Data Requests & Your Privacy
Data Requests & Your Privacy
How to access your information (Known as a Subject Access Request (SAR))
You have the right to ask for a copy of your health records and any other personal information that we may hold about you, such as employment or training records.
Such requests will be dealt with as a SAR under Data Protection legislation. We are obliged to provide within 30 days unless an exemption applies.
Limited rights of access to health records of a deceased person are provided under the Access to Health Records Act 1990.
If you wish to make a SAR you can download an application form from the Downloads section on this page below/side, or you can ask for an application form by writing to using the address within the Contacts section below/side of this page.
Within the Downloads section you can:
- View an information leaflet explaining how the process works here (Or from the Downloads drop to the right / below depending on your device)
- Download the application form here (Or from the Downloads drop to the right / below depending on your device)
When you apply, you will be asked to specify the kind of information you wish to be made available to you, provide proof of your identity (such as a photocopy of a formal document with your name and address on it, for example, a utility bill or your driving licence or passport).
If your request is complex, please find support within the doanlaods section called Data Discovery - Data Protection Act - Subject Access Requests.
All completed application forms and supporting documentation should be posted in hardcopy format to to the address in the Contact section below/side of this page. If you require any assistance with completing the application form please contact us as per the Contact section below / side of this page.
If you make a subject access request and are not satisfied with the way in which we deal with it, you may ask us to review any decision we make. If you wish to undertake such a review you should write to the Data Protection Officer in the first instance using the email address within the Contacts section below/side of this page.
Any review will normally be under the control and direction of the Data Protection Officer and Caldicott Guardian, who is a senior clinician appointed by the Medical Director to take responsibility to ensure the protection of patient confidentiality throughout the Trust in accordance with your legal rights.
If you remain dissatisfied at the conclusion of any review, you may complain to the Information Commissioner, whose address is:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Or, if you feel we have failed to comply with the Act without good reason, you may apply to a Court. The Information Commissioner has produced a series of guidance about your subject access rights, which is available on the website.
Guidance on providing identification (ID)
The Data Protection Act 2018 gives you a statutory right of access to your personal records (manual or computer). In certain circumstances your records or part of your records may be withheld under the terms of the Act, but if that is the case this will be discussed with you.
- You may wish to authorise someone else to make an application on your behalf.
- If you have parental responsibilities, you may make an application to see your child’s notes, if they are less than 13 years old.
Proof of Identity
You must provide two types of identification. These may be:
- Birth Certificate
- Driving License
- Staff ID badge (for members of staff only)
In addition, proof of address must be provided e.g. bank statement, utility bill and Tax certificate. If you wish to have information sent out to you, photocopies of identification information must be sent to Nottingham University Hospitals NHS Trust.
If you wish to complain about any aspect of the manner in which your access request was handled, in the first instance please follow the steps below:
If you are still not satisfied with the response you receive you may refer your complaint to the Information Commissioner:
Identification documents to receive personal information:
An applicant should provide:
- One form of personal photo ID and one document confirming their address must be provided from different sources.
- If requesting on behalf of a child, we require evidence of parental responsibility.
Acceptable Photo Personal Identity Documents
- Current UK, EU / other nationalities passports.
- Passports of non-EU nationals containing UK stamps, a visa or a UK residence permit showing the immigration status of the holder in the UK*
- Current UK (or EU / other nationalities) Photo-card Driving Licence (providing that the person checking is confident that non-UK Photo-card Driving Licences are genuine)
- A national ID card and / or other valid documentation relating to immigration status and permission to work*
Where the applicant is not able to provide acceptable photographic ID the following must be provided: -
- One form of non-photographic personal identification and one document confirming the address must be provided from different sources.
- A passport sized photograph, endorsed on the back with a signature of a ‘person of standing’ who has known them for at least 3 years (e.g. magistrate, medical practitioner, officer of the armed forces, teacher, lawyer, civil servant)
Acceptable Non-Photo Personal Identity Documents
- Full UK Birth Certificate – issued within 6 weeks of birth;
- Current Full Driving License (old version); (Provisional Driving Licenses are not acceptable);
- Residence permit issued by Home Office to EU Nationals on inspection of own-country passport;
- Adoption certificate;
- Marriage/Civil Partnership certificate;
- Divorce or annulment papers;
- Police registration document;
- Certificate of employment in HM Forces;
- Current benefit book or card or original notification letter from the Department of Work and Pensions (DWP) confirming legal right to benefit;
- Most recent HM Revenues and Customs (previously Inland Revenue) tax notification;
- Current firearms certificate;
- Application Registration Card (ARC) issued to people seeking asylum in the UK (or previously issued standard acknowledgement letters, SAL1 or SAL2 forms);
- GV3 form issued to people who want to travel in the UK without valid travel documents;
- Home Office letter IS KOS EX or KOS EX2;
- Building industry sub-contactor’s certificate issued by HM Revenues and Customs (previously Inland Revenue)
To confirm address, the following documents are acceptable:
- Recent utility bill or a certificate from a supplier of utilities confirming the arrangement to pay for the services on pre-payment terms (note: mobile telephone bills should not be accepted as they can be sent to different addresses).
