A privacy notice is a statement by the Trust to patients, service users, visitors, carers, the public and staff that describes how we collect, use, retain and disclose personal information which we hold. It is sometimes also referred to as a Privacy Statement, Fair Processing Statement or Privacy Policy. This notice is part of our commitment to ensure that we process your personal information/data fairly and lawfully.


In the NHS we aim to provide you with the highest quality health care. To do this we must keep records about you, your health and the care we have provided or plan to provide to you.

This Privacy Notice tells you about the information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.  It also explains the choices you can make about the way in which your information is used and how you can opt-out of any sharing arrangements that may be in place.

Data processors

The Trust works with a number of authorised third-party partners, in order to deliver the services described on the Website and such authorised third-party partners are data processors (“Data Processors”) for the purposes of the Act.

Data controller

Derbyshire Healthcare NHS Foundation Trust is the data controller (“Data Controller”) for the purposes of the Act and can be contacted at Ashbourne Centre, Kingsway site, Derby DE22 3LZ.

The Trust is registered with the ICO:

  • Registration number: Z8416831
  • Date registered: 04 March 2004.

Information collected

You may send us, or we may ask you, or we are sent via a third party or we may create the following Information:

  • Your full name;
  • Your address and postcode;
  • Your contact information (such as your email address, telephone number and mobile telephone number);
  • General information about yourself (such as your personal or professional interests, your experience of our services and products or other services and products and your contact preferences);
  • Photographic and/or video materials featuring your name and likeness that you may post to our website or social media;
  • In the event that you apply for a job with the Trust, we will require further professional Information about your by way of a job application or your Curriculum Vitae; and
  • Special category data which is more sensitive, and can include your health, ethnicity, religion, sexual orientation, disability and biometric data including images.

The Trust may also collect certain information about your computer hardware and software, this includes:

  • Your IP address;
  • Browser type;
  • Operating system;
  • Access times; and
  • Referring website addresses.

Your health care record is used to ensure that:

  • health care professionals looking after you have accurate and up-to-date information about you to help them decide on any care you may require
  • full information is available should you see another doctor or be referred to a specialist or another part of the NHS
  • there is a good basis for assessing the type and quality of care you have received. This will lead to better care both for you and for other patients in the future
  • your concerns can be properly investigated if you need to complain.

How your records are used to help the NHS

Your records may be used for:

  • paying your GP or hospital for the care you have received
  • the audit of NHS accounts, Service Evaluation and Clinical Audit of the quality of services provided
  • reporting and investigating complaints, claims and untoward incidents
  • planning services to ensure we meet the needs of our population in the future
  • preparing statistics on our performance for the Department of Health
  • reviewing our care to make sure that it is of the highest standard
  • teaching and training health care professionals
  • conducting health research and development – please see ‘Research’ below.

Records will be kept in line with the Department of Health Records Management Code of Practice which determines the minimum length of time that records should be kept for.

SMS messages

SMS messages may be used by services for purposes directly relating to a patient’s care, for example:

  • To send appointment confirmations and reminders
  • For the sending of links to documents for completion by the patient (e.g. using SystmOne Communications Annexe)
  • For sending links to websites for further information about the service or patient self-care
  • For sending the ‘Friends and Family’ SMS messages to receive feedback on the service received.

If you do not want to receive SMS messages then please let the service know and they will ensure your record is updated accordingly.

How we use your information – legal aspects

Under the General Data Protection Regulations (GDPR), all organisations must ensure they have a clear legal basis for processing information.

When your information is used for your care and administrative purposes related to your care, we rely on Article 6(1)e and Article 9(2)h of the GDPR.

For research, in most instances we will rely on Article 6(1)e and Article 9(2)j of the GDPR if and when we use your information for research. If you have formally consented to take part in research, this will satisfy the common law duty of confidentiality. Where it has been impracticable to obtain your consent we will seek approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.

For secondary (indirect care) purposes, when there is a legal requirement that we provide specified data to NHS Digital for example, we rely on Article 6(1)c of the GDPR. In cases where the common duty of confidentiality cannot be satisfied through consent, we seek approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.

Your information rights

  • You have the right to know how we will use your personal information;
  • You have the right to see your health record – see the section on 'requesting a copy of your records', below;
  • You have the right to object to us making use of your information other than for your care;
  • You can ask us to change or restrict the way we use your information and we have to agree if possible;
  • You have the right to ask for the information we hold about you to be corrected or erased if it is incorrect.

If you object to how we are using your information, or wish us to restrict, erase or correct it, please first discuss this with the staff providing your care. You can also contact our Data Security and Protection team by emailing: dhcft.datasecurityandprotection@nhs.net

How we keep your information secure

Whenever information is used for your care, it will be handled in the strictest confidence. Derbyshire Healthcare NHS Foundation Trust (DHCFT) will:

  • only use the minimum amount of information necessary for the purpose.  Where possible, we will use information that does not identify you
  • ensure that anyone receiving information about you is under an obligation to keep it confidential and to only use the information for the specified purpose
  • have secure systems in place to help prevent unauthorised access to patient information
  • have audit trails available on electronic systems to ensure we can identify who has accessed your record.

