for processing your personal information, as set out under “How we use your personal information” in Section 4, you may withdraw your consent at any time by contacting us using the details at the end of this policy. If you would like to withdraw your consent to which you previously opted in, you can also do so by contacting us either by telephone, post or e-mail. If you withdraw your consent, our use of your personal information before you withdraw is still lawful.

Objecting to our use of your personal information and automated decisions made about you

Where we rely on our public task as the legal basis for processing your personal information for any purpose(s), as mentioned in the “How we use your personal information” section, you may object to us using your personal information for these purposes by emailing or writing to us at the address at the end of this policy. Except for the purposes for which we are sure we can continue to process your personal information, we will temporarily stop processing your personal information in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise we will provide you with our justification as to why we need to continue using your data.  Your right to object will not apply where the information is being used for research or statistical purposes. 
You may also contest a decision made about you based on automated processing by contacting the data protection department.

Erasing your personal information or restricting its processing

In certain circumstances, you may ask for your personal information to be removed from our systems by emailing or writing to us at the address at the end of this policy. Unless there is a reason that the law allows us to use your personal information for longer, we will make reasonable efforts to comply with your request.

You may also ask us to restrict processing your personal information in the following situations:

  • where you believe it is unlawful for us to do so;
  • where you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings.

In these situations, we may only process your personal information whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for your health, for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.

Transferring your personal information in a structured data file

Where we rely on your consent as the legal basis for processing your personal information or need to process it in connection with your contract, as set out under “How we use your personal information”, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly used and machine-readable form, such as a CSV file. 

You can ask us to send your personal information directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.

Marketing use

From time to time, and where you have given your permission to do so, the Trust may wish to contact you with information regarding other information about the Trust.

If you decide you do not want to receive those marketing communications, you can unsubscribe using the following methods: 

  • By writing to the Data Controller at our registered office address: Ashbourne Centre, Kingsway Site, Derby, DE22 3LZ 
  • On each marketing communication there will also be an opportunity for you to unsubscribe.

Our retention of your information 

The Trust follows the standard NHS approved procedure for records management which can be found on the NHS England website.

National data opt-out programme

Our organisation is currently compliant with the national data opt-out and is able to apply your choice to any confidential patient information it uses or shares for the purpose beyond your individual care. You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care. To find out more or to register your choice to opt out, please visit the NHS Your Data matters website.

On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can change your mind about your choice at any time. Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Storing your information

The Information that the Trust collects from you may be transferred to and stored at a destination outside the Trust by a third party. The Trust has taken all steps reasonably necessary to ensure this data is stored and processed in line with GDPR and this Privacy Policy.

Website security/cookies

Our website may contain links to other websites run by other organisations which we do not control. This policy does not apply to those other websites and apps‚ so we encourage you to read their privacy statements. We are not responsible for the privacy policies and practices of other websites and apps (even if you access them using links that we provide) and we provide links to those websites solely for your information and convenience. We specifically disclaim responsibility for their content, privacy practices and terms of use, and we make no endorsements, representations or promises about their accuracy, content or thoroughness. Your disclosure of personal information to third party websites is at your own risk.
In addition, if you linked to our website from a third party website, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party website and recommend that you check the policy of that third party website.


We use cookies on our Website for analysis and to help administer the site. The data collected to enable us to do this is anonymous and does not identify you as an individual.

Captcha cookies 

We use Google reCAPTCHA in order to verify whether or not you are a human when submitting data to the website. Most of the time, this will only be present on pages containing forms. 

Cookie Source Path Purpose Expiry
Google (www.google.com /recaptcha  Provides risk analysis to Google spam protection. 6 months


Reporting fraud

We are committed to ensuring your Information is secure. As part of our efforts to protect your Information, the Trust will never send you emails asking for your personal Information.