- Utility bills in joint names are permissible; *
- Local authority tax bill (valid for current year); *
- Current UK photo card driving license (if not already presented as a personal ID document);
- Current Full UK driving license (old version) (if not already presented as a personal ID document);
- Bank, building society or credit union statement or passbook containing current address;
- Most recent mortgage statement from a recognised leader;*
- Current local council rent card or tenancy agreement;
- Current benefit book or card or original notification letter from Department of Work and Pensions (DWP) confirming the rights to benefit;
- Confirmation from an electoral register search that a person of that name lives at the claimed address; *
- Court Order.*
*The date on these documents should be within the last 6 months (unless there is a good reason for it not to be e.g. clear evidence that the person was not living in the UK for 6 months or more) and must contain the name and address of the applicant.
Can you charge me any fees?
The Freedom of Information Act and the associated Fees Regulations stipulate that we cannot levy a fee for information unless there is a statutory basis for doing so, or the amount of time taken to locate the information exceeds 18 hours. However, we are allowed to charge for disbursements related to the provision of information and any reformatting requested by the applicant provided we ensure that applicants are aware of any charges that may be made.
Our fees are based on The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004, Statutory Instrument 2004 No. 3244.
No charges will be made for information accessed via our website. For any information that is provided in hard copy and where there are no statutory provisions our rates for photocopying, postage and reformatting will be as follows:
Photocopying and printing - 20p per copy
Postage - 2nd class postage
Reformatting - Calculated at £25 per hour plus the additional cost of reproduction in anything other than paper format.
Further information about the fees regulations can be found in the Ministry of Justice step-by-step guide to fees.
Assessing the appropriate limit
The Act provides for public authorities to either charge for or decline requests for information that would cost over what is referred to as the appropriate limit. With regards to NUH (and other public authorities) the appropriate limit is set at £450.
We are required to estimate whether a request is likely to breach the 'appropriate limit' and where it does, to notify you of the estimated costs and where available, the options to reduce those costs as may be required.
Calculation of fees
We will calculate the fees by estimating the time it will reasonably take to:
- determine whether the information requested is held
- locate the information or documents containing the information
- retrieve such information or documents
- extract the information from the document which contains it (including editing or redacting information)
The standard hourly rate that all authorities must use to calculate the staff costs of answering requests is £25 per hour.
There will be no fee to pay for requests for information that cost less than £450 or take less than 18 working hours to complete.
We are however, entitled to make a charge to recover the cost of reproduction of the information and postage (which are referred to as disbursement costs) and will do so if those costs exceed £15 in total.
If there is a fee to pay, you will be notified in writing of the total cost with an explanation of how those costs have been calculated. The 20 day compliance time will be suspended and then will be reactivated when we receive your payment.
We will provide advice and assistance and discuss with you how the scope of the request could be narrowed in order to keep any fees as low as possible.
When we have issued a fees notice, you have three months to pay. We do not have to answer the request until payment has been received (section 9(2) of the Freedom of Information Act) and will consider the request to have been cancelled if payment has not been received within three months after the fees notice is issued.
If you do not agree with the Trust's decision that the cost of complying with the request would exceed the appropriate limit, you can ask the Information Commissioner to investigate.
Requests costing more than the appropriate limit
If a request would cost more than the 'appropriate limit' to answer, we not obliged to answer it. However, we will provide advice and assistance to you to see whether the question could be refined, or resubmitted in part, to bring it below the appropriate limit.
If after providing such advice the request would still cost more than the appropriate limit to answer, we will inform you no later than the 20-day limit for answering requests with one of three outcomes:
- we can decide not to provide the information
- we can answer and charge a permitted fee calculated in accordance with the Fees Regulations, or
- we can answer without charging
Where we receive a number of requests from either the same person or different people asking for the same or similar information within a short time of each other, we may consider aggregating these requests to take an overall view of the resources which would have to be committed to answering all of the requests.
When can you aggregate requests?