We are committed to protecting your privacy and will only process personal confidential data in accordance with the General Data Protection Regulation (GDPR), UK Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998. 

DHCFT is a Data Controller under the terms of the General Data Protection Regulations (GDPR). We are legally responsible for ensuring that all personal confidential data that we collect and use i.e. hold, obtain, record, use or share about you is done in compliance with the Data Protection Principles.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

Sharing your information

If you receive care from other organisations, such as Social Care or voluntary healthcare providers, there may be a need to share information about you so that everyone involved in your care can work together for your benefit. Information about you will only be used or passed on to others involved in your care.

DHCFT works in partnership with a number of NHS and Non-NHS organisations across Derbyshire to deliver joined up integrated services to users. DHCFT is part of the Derbyshire Partnership Forum and is signed up to their overarching Information Sharing Protocol which is available on their website.

To ensure you receive safe and effective care, information about your health and treatment will be shared with other organisations caring for you. Information will only be shared for the purpose of direct care and will only be viewed by individuals who are directly involved in your care. In order to support the sharing of information to provide you with the best treatment, Derbyshire health and social care organisations, including DHCFT, have developed the Derbyshire Shared Care Record. More information can be found on the Joined Up Care Derbyshire website.

Organisations providing care are increasingly working together to ensure patients receive the most appropriate treatment at the earliest opportunity. In order to support this, we may share your information with, or receive information from, another organisation in order to determine if you can receive treatment more quickly. Please be assured that this information is being shared for direct care purposes only and all organisations will treat your information confidentially.

If you do not want your health record to be shared with other services involved in your care, please ensure you inform the service(s) caring for you. You can choose to exclude parts of your record from being shared, or you can opt out of sharing your record altogether. You can also change your mind at any time about whether you wish to share your record.

If you ask us not to share information about you with another person or organisation, we will respect your wishes unless there are exceptional circumstances. Not sharing information may mean that we have to alter the level of care we provide to you but this will be explained. The final decision will normally rest with you.

There are exceptional circumstances where information about you will be shared, even if you do not give us permission to do so. These are where information is shared for legal reasons or in the public interest. Circumstances where information may be shared without your permission include:

  • Where it is required by law, for example the notification of births, deaths and some infectious diseases;
  • Where a court order has been issued requesting the information;
  • Where there is a serious risk of harm to you or other individuals;
  • Where a child is believed to be at risk of harm (Children’s Act 1989);
  • Where information is required for the prevention, detection or prosecution of a serious crime;
  • Where information you have supplied to us is about a serious crime that has been committed, such as murder, manslaughter, rape, treason or kidnapping (Police and Criminal Evidence Act 1984);
  • Where information you have supplied to us is about suspected terrorism (Anti-terrorism, Crime and Security Act 2001 and Terrorism Act 2000);
  • Where the disclosure is necessary in any legal proceedings.

Use of patient data to improve NHS services

DHCFT, like all NHS organisations, uses information about your care in order to review the quality of care. This enables us to be sure that standards are being met and helps us to improve the quality of care that we provide.  This activity is carried out by clinical teams and may also involve Service Evaluation and Clinical Audit / other non-clinical Trust staff who are experts in data collection. The Trust oversees all of this activity through its authorisation processes. Our Caldicott Guardian is responsible for keeping the confidentiality of patient information safe. No patients can ever be identified in any subsequent reporting of results, unless we have previously asked and got your permission.

If you do not want your records or data to be used for Service Evaluation and Clinical Audit, please inform the service(s) caring for you.


All NHS organisations are expected to participate and support health and care research. The Health Research Authority sets standards for NHS organisations to make sure they protect your privacy and comply with the law when they are involved in research.

DHCFT has a research innovation group dedicated to ensuring we apply the strictest governance around your information in relation to research.

Wherever possible, DHCFT will use information that does not identify individuals. Where identifiable information is required, DHCFT will always gain your consent before using your information for research purposes. A member of your care team may review your care records to determine if you are suitable to take part in a research study, before contacting you for your consent to take part in the research.

Further information for patients on health research can be found on the Health Research Authority website. Here, you can also find more information on Data Protection in relation to research.

National Data Opt Out

DHCFT is compliant with the national data opt-out policy. Visit the NHS England Digital website to find out more about the National Data Opt Out.

Requesting a copy of your records

You have the right to ask for a copy of all records about you under the General Data Protection Regulations:

  • DHCFT will provide a copy of the information free of charge. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
  • DHCFT may also charge a reasonable fee to comply with requests for further copies of the same information.
  • We must comply with your request within one month of receipt. However, we may extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform you within one month of the receipt of the request and explain why the extension is necessary.

Reporting fraud

We are committed to ensuring your Information is secure. As part of our efforts to protect your Information, the Trust will never send you emails asking for your personal Information.

If you do receive such an email or are asked to disclose this information by someone claiming to work for The Trust please report the communication to our Data Controller using the following methods:

  • Using the ‘contact us’ page or
  • By writing to the Data Controller at our registered office address: Ashbourne Centre, Kingsway Site, Derby, DE22 3LZ.

