Skip to content
Suffering anxiety, depression, low mood or stress?

We can help! Free, confidential NHS talking therapy service to help you. For more details visit NHS Talking Therapies for anxiety and depression.

Privacy notice

Published: Tuesday 05 July 2022 | Updated: Tuesday 26 July 2022


What is a privacy notice?

This is a statement made by Rotherham Doncaster and South Humber NHS Foundation Trust to our patients, service users, visitors, carers and the public that describes how we collect, use, retain and disclose personal information which we hold. It is sometimes also referred to as a privacy statement, fair processing statement or privacy policy.

This privacy notice is part of our commitment to ensure that we process your personal information/data fairly and lawfully and forms part of our accountability and transparency to you under the General Data Protection Regulation (GDPR) 2016 and the Data Protection Act 2018 (DPA).

We will collect, store and use personal data about you to provide you with healthcare services. Your personal data will also be used to plan our services and to make sure those services are as good as they can be.

We are the data controller, and our registered address is:

Woodfield House
Tickhill Road Site
Weston Road
Doncaster, DN4 8QN

Our Information Commissioner’s Office (ICO) registration number is Z5863970.

We take our duty to protect your personal data and maintain confidentiality very seriously. We are committed to taking all reasonable measures to ensure the security of the personal data we are responsible for, whether this is computerised or in paper form.

At Trust Board level we have a Senior Information Risk Owner (SIRO) who is accountable for the management of all the Trust’s information assets and a Caldicott Guardian who is responsible for the management of patient data and patient confidentiality. We have a Data Protection Officer (DPO) who ensures the Trust is accountable and compliant with the GDPR and DPA.

The Data Protection Officer can be contacted by:

  • Post: Woodfield House, Tickhill Road Site, Weston Road, Balby, Doncaster, DN4 8QN
  • Email:
  • Phone: 03000 211189

What information do we collect about you?

The health professionals caring for you keep records about your health, treatment and care you receive with the NHS. The information in the record may come from you, other care providers e.g. a GP, social care or hospital. The maintenance of these records will ensure that you receive the best possible care. They may be written down on paper or held on a computer, and include:

  • basic personal details about you such as your name, address, date of birth, next of kin etc.
  • contacts we have had with you such as appointments or clinic visits
  • notes and reports about your health, treatment and care
  • results of X-rays, scans and laboratory tests
  • relevant information from people who care for you and know you well, such as health professionals, relatives and carers

It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.

We will use the mobile telephone number you have provided us with to send appointments and reminders to you via SMS messaging unless you ask us not to.

The Trust also collects information to provide secondary (non-core) services, such as maintenance of facilities including the car park, fundraising and marketing. If your information will be used for any secondary service, you will be notified of these. Under the data protection legislation, generally the processing is necessary for the purposes of legitimate interests pursued by the data controller, where the legitimate interests are supporting the running of the day to day operations of the organisation.


Our website utilises a standard technology called cookies to collect information about how our website is used and to record your preferences in order to give you the information you need during your visit. Information gathered through cookies allows us to monitor website traffic and to personalise the content of the site for you.

Web server log files

IP addresses are used by your computer/mobile device, i.e. smartphone, every time you are connected to the internet. Your IP address is a number that is used by computers on the network to identify your computer/mobile device. IP addresses are automatically collected by our web servers so that data (such as the web pages you request) can be sent to you. Web server log files are used to record information about our site, such as system errors. Log files do not contain any personal information or information about which other sites you have visited.

Why do we collect this information about you?

Your information is used to guide and record the care you receive and is vital in helping us to:

  • have all the information necessary for assessing your needs and for making decisions with you about your care
  • have details of our contact with you, such as referrals and appointments and can see the services you have received
  • can assess the quality of care we give you
  • can properly investigate if you and your family have a concern or a complaint about your healthcare

Professionals involved in your care will also have accurate and up-to-date information and this accurate information about you is also available if you:

  • move to another area
  • need to use another service
  • see a different healthcare professional

Your information will also be used to help manage the NHS and protect the health of the public by being used to:

  • review the care we provide to ensure it is of the highest standard and quality
  • protect the health of the general public
  • manage the health service
  • ensure our services can meet patient needs in the future
  • investigate patient queries, complaints and legal claims
  • ensure the health care providers receive payment for the care you receive
  • prepare statistics on NHS performance
  • audit NHS accounts and services
  • undertake health research and development
  • help train and educate healthcare professionals

For these purposes we use the minimum amount of information necessary.