If you do receive such an email or are asked to disclose this information by someone claiming to work for The Trust please report the communication to our Data Controller using the following methods:

  • Using the ‘contact us’ page or
  • By writing to the Data Controller at our registered office address: Ashbourne Centre, Kingsway Site, Derby, DE22 3LZ

Changes to this policy

We may review this policy from time to time and any changes will be notified to you by posting an updated version on our website and/or by contacting you by email. Any changes will take effect 7 days after the date of our email or the date on which we post the modified terms on our website, whichever is the earlier. We recommend you regularly check for changes and review this policy when you visit our website. If you do not agree with any aspect of the updated policy, you must promptly notify us and cease using our services.

Requests for information or complaints

If you have any questions, suggestions or complaints about the processing of your personal information or wish to contact us to amend/update your information or if you wish to access the information we hold about you, please contact us using the details below:

Records Management Team IM&T and Records
East Wing Kingsway House
Kingsway Hospital
DE22 3LZ

Email: dhcft.accesstoahealthrecord@nhs.net

If you have any queries or concerns about how we use your information, please speak to the staff involved in your care. More detailed questions about how we use your information which cannot be discussed or resolved by a member of staff can be discussed with the Patient Experience Team on 01332 623751 or 0800 027 2128.

Our Trust Data Protection Officer can be contacted using details below:

IM&T & Records Department
Derbyshire Healthcare NHS Foundation Trust
Kingsway House East Wing Room 017 | Kingsway Hospital| DE22 3LZ
Telephone: (01332) 623700   Email: dhcft.dpo@nhs.net 

Complaining to the UK data protection regulator

You have the right to complain to the Information Commissioner’s Office (ICO) if you are concerned about the way we have processed your personal information. Please visit the ICO’s website for further details or use the contact details below. 
Information Commissioner’s Office
Wycliffe House
Email: www.ico.org.uk/global/contact-us/email 
Website: www.ico.org.uk/


The content of this website is the copyright of Derbyshire Healthcare NHS Foundation Trust unless stated otherwise.  You may only download material for your personal use, private study, research or in-house use.  You must not copy, distribute or publish any material from this website unless formal permission is obtained from the copyright holder. 


While we have tried to compile accurate information on this site – and to keep it updated – we cannot guarantee that it is 100% complete or correct.

The information provided on this site does not constitute professional advice and is subject to change.


Links from this website are only provided for your information and convenience. We cannot accept responsibility for the link sites available through this website or the information found on them.  A link does not imply we endorse a particular site.  Neither does not linking to a site imply lack of endorsement.

Please note that Derbyshire Healthcare NHS Foundation Trust is not responsible for the privacy policies of other websites. We advise you to read the privacy statements of other sites when you leave Derbyshire Healthcare NHS Foundation Trust webpages.


We cannot guarantee uninterrupted access to this website, or the sites it links to.  We cannot accept responsibility for any damages which arise from the loss of use of this information.

Privacy Statement 

Our privacy statement below discloses the privacy practices for this website.

Collection and use of information 

Derbyshire Healthcare NHS Foundation Trust does not collect or keep any personal information about site users as a matter of course.

We will only retain any personal information you provide via the website feedback forms to assist us with your enquiry or complaint. This information is treated confidentially – in the same way, as your medical records would be. The information you provide will only be shown to such of our employees who need it to deal with your comments or enquiry.

Any confidential information you provide to us is governed by our Data Protection Policy and codes of conduct.

Logged information 

We use records of the number of visitors our site has to analyse trends, or administer the site and to see what pages visitors use.  These records do not contain personal information.

Anonymous access

You can access and browse this site without disclosing your personal identifiable information.

We do not automatically store or collect any personal information about our visitors, neither do we store nor collect personal information from other sources, such as public records or private organisations.

We do collect information from the technology that is used to view our site which we use to analyse trends and administer the site. The data collected to enable us to do this is anonymous and does not identify you as an individual.

Computer viruses

Every reasonable effort has been made to ensure that the information held on this website is free from computer viruses or other contamination. However, it is recommended that content downloaded from this site is checked by your own anti-virus checking system prior to use.

Derbyshire Healthcare NHS Foundation Trust cannot accept liability for any damage caused to computer systems and/or data contained therein by any product, including viruses, in content downloaded from this website.

Notification of changes

Any changes to this disclaimer or the privacy statement below will be posted on our homepage so that our visitors are always aware of what information we collect and how we use it.