
Your information, your rights

Your information

You have rights relating to the information that is recorded and held about you. These rights are protected by the Data Protection Act (2018) (DPA) and General Data Protection Regulation (2016) (GDPR).

As a healthcare provider we may collect information regarding your contact with our services. This information about your physical and/or mental health is part of your health record.

Data Protection Act (2018) (DPA) and General Data Protection Regulation (2016) (GDPR)

Under the GDPR, we have a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it. More detail about how we collect, process, transfer and store your data can be found in our privacy notices below.

Our Information Governance team have created this page to provide you with information as to why Rotherham, Doncaster and South Humber NHS Foundation Trust collects information about you and how we will use this information; as well as how you are able to access your personal health record under a subject access request.

See how this trust has ensured compliance with the law and what we plan to do to ensure continuous compliance.

What are my rights in relation to my data?

Under the Data Protection Act (2018) and General Data Protection Regulation, you have specific rights in relation to your data; you can make these requests at any time. Your rights are as follows:

Right to be informed

Rotherham, Doncaster and South Humber NHS Foundation Trust (RDaSH) has a duty to provide you with information in relation to how your personal and special category data (more sensitive personal data) is collected, stored and processed. This is provided within our privacy notice on this page.

Right of access to information or subject access

You can request a copy of the information RDaSH holds about you by emailing the IG team at

This information is ordinarily available to you free of charge once you provide appropriate ID. However, we can make a charge for this service, but only if the request is deemed ‘manifestly unfounded or excessively repetitive’.

We have 30 calendar days to respond to your request. In certain circumstances we may not be able to respond within this time scale; however, we will write to you and inform you of this as soon as possible.

Right to rectification and erasure

You have the right to request the rectification of inaccurate personal data and the right to request the erasure of your personal data. However, the rights to rectification and erasure are not absolute rights and it may be necessary for RDaSH to continue to process your personal data for lawful and legitimate reasons. If you wish to make such a request, please contact

Right to object to, or restrict processing

You have the right in certain circumstances to ask RDaSH to stop processing your personal data. You can also request not to receive information from the trust. However, the right to object to, or restrict processing is not an absolute right and it may be necessary in certain circumstances for RDaSH to continue to process your personal data for lawful and legitimate reasons.

If you wish to object to your information being processed, to receiving information from the trust, or wish to have information rectified or erased, please send your request in writing via email to

Rights in relation to automated decision making and profiling

RDaSH does not use your information to make automated decisions about you, nor to undertake profiling.

Right to data portability

You have the right to get your personal data from an organisation in a way that is accessible and machine-readable, for example as a secure file to be exchanged via e-mail, or an encrypted CD-ROM.

You also have the right to ask an organisation to transfer your data to another organisation. They must do this if the transfer is, as the regulation says, “technically feasible”. Within RDaSH, as well as probably other NHS organisations, this is known as a continuation of care.

Who do I contact if I have any concerns about my data?

To safeguard your information and to support your rights, RDaSH has appointed a data protection officer (DPO). The role of the DPO is to monitor internal compliance with data protection legislation and inform and advise staff, patients, carers and the public in relation to data protection.

The DPO can be contacted at

If you have a concern about any aspect of your care or treatment at this hospital or about the way your records have been managed, you can also contact the following:

For concerns related to mental or physical health services:

Patient advice and liaison service (PALS)

Rotherham Doncaster and South Humber NHS Foundation trust
Woodfield House
Tickhill Road Site
Tickhill Road

Alternatively, if you have a complaint about our processing of your personal data:

The office of the information commissioner
Wycliffe House
Water Lane


Below are some useful definitions:

Data controller

The organisation which determines the processing of personal data. The data controller is the legally responsible organisation.

Data processor

An organisation which the data controller appoints to provide a service on its behalf. The data processor must follow the legal instruction of the controller.

Data subject

The individual whom the personal data is about. The individual must be identifiable from the data.

Data protection officer

The person appointed by the data controller as the single point of contact for data protection enquiries. The data protection officer acts independently and monitors compliance with data protection obligations.

Data processing

The activities which relate to personal data. Data processing includes:

  • obtaining, recording or holding the information
  • organisation, adaption or alteration
  • retrieval, consultation or use
  • disclosure by transmission, dissemination or otherwise making available
  • alignment, combination, blocking, erasure or destruction of the information or data

Information Commissioner's Office (ICO)

The regulator of information rights in the United Kingdom. More information can be found on the ICO website.

Personal data

Data which relates to an individual and enables them to be identified.

Special category data

This personal data is more sensitive, and so needs more protection, for example:

  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics (where used for ID purposes)
  • health
  • sex life
  • sexual orientation

Privacy notices

Below is a list of privacy notices in use by the trust.

A privacy notice tells you what to expect us to do with your personal information when you make contact with us or use one of our services. It is a statement that describes how the organisation collects, uses, retains and discloses personal information and is sometimes referred to as a privacy statement, a fair processing statement or sometimes a privacy policy.

National data opt-out

Information about your health and care helps us to improve your individual care, speed up your diagnosis, plan your local services and research new treatments.

The national data opt-out was introduced in May 2018, enabling patients to opt out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her review of data security, consent and opt-outs.

Patients can view or change their national data opt-out choice at any time by using the online service at the NHS Your NHS Data Matters website or by calling 0300 3035678.

To find out more about how this trust uses your information, please see the trust privacy notice.

Individual clinical services, specific use of information

  • adult mental health*
  • children’s and young persons mental health (CAMHS)*
  • older people’s mental health*
  • children, young people and families (CYP and F)*
  • drug and alcohol (adults)*
  • drug and alcohol plus sexual health (young people)*
  • Doncaster care integrated services (DCIS)*
  • forensics*
  • NHS talking therapies*
  • memory services*
  • St Johns hospice*

*currently under development

Who is responsible for your data?

Senior information risk officer (SIRO)
Richard Banks, Director of Health Informatics

Caldicott guardian
Dr Graeme Tosh, Executive Medical Director

Data protection officer (DPO)
Caroline J Britten, Head of Information Governance


Contact the Information Governance team

Information Governance
Tickhill Road Site
Tickhill Road

Page last reviewed: April 05, 2024
Next review due: April 05, 2025