Improving health, care and services through planning and research

This Trust is one of many organisations working in the health and care system to improve care for patients and the public. Whenever you use a health or care service, such as attending Accident and Emergency or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information is not needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit the NHS overview pages. On this web page you will:

  • see what is meant by confidential patient information
  • find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • find out more about the benefits of sharing data
  • understand more about who uses the data
  • find out how your data is protected
  • be able to access the system to view, set or change your opt-out setting
  • find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • see the situations where the opt-out will not apply

More information about how patient information is used:

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is currently compliant with the national data opt-out policy.

Mental Health Community Survey

The Mental Health Community Survey is an annual survey to look at the experiences of people who have received care in the community for a mental health condition. The survey has Confidentiality Advisory Group (CAG) approval. If you do not want to take part in the survey you can opt-out, more information on the national data opt-out page.

What our lawful basis is for processing your information under data protection legislation

For healthcare purposes

  • Article 6(1)(e) – public task: the processing is necessary to perform a task in the public interest, or our official functions, which have a clear basis in law
  • Article 9(2)(h) – processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services

For the CCTV System

We have CCTV systems on site for the purposes of public and staff safety and crime prevention and detection. Images captured by CCTV will not be kept for longer than necessary. However, on occasions there may be a need to keep images for longer, for example where a crime is being investigated. We operate CCTV and disclose in accordance with the codes of practice issued by the Information Commissioner.

CCTV images or other data held may be used in some circumstances where incidents require investigation by the Data Controller. This information is processed under Article 6(1)(f) as processing may be necessary for the purposes of legitimate interests pursued by the Data Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child or Article 6(1)(e) public task, processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, dependent upon the specific processing which is necessary.

How we use your personal information

Your information will also be used to help manage the NHS and protect the health of the public by used to:

  • review the care we provide to ensure it is of the highest standard and quality
  • protect the health of the general public
  • manage the health service
  • ensure our services can meet patient needs in the future
  • investigate patient queries, complaints and legal claims
  • ensure the healthcare providers receive payment for the care you receive
  • prepare statistics on NHS performance
  • audit NHS account and services
  • undertake health research and development
  • help train and educate healthcare professionals

Who do we share your personal information with?

Everyone working within the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.

Legal reasons to share information

A person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies. In these rare circumstances we are not required to have your consent. Examples of this are if:

  • there is a concern that you are putting yourself at risk of serious harm
  • there is concern that you are putting another person at risk of serious harm
  • there is concern that you are putting a child at risk of harm
  • we have been instructed to do so by a Court
  • the information is essential for the investigation of a serious crime
  • you are subject to the Mental Health Act (1983), there are circumstances in which your nearest relative must receive information even if you object
  • your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases

Health and social care professionals

You may receive care from other organisations, e.g. social care services, other NHS trusts etc, and therefore this Trust may need to share information to ensure consistent and appropriate care and support is provided. This is only shared if there is a genuine need to share or we have patient consent to do so.

We share information with the following partner organisations:

  • Other NHS Trusts and hospitals involved in your care.
  • Local Authorities.
  • Clinical commissioning groups – responsible for planning the health needs of their patients, and for paying to keep their local hospitals running. Information in computerised form is sent to Clinical Commissioning Groups, with your name and address removed, but including NHS numbers and postcodes. Exactly the same information is sent to the Office of National Statistics which produces information about the performance of hospitals. Other organisations such as specialist disease registries receive information about particular areas of healthcare. This is important to ensure that the NHS provides the best possible treatments both now and in the future.
  • Doncaster Integrated Care Record – an electronic record which allows health and care professionals in Doncaster to quickly and securely access medical information about you while they are caring for you. When you come into contact with health and social care services in Doncaster, staff will ask you for permission to view your Integrated Doncaster Care Record.
  • NHS Digital – on behalf of NHS England assess the effectiveness of the care provided by publicly-funded services – we share information such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations. You have the right to object to us sharing your information to NHS Digital – this will not affect your care in any way. For information about how you can Opt-Out of sharing your data for research and development purposes only, please visit the NHS overview page.
  • NHS Digital Strategic Data Collection Service (SDCS) – if you are an inpatient within the Trust, you will be required to undertake a polymerase chain reaction (PCR) test and/or lateral flow devices (LFDs) for COVID-19. Every assisted LFD test result, positive, invalid and negative, will be logged by the relevant ward or department according to the Trust procedure. Collated results will be uploaded to the Strategic Data Collection Service (SDCS).
  • NHS improvement.
  • NHS England.
  • Care Quality Commission (CQC).
  • General Practitioners (GPs).
  • Ambulance Services.

You may be receiving care from other people as well as the NHS, for example social care services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it.

Therefore, we may also share your information, subject to strict agreement about how it will be used, with:

  • social care services
  • education services
  • local authorities
  • voluntary and private sector providers working with the NHS

We will not disclose your information to any other third parties unless we:

  • have your permission
  • have an appropriate legal basis to do so
  • have good reason to believe that failing to share the information will put you or someone else at risk of serious harm or abuse
  • hold information that is essential to prevent, detect, investigate or punish a serious crime

We would never share your personal information for marketing or insurance purposes.

Do we use any data processors?

Communications and engagement

Purpose for processing

This Trust offers various services to the public giving them the opportunity to engage with us. This could be providing people with the latest news and information from the Trust, opportunities, events and details on how to get involved and surveys.

We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have requested a publication to carry out a survey to find out if they are happy with the level of service they received or if the information is useful to them. We will never ask you to provide any personal data in response to a survey. Any personal data received in responses is removed before responses are collated, analysed or disseminated.

When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this. Personal data collected for the above purposes is only processed with the explicit consent of the data subject unless it becomes apparent that we are required to process the personal data due to statutory obligations such as investigating a complaint.

Lawful basis

Article 6(1)(a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Sources of the data

The personal data is provided by data subjects when signing up to receive one of our newsletters or interest in an engagement event, either via our website or by completing one of our sign-up forms at one of the stakeholder events that we hold from time to time.

Categories of personal data

We only require you to provide us with your name and email address or residential address so that we can send you our publications. Information regarding your gender, sexual orientation, marital status and disabilities is collected so that we can ensure that our patient involvement groups are representative of the population we serve. We may also use it to send you targeted information or news. However, it is not mandatory to provide this information.

Invoice Validation

Purpose for processing

Invoice validation is an important process. It involves using your NHS number to see who is responsible for your care, in order for us to invoice the correct commissioners to recover the income back for the care that has taken place.

This Trust is an accredited Controlled Environment for Finance (CEfF) under a Section 251 exemption which enables them to process patient identifiable information on behalf of this Trust without consent for the purposes of invoice validation – Confidentiality Advisory Group CAG 7-07(a)(b)(c)/2013.

Lawful basis

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Sources of the data

We are the provider who submit invoices to NHS Shared Business Services for the Commissioners for validation and payment.

Categories of personal data

The data required for effective invoice validation can be found in Appendix B, of “Who Pays? Information Governance Advice for Invoice Validation“.

Recipients of personal data

Commissioners who the Trust has invoiced for the charges related to your care. This Trust only shares personal data via NHSE England’s published list of accredited commissioner emails addressed – this data includes your NHS number and GP code at the time the service was accessed.

Safeguarding concerns and reviews

Purposes for processing

We are dedicated in ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and thoroughly applied with the wellbeing of all, at the heart of what we do.

Lawful basis

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Article 9(2)(g) – processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Some Article 9 conditions require a corresponding Schedule 1 condition from the DPA 2018 for special category data. (See DPA 2018 Part Two, 18 Safeguarding of children and of individuals at risk).

Categories of personal data

The data collected by this Trust staff including hosted bodies, in the event of a safeguarding situation will be as much personal information as is necessary or possible to obtain in order to handle the situation. In addition to some basic demographics and contact details, this is likely to be special category information (such as health information).