Changes to this policy

We may review this policy from time to time and any changes will be notified to you by posting an updated version on our website and/or by contacting you by email. Any changes will take effect 7 days after the date of our email or the date on which we post the modified terms on our website, whichever is the earlier. We recommend you regularly check for changes and review this policy when you visit our website. If you do not agree with any aspect of the updated policy, you must promptly notify us and cease using our services.

Requests for information or complaints

If you have any questions, suggestions or complaints about the processing of your personal information or wish to contact us to amend/update your information or if you wish to access the information we hold about you, please contact us using the details below:

Records Management Team IM&T and Records
East Wing Kingsway House
Kingsway Hospital
Derby DE22 3LZ

Email: dhcft.accesstoahealthrecord@nhs.net

If you have any queries or concerns about how we use your information, please speak to the staff involved in your care. More detailed questions about how we use your information which cannot be discussed or resolved by a member of staff can be discussed with the Patient Experience Team on 01332 623751 or 0800 027 2128.

Our Trust Data Protection Officer is Alex Rose and can be contacted using details below:

IM&T & Records Department
Derbyshire Healthcare NHS Foundation Trust
Kingsway House East Wing Room 017, 
Kingsway Hospital 
Derby DE22 3LZ

Telephone: 01332 623700  
Email: dhcft.dpo@nhs.net 

Complaining to the UK data protection regulator

You have the right to complain to the Information Commissioner’s Office (ICO) if you are concerned about the way we have processed your personal information. Please visit the ICO’s website for further details or use the contact details below. 

Information Commissioner’s Office
Wycliffe House

ICO contact information
Website: www.ico.org.uk


The content of this website is the copyright of Derbyshire Healthcare NHS Foundation Trust unless stated otherwise.  You may only download material for your personal use, private study, research or in-house use.  You must not copy, distribute or publish any material from this website unless formal permission is obtained from the copyright holder. 


While we have tried to compile accurate information on this site – and to keep it updated – we cannot guarantee that it is 100% complete or correct.

The information provided on this site does not constitute professional advice and is subject to change.


Links from this website are only provided for your information and convenience. We cannot accept responsibility for the link sites available through this website or the information found on them.  A link does not imply we endorse a particular site.  Neither does not linking to a site imply lack of endorsement.

Please note that Derbyshire Healthcare NHS Foundation Trust is not responsible for the privacy policies of other websites. We advise you to read the privacy statements of other sites when you leave Derbyshire Healthcare NHS Foundation Trust webpages.


We cannot guarantee uninterrupted access to this website, or the sites it links to.  We cannot accept responsibility for any damages which arise from the loss of use of this information.

Privacy statement 

Our privacy statement above discloses the privacy practices for this website.

Collection and use of information 

Derbyshire Healthcare NHS Foundation Trust does not collect or keep any personal information about site users as a matter of course.

We will only retain any personal information you provide via the website feedback forms to assist us with your enquiry or complaint. This information is treated confidentially – in the same way, as your medical records would be. The information you provide will only be shown to such of our employees who need it to deal with your comments or enquiry.

Any confidential information you provide to us is governed by our Data Protection Policy and codes of conduct.

Logged information 

We use records of the number of visitors our site has to analyse trends, or administer the site and to see what pages visitors use.  These records do not contain personal information.

Anonymous access

You can access and browse this site without disclosing your personal identifiable information.

We do not automatically store or collect any personal information about our visitors, neither do we store nor collect personal information from other sources, such as public records or private organisations.

We do collect information from the technology that is used to view our site which we use to analyse trends and administer the site. The data collected to enable us to do this is anonymous and does not identify you as an individual.

Computer viruses

Every reasonable effort has been made to ensure that the information held on this website is free from computer viruses or other contamination. However, it is recommended that content downloaded from this site is checked by your own anti-virus checking system prior to use.

Derbyshire Healthcare NHS Foundation Trust cannot accept liability for any damage caused to computer systems and/or data contained therein by any product, including viruses, in content downloaded from this website.

Website security/cookies

Our website may contain links to other websites run by other organisations which we do not control. This policy does not apply to those other websites and apps‚ so we encourage you to read their privacy statements. We are not responsible for the privacy policies and practices of other websites and apps (even if you access them using links that we provide) and we provide links to those websites solely for your information and convenience. We specifically disclaim responsibility for their content, privacy practices and terms of use, and we make no endorsements, representations or promises about their accuracy, content or thoroughness. Your disclosure of personal information to third party websites is at your own risk.

In addition, if you linked to our website from a third party website, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party website and recommend that you check the policy of that third party website.


We use cookies on our website for analysis and to help administer the site. The data collected to enable us to do this is anonymous and does not identify you as an individual.

Captcha cookies 

We use Google reCAPTCHA in order to verify whether or not you are a human when submitting data to the website. Most of the time, this will only be present on pages containing forms. 

Cookie Source Path Purpose Expiry
Google (www.google.com /recaptcha  Provides risk analysis to Google spam protection. 6 months

Notification of changes

Any changes to this disclaimer or the privacy statement below will be posted on our homepage so that our visitors are always aware of what information we collect and how we use it.