We can only aggregate requests in the following circumstances:
- two or more requests for the same information have been made
- they must be either from the same person, or from 'different persons who appear to be 'acting in concert or in pursuance of a campaign'
- they have been received within a space of 60 consecutive working days
Environmental Information Regulations 2005
Environmental information is exempt from the information the Freedom of Information Act by virtue of section 39, and is dealt with under the Environmental Regulations 2005 regime.
Unlike Freedom of Information, there is no 'appropriate limit' in the Regulations, and there is no requirement under regulation 12(4)(b) to answer a request that is 'manifestly unreasonable'. This would apply to requests which would have an unreasonable resource impact on us.
We cannot make a charge for allowing you:
- access to any public registers or lists of environmental information; or
- to examine the information (at a place chosen by the public authority)
For all other situations, charging is at our discretion. The Environmental Information Regulations (EIR) 2005 state that public authorities may charge for environmental information and this charge should be "reasonable". An EIR request will be treated in exactly the same way as an FOI request if it falls below the appropriate limit of £450.
Disbursement costs for photocopying, printing and postage may be charged if they exceed £15. You will be notified in writing if there is a fee to pay.
Unlike FOIA, a request for environmental information cannot be refused if it exceeds the appropriate limit. In such cases, we will consider the request on its own merits and agree a course of action with you, which may include a reasonable charge being made for the information. Again, you will be notified in writing if there is a fee to pay.
For further information see: Information Commissioner's Guidance Environmental Information Regulations - Charging for environmental information.
A mixed request is a case in which part of the information requested is regulated by one access to information regime, and other parts by other regimes.
Maximum fees will be determined according to each separate regime. For example, where a request is for a mixture of your own personal data, and other information to which the Freedom of Information Act applies, then the maximum fee will be the sum of the maximum subject access fee under the Data Protection Act and the maximum fee for providing the remainder of the information calculated under the freedom of information regime.
Re-use of public sector information regulations
The information featured on this website is the copyright of Nottingham University Hospital NHS Trust unless otherwise indicated. You may re-use the information on this website free of charge in any format. Re-use includes copying, issuing copies to the public, publishing, broadcasting and translating into other languages. It also covers non-commercial research and study. Re-use is subject to the following conditions. You must:
- acknowledge the source and our copyright in cases where you supply the information to others
- reproduce the information accurately
- not use the information in a misleading way
- not use the information for the principal purpose of advertising or promoting a particular product or service.
- you may establish links to this website
How do you use my data in clinical research?
Using your data in our research
Using your data
Protecting your information
Our research is only possible because patients, families, carers and the public take part.
Using data collected from you, or about you or about whole populations of people with similar diseases or characteristics as you is an essential part of our research. We understand that sharing your data with us is an important decision.
So we make sure that at every stage of our research, we protect your privacy, confidentiality and dignity.
Our researchers are specially trained, qualified and authorised to work with your data. We handle and store data in the most secure ways possible. We will only use your data for clincal research.
We will only use your personal data with the proper approvals, regulations and safeguards in place. In order to use your data we will work in one of the following ways:
- Ask you to agree (consent) to take part in a research trial and explain to you how your data will be used
- Ask the independent Confidentiality Advisory Group (CAG) for approval of our research where it ius not possible to ask for indivuals to give their agreement (consent)
- Anonymise the data (to make sure that an individual cannot be identified) to enable us to do research on a bigger scale, with information from thousands of people
More information about using your data in research
The video above summarises how the NHS uses data to save lives and improve treatment and care; we are grateful to the Understanding Patient Data initiative for these resources.
You will find more information and resources on the Understanding Patient Data website.
Our commitment to you
At NUH we make the following commitments about the data we keep about you and the way that we protect it. We will:
- Keep the right information to provide services and fulfil our legal responsibilities to you
- Keep your records safe, secure and accurate
- Only keep your information for as long as necessary
- Collect, store and use the information you provide to the data protection standards and the laws that govern data protection
Excellence in data analytics
We are working with our partners in the University of Nottingham to develop the skills and capabilities to analyse extremely large amounts of data for research.
What is the NHS Data Opt Out?
NHS Data Opt Out
Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments.
In May 2018, the strict rules about how this data can and cannot be used were strengthened. The NHS is committed to keeping patient information safe and always being clear about how it is used.
As a result of these changes, you can choose whether your confidential patient information is used for clinical research and planning.
Your health records
Your health records contain a type of data called confidential patient information. This data can be used to help with research and planning.
You can choose to stop your confidential patient information being used for research and planning. You can also make a choice for someone else like your children under the age of 13.
Your choice will only apply to the health and care system in England. This does not apply to health or care services accessed in Scotland, Wales or Northern Ireland.
What is confidential patient information?
Confidential patient information is when two types of information from your health records are joined together.