Sources of the data

The Trust will either receive or collect information when someone contacts the organisation with safeguarding concerns or we believe there may be safeguarding concerns.

Recipients of personal data

The information is used by the Trust when handling a safeguarding incident or concern. We may share information accordingly to ensure duty of care and investigation as required with other partners such as local authorities, the police, care homes, healthcare professional (i.e. their GP or mental health team).


Purposes for processing

The Trust have a statutory duty to the improvement of quality and delivery of services, therefore use incident events, investigations, evidence and reports relating to incidents under various policy and procedural structures.

The Trust monitor patient healthcare and the way in which their information is handled within care homes or services provided which the Trust fund; this is to assess the quality of care given to patients, and close monitoring of staff delivering these services. Where there may be concerns identified an investigation is carried out. It is important to carry out quality assurance visits to ensure the correct processes are being adhered to, patients are getting the best service and the correct paperwork is being completed. This information is shared with healthcare providers and care homes so that services and care can be reviewed and maintained at a high level.

In order to promote quality and compliance, the Trust has several reporting protocols for incidents and provides investigation and learning to improve systems and services they commission.

A part of this monitoring allows the Trust to review hospital discharge data so that delayed transfers of care are identified and so that the Trust can assess how these can be reduced for more efficiency.

Lawful basis

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

Categories of personal data

NHS Number and other personal details, including relevant healthcare records and information about the concerns, including others involved or impacted by the event are used by the Trust to facilitate concerns/incident investigations.

Sources of the data

Data received in order to fulfil the duties relating to concerns or an investigation will be received directly from the organisation in concern or the reporting organisation, such as a care home or provider.

Recipient of personal data

Information relating to outcomes will be sent back to the relevant providers.

Medicines optimisation

Purpose for processing

The Trust has a duty to secure continuous improvement in the quality of services provided to individuals for or in connection with the prevention, diagnosis or treatment of illness. Taking that into account, the Pharmacy Team supports the Trust with commissioning services that make best use of available medicines. Your personal data will be used to fulfil this duty in respect of promoting cost-effective use of medicines as well as implementing projects or actions to optimise the use of medicines to improve outcomes, enhance patient safety and improve capacity within the local health economy.

Lawful basis

  • Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

Source of data

Data used to fulfil the above duties is received directly from the primary and secondary healthcare providers for which the Trust has responsibility for.

Categories of data

Typically, clinicians and pharmacists will require access to patient information including NHS Number and medication lists.

Recipients of personal data

Personal data is shared between the Trust and local healthcare providers including GP Practices. They do this to facilitate the implementation of recommendations by the Pharmacy Management Team.

Recipients and third party disclosures

Rotherham Health Record

The Rotherham Health Record is an electronic system for sharing your health information in a secure way with health and care staff who provide care directly to you. This gives them access to the most up-to-date information so that they can provide better and quicker care. Health and care professionals, including doctors and nurses, who are directly providing your care, will see a summary of your existing records – such as those held by your GP, hospital or social care provider – to allow them to make the right decisions with you and for you.

South Yorkshire Fire and Rescue Safe and Well Referral Scheme

South Yorkshire Fire and Rescue (SYFR) will deliver a programme of Safe and Well Referral visits to complete HSCs in partnership with RDaSH to households in South Yorkshire. The visits will be targeted at residents of all ages who may present a higher risk of injury and/or fatalities as a result of house fires. This may be due to lack of awareness or due to behaviours that may be a cause for concern to themselves and others with regards to fire risk or may present any associated health risks that may increase the risk or fire such as hoarding or drug/alcohol dependencies. Referrals will be made from RDaSH to SYFR for a HSC visit, this referral process will ensure we can support vulnerable residents in our communities.


Airmid is a patient facing app that allows patients to take control of their own healthcare and engage with their own care team. The app allows video consultations where clinicians can contact patients remotely and allows for bidirectional data flow.

TPP SystmOne

With modules for every healthcare setting from primary care to hospitals, social care and mental health, SystmOne provides clinicians and health professionals with a single shared Electronic Health Record (EHR) available in real time at the point of care. With SystmOne, patient data can be shared securely across services—promoting efficiency and standardisation. Most importantly it enables services to improve the patient experience and deliver safer patient care. As a complete clinical and administrative solution, SystmOne helps services fully digitalise healthcare and work innovatively. SystmOne mobile working allows clinicians to work, irrespective of location and even when there is no network connection available, including schools and the patient’s home.

QUIT programme

QUIT is a smoking cessation support programme being implemented across several trusts in the South Yorkshire and Bassetlaw ICS, including RDaSH. The main service this programme will provide is smoking cessation and abstinence support for smoking in-patients and staff. Several Tobacco Treatment Advisors (TobTAs) will be recruited to deliver the service. Tobacco treatment advisors will be alerted if any smokers are admitted and will proactively contact them. New information will cover only smoking-related aspects, such as patient’s smoking habits, any intervention prescribed, tracking data on the abstinence/ quitting progress.

Oxehealth Digital Care Assistant

The Oxehealth system is the technology platform that is deployed into mental health wards to support clinicians. The Oxehealth service will be implemented across all RDaSH adult and older peoples’ mental health wards and PICU wards. It uses an optical sensor (camera + infrared illumination in a secure housing on the wall) to monitor a patient in a room 24/7. With this system clinicians can take medical grade cardio-respiratory measurements remotely, access cardio-respiratory trends from the last 24 hours to understand if a resting patient’s physical health may be deteriorating, receive real-time alerts to high-risk activity, prompting a safety check, and view objective patient activity reports to support clinical decision making. Using this technology in clinical areas will support safe delivery of care and can enhance and improve processes and proactively manage and prevent incidents.


QbTest is an objective test that measures core ADHD symptoms: activity, attention and impulsivity. The test results are instantly analysed and presented in a report that compares a patient’s results with a group of people of the same age and gender who do not have ADHD. It is the most advanced ADHD management system, designed for more accurate diagnosis and treatment follow up.

Rotherham Health App

Subtrakt Health, via Black Pear. Rotherham Health App is an appointment booking/patient registration for Rotherham Improving Access to Psychological Therapies (IAPT) service. The app will allow users to book, cancel and amend an appointment.

Rotherham CAMHS automated booking

Choose and book system within SystmOne for self-referral.

Palliative Care Co-ordination System (EPaCCS)

EPaCCS enables the recording and sharing of a patient’s care preferences and key details about their care at the end-of-life. As it is electronic it can easily be shared 24/7 between all of the clinicians and carers involved in the patient’s care across organisational and geographical boundaries. The EPaCCS record is a summary record, intended to provide an easily accessible view of the information that carers need in an end-of-life setting. More information about EPaCCS.

SY Police and Multi-Agency Tasking and Coordination (MATAC)

Information is shared between RDaSH Aspire and SY Police to assist in reducing domestic abuse.

SY Police and Aspire Drug and Alcohol Services

Information is shared between SY Police and RDaSH Aspire Drug and Alcohol Services for the diversion of adult offenders from the formal criminal justice system through the use of out of court disposals with drug and alcohol recovery conditions. One of the conditions of the caution could be that the offender attends a set number of meetings with the Alcohol and Drug Recovery Services and engages with them on a rehabilitative/diversionary plan. The Alcohol & Drug Recovery Services will report back whether the offender has met the condition or not to a centralised secure SYP email.


AccuRx is software that interfaces with SystmOne to allow secure transmission and recording of text messages, patient video conferences, digital documents and photographs. Healthcare providers can communicate more efficiently with their patients and with each other in order to deliver top quality care. One-way SMS messages can be sent to patients, digital documents can be sent, saving time and video consultations can be done without the need for an app.

Akrivia health platform

Akrivia health platform enables research and service improvement opportunities by making previously inaccessible data from electronic medical records (EMR) in mental health services available to healthcare organisations in a safe and secure manner.

CCI Credit Management

The Trust may supply information to the Trust’s authorised debt collector, CCI Credit Management, in order to recover any monies owed to the Trust by employees.