The two types of information are:
· something that can identify you
· something about your health care or treatment
For example, your name joined with what medicine you take.
Identifiable information on its own is used by health and care services to contact patients and this is not confidential patient information.
How we use your confidential patient information
Your individual care
Health and care staff may use your confidential patient information to help with your treatment and care. For example, when you are a patient at NUH, your clinical team will look at your records for important information about your health.
Research and planning
Confidential patient information might also be used to:
· plan and improve health and care services
· research and develop cures for serious illnesses
You can stop your confidential patient information being used for research and planning. Find out how to make your choice.
If you’re happy with your confidential patient information being used for research and planning you do not need to do anything.
Any choice you make will not impact your individual care.
Information in other formats and languages
What is a Caldicott Guardian?
Caldicott Guardians are experts on confidentiality issues and access to patient records. Dame Fiona Caldicott recommended such posts in her 1997 report into how patient information was used (and should be protected) in the health service, and in its increasingly complex information systems: "A senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information."
The NUH Caldicott Guardian is readily available to give advice on any concerns you may have about a case or activity.
Our Caldicott Guardian:
Dr Jeremy Lewis
Consultant in Acute Medicine
Nottingham University Hospitals NHS Trust
Tel: 0115 924 9924 ext 66113
How it works
The Caldicott report sets standards for management of confidentiality and access to personal information in the NHS.
Two key preconditions for confidentiality of information are its integrity and its security. Integrity is achieved by ensuring the accuracy and completeness of information through proper processing. Security is achieved by effective protection against inappropriate access or disclosure.
The eight 'Caldicott' principles apply specifically to patient-identifiable information. The Caldicott Guardian has a responsibility to oversee an ongoing process of audit, improvement and control of application of the principles.
Principle 1: Justify the purpose(s) for using confidential information
Every proposed use or transfer of confidential information should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.
Principle 2: Use confidential information only when it is necessary
Confidential information should not be included unless it is necessary for the specified purpose(s) for which the information is used or accessed. The need to identify individuals should be considered at each stage of satisfying the purpose(s) and alternatives used where possible.
Principle 3: Use the minimum necessary confidential information
Where use of confidential information is considered to be necessary, each item of information must be justified so that only the minimum amount of confidential information is included as necessary for a given function.
Principle 4: Access to confidential information should be on a strict need-to-know basis
Only those who need access to confidential information should have access to it, and then only to the items that they need to see. This may mean introducing access controls or splitting information flows where one flow is used for several purposes.
Principle 5: Everyone with access to confidential information should be aware of their responsibilities
Action should be taken to ensure that all those handling confidential information understand their responsibilities and obligations to respect the confidentiality of patient and service users.
Principle 6: Comply with the law
Every use of confidential information must be lawful. All those handling confidential information are responsible for ensuring that their use of and access to that information complies with legal requirements set out in statute and under the common law.
Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share confidential information in the best interests of patients and service users within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.
Principle 8: Inform patients and service users about how their confidential information is used
A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information - in some cases, greater engagement will be required.
Caldicott Guardians and the Data Protection Act 2018
The Act is the key legislation covering all aspects of information processing. This includes security and confidentiality of personal information. The Caldicott requirements provide the framework to put the Data Protection Act into operation.
Privacy Notice - How do you use and manage my information?
Privacy Notice - How do you use and manage my information?
Data Protection legislation requires that data controllers (NUH in this case) provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information.
The information in this section of our website, and in the pages shown in the menu to the right/below, explains why we collect data about you, and how it is used and stored.
The Trust has an Appropriate policy Document (APD) you can download from the Downloads section on this page.
Privacy Notice (EMRAD (Radiology))
Privacy Notice (EMRAD (Radiology))
The East Midlands Radiology Consortium (EMRAD) aims to deliver timely and expert radiology services to patients across the East Midlands, regardless of where they are being treated.
The services provided by EMRAD include imaging tests like x-rays and scans in the following NHS hospital trusts:
- Chesterfield Royal Hospital NHS Foundation Trust
- Kettering General Hospital NHS Foundation Trust
- Northampton General Hospital NHS Trust
- Nottingham University Hospitals NHS Trust
- Sherwood Forest Hospitals NHS Foundation Trust
- United Lincolnshire Hospitals NHS Trust
- University Hospitals of Derby and Burton NHS Foundation Trust
- University Hospitals of Leicester NHS Trust
A key benefit for patients is that clinicians, and other staff who support your care, can access your complete radiology imaging record, including scans, reports and clinical opinions, regardless of where they are based in the East Midlands, which enables clinicians to provide more care closer to patients’ homes.
It will also help to avoid unnecessary appointments and duplicate or repeat scans.