The data shared will be date of birth, National Insurance Number, former names, contact numbers, email addresses, next of kin and any other information required. The legal basis for sharing this information is Article 6(1)(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. If the contract is breached then it becomes necessary in some cases to pursue monies for the performance /fulfilment of the contract.

ISOSEC Virtual Smartcard

The use of virtual smartcards for system authentication, currently supported by physical smartcards authentication.

Deloitte Connect

Online external and internal audits conducted on finances.

Integra Centros

Processing of payroll data to obtain accurate costing details to the relevant departments, and the collection of monies from individuals.

Courageous Success

The Courageous Success programme allows individuals to provide feedback on their value preferences in both work and non-work situations so that they can operate with greater confidence as individuals and leaders. Feedback is provided from the answers in order to help develop leadership skills/styles.

VoiceAbility advocacy

RDaSH will provide information to VoiceAbility for the purpose of identifying newly admitted patients to enable them to offer their independent mental health advocacy services.

This agreement is only concerned with patients detained under or subject to the MHA.

We will ensure your individual rights are respected.

The right to be informed

Of how your data will be used. This applies to both patient and staff data.

The right of access

To your personal data, and this is commonly referred to as a subject access request. Individuals can make a subject access request verbally or in writing, and we have one month to respond to a request.

This is a free service, although there are specified examples where a fee may be applicable, such as:

  • where the request is manifestly unfounded or excessive
  • if an individual requests further copies of their data following a request

We can charge a reasonable fee covering our admin costs.

The right to rectification

To have inaccurate personal data rectified or completed.

The right to erasure

Often referred to as the right to be forgotten and is not absolute. The right does not apply to special category data if processing is necessary for the provision of health or social care; or for the management of health or social care systems or services.

The right to restrict processing

To require organisations to restrict processing where:

  • accuracy is contested by the individual
  • processing is unlawful and the subject opposes erasure
  • the organisation no longer needs the data, but the subject requires it to be kept for legal claims
  • the individual has objected, pending verification of legitimate grounds

The right to data portability

To receive personal data about them in a commonly used and machine readable format. This right is only available where the processing is based on consent and the processing is automated. Please note that this is not the legal basis for the majority of our processing, therefore with regards to most of the data held by this Trust, this right does not apply.

The right to object

  • To processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling).
  • To direct marketing (including profiling).
  • To processing for purposes of scientific/historical research and statistics.

Rights in relation to automated decision making and profiling

When making a decision solely by automated means without any human involvement this is known as automated individual decision making and any automated processing to evaluate certain things about an individual is known as profiling, although it can also be part the same process.

We can only carry out solely automated decision-making that has legal (or similarly significant) effects on you, where the decision is:

  • necessary for the entry into or performance of a contract
  • authorised by Union or Member state law applicable to the controller
  • based on your explicit consent

If so, we must ensure we give you information about the processing and introduce simple ways for you to request human intervention or challenge a decision. We must also carry out regular checks to make sure that our systems are working as intended.

How can you access your personal information?

You have a right to see the information we hold about you, both on paper or electronic, except for information that:

  • has been provided about you by someone else if they have not given permission for you to see it
  • relates to criminal offences
  • is being used to detect or prevent crime
  • could cause physical or mental harm to you or someone else

Your request must be made in writing and we will request proof of identity before we can disclose personal information.

If you would like to request a copy of your records, please contact Information Governance.

  • Post: Information Governance, Woodfield House, Tickhill Road Site, Weston Road, Balby, Doncaster, DN4 8QN
  • Email:
  • Phone: 03000 211189

Do we send your data to other countries?

Sometimes your data may be processed outside of the UK, in most circumstances it will remain within the European Economic Area (EEA) and will have the same protection as if processed within this country. When this is outside the EEA we will identify the data protections in place prior to transfer.

How do we keep your information safe?

We are committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in a hardcopy or electronic format.

  • This Trust is registered with the Information Commissioner’s Office (ICO).
  • All of the information systems used by our Trust are implemented with robust information security safeguards to protect the confidentiality, integrity and availability of your personal information.
  • The security controls adopted by the Trust are influenced by a number of sources including the 10 National Data Guardian Standards and guidelines produced by NHS Digital and other government standards.
  • We have very strict rules about who can and cannot use our computers. We also put restrictions in place as to which records staff can access.
  • Our computers and networks are protected against hackers and unauthorised access.
  • Any information about you that is sent electronically to another healthcare provider or service is sent securely (encrypted).
  • Every time someone accesses your information an audit trail is created.
  • All employees and our partner organisations are legally bound to respect your confidentiality. All staff must comply with our security operating procedures. Any breach of these is treated seriously, and could result in disciplinary action, including dismissal.
  • Under the NHS Confidentiality Code of Conduct, all staff are required to protect information, inform you of how your information will be used and allow you to decide if and how your information can be shared. This will be noted in your records.
  • All Trust employees are required to undertake annual training in data security and protection.
  • Teaching clinicians – some medical files are needed to teach student clinicians about rare cases. Without such materials, new doctors and nurses would not be properly prepared to treat you.
  • Clinical placements – clinical placements for students commonly take place within the NHS. Students, such as student nurses, medical students and social work students, could be receiving training in the service that is caring for you. This may be when you are an inpatient, in a community setting such as a day hospital, or when you are being visited by health or social care staff at home.
  • If staff would like a student to be present they will always ask for your permission before that meeting or episode of care. The treatment or care you receive will not be affected if you refuse to have a student present during your episode of care.
  • Occasionally, for assessment purposes, students may request that their supervisor be present. You may refuse this if it makes you feel uncomfortable.

How long do we keep your information?

All records held by the NHS are subject to, and kept in line with the retention periods in, the Records Management Code of Practice for Health and Social Care Act 2021. The code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it. Read the  Trust’s Records Management Policy.


The Data Protection Act 2018 requires organisations to notify with the Information Commissioner to describe the purpose for which they process personal information. These details are publicly available on the Information Commissioner’s Office website.

How do you make a complaint?

If you are not happy how your data or request has been handled, please:

  • speak to your health professional, i.e. key worker, support worker, consultant, etc
  • visit our information governance page, telephone them on 03000 211189, or email at
  • email the Trust’s Data Protection Officer at, if you have any further queries about the uses of your information
  • access our make a complaint web page
  • get further advice or report a concern directly to the Information Commissioners Office (ICO), the UK’s independent authority, via the data protection complaints page or telephone them on 0303 123 1113

What about information about the Trust itself?

The Freedom of Information Act 2000 provides any person with the right to obtain information held by this Trust, subject to a number of exemptions. If you would like to request information from us, please contact the Information Governance Team:

  • Post: Woodfield House, Tickhill Road Site, Weston Road, Balby, Doncaster, DN4 8QN
  • Email:
  • Phone: 03000 211189

Where can you find more information?

Data Protection Impact Assessments

Data protection law introduced a new obligation to do a Data Protection Impact Assessment (DPIA) before carrying out types of processing likely to result in high risk to individuals’ interests. A DPIA is a process to help identify and minimize the data protection risks which requires the processing of personal data. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.

We publish a log of completed DPIAs and any requests for the full DPIAs can be sent to

The new Data Protection Legislation supports your right to have your privacy respected and your data protected. It gives you easier access to the personal information the Trust holds about you, if you wish to check or change it. It is designed to give you confidence that this information is accurate, up to date and well managed.

Definition of terms

Data controller

The organisation which determines the processing of personal data. The data controller is the legally responsible organisation.

Data processor

An organisation which the data controller appoints to provide a service on its behalf. The data processor must follow the legal instruction of the controller.

Data subject

The individual who personal data is about. The individual must be identifiable from the data.

Data Protection Officer

The person appointed by the data controller as the single point of contact for data protection enquiries. The Data Protection Officer acts independently and monitors compliance with data protection obligations.

Data processing

The activities which relate to personal data. Data processing includes:

  • obtaining, recording or holding the information
  • organisation, adaption or alteration
  • retrieval, consultation or use
  • disclosure by transmission, dissemination or otherwise making available
  • alignment, combination, blocking, erasure or destruction of the information or data

Information Commissioner’s Office (ICO)

The regulator of information rights in the United Kingdom. Visit the ICO website for more information.

Personal data

Data which relates to an individual and enables them to be identified.