Data Requests & Your Privacy

Data request

Access your information

In the UK by law you have a right to access your information under what is called a Subject Access Request. Simply complete the online form below and ensure the requested documents are uploaded such as Photographic ID and address verification so we can ensure you are who you say you are. You may be telephoned by one of the team to check some details from the record only you would know for security. We by law have to process this within 30 days.

Please read the online Supporting Information page here as part of your application to learn how the process works, how long it will take and how you can make a complaint if you are not satisifed with the service.

Note: We will not release your information without the correct identification. Please read the Guidance on providing identification (ID) below.

Alternatively download the Online Data Request form here and email to or post to our address listed on our Contact Us details below.

Access someone else’s information (i.e if a Public Body / Police)

If you are not a public body (Police, Fire or GP etc.), executor of an individual’s estate or for any other reason you will usually need a Lasting Power of Attorney for Health and Wellbeing. Public bodies usually require a Court Order, or a special request previously known as a Section 29 to detect and prevent crime. If in doubt, simply complete online form below (Option 3) and one of the team will come back to you initially usually within 48 hours.

If the individual is deceased, your information request would fall under the Access to Health Records Act 1990 and more information can be found on the NHS website here.

In order to provide you with a copy of any personal information, or invoke your individual rights as outlined below, we require two forms of identification; one photographic and one that confirms your current address.

If you require any information outside the remit of Nottingham University Hospitals NHS Trust such as GP or Community Health information, please contact the relevant organisations directly.

Note: We will not release information without the correct identification or documentation. Please read the Guidance on providing identification (ID) below.

Contact Us

Data Protection Office

Nottingham University Hospitals NHS Trust
QMC campus
Derby Road

Tel: 0115 924 9924 extension 86838


Guidance on providing identification (ID)

The Data Protection Act 2018 gives you a statutory right of access to your personal records (manual or computer). In certain circumstances your records or part of your records may be withheld under the terms of the Act, but if that is the case this will be discussed with you.

  • You may wish to authorise someone else to make an application on your behalf.
  • If you have parental responsibilities, you may make an application to see your child’s notes, if they are less than 13 years old.


Proof of Identity

You must provide two types of identification. These may be:

  • Birth Certificate
  • Passport
  • Driving License
  • Staff ID badge (for members of staff only)

In addition, proof of address must be provided e.g. bank statement, utility bill and Tax certificate. If you wish to have information sent out to you, photocopies of identification information must be sent to Nottingham University Hospitals NHS Trust.


Identification documents to receive personal information:

An applicant should provide:

  • One form of personal photo ID and one document confirming their address must be provided from different sources.
  • If requesting on behalf of a child, we require evidence of parental responsibility.

Acceptable Photo Personal Identity Documents

  • Current UK, EU / other nationalities passports.
  • Passports of non-EU nationals containing UK stamps, a visa or a UK residence permit showing the immigration status of the holder in the UK*
  • Current UK (or EU / other nationalities) Photo-card Driving Licence (providing that the person checking is confident that non-UK Photo-card Driving Licences are genuine)
  • A national ID card and / or other valid documentation relating to immigration status and permission to work*

Where the applicant is not able to provide acceptable photographic ID the following must be provided: -

  • One form of non-photographic personal identification and one document confirming the address must be provided from different sources.
  • A passport sized photograph, endorsed on the back with a signature of a ‘person of standing’ who has known them for at least 3 years (e.g. magistrate, medical practitioner, officer of the armed forces, teacher, lawyer, civil servant)


Acceptable Non-Photo Personal Identity Documents

  • Full UK Birth Certificate – issued within 6 weeks of birth;
  • Current Full Driving License (old version); (Provisional Driving Licenses are not acceptable);
  • Residence permit issued by Home Office to EU Nationals on inspection of own-country passport;
  • Adoption certificate;
  • Marriage/Civil Partnership certificate;
  • Divorce or annulment papers;
  • Police registration document;
  • Certificate of employment in HM Forces;
  • Current benefit book or card or original notification letter from the Department of Work and Pensions (DWP) confirming legal right to benefit;
  • Most recent HM Revenues and Customs (previously Inland Revenue) tax notification;
  • Current firearms certificate;
  • Application Registration Card (ARC) issued to people seeking asylum in the UK (or previously issued standard acknowledgement letters, SAL1 or SAL2 forms);
  • GV3 form issued to people who want to travel in the UK without valid travel documents;
  • Home Office letter IS KOS EX or KOS EX2;
  • Building industry sub-contactor’s certificate issued by HM Revenues and Customs (previously Inland Revenue)


To confirm address, the following documents are acceptable:

  • Recent utility bill or a certificate from a supplier of utilities confirming the arrangement to pay for the services on pre-payment terms (note: mobile telephone bills should not be accepted as they can be sent to different addresses).
  • Utility bills in joint names are permissible; *
  • Local authority tax bill (valid for current year); *
  • Current UK photo card driving license (if not already presented as a personal ID document);
  • Current Full UK driving license (old version) (if not already presented as a personal ID document);
  • Bank, building society or credit union statement or passbook containing current address;
  • Most recent mortgage statement from a recognised leader;*
  • Current local council rent card or tenancy agreement;
  • Current benefit book or card or original notification letter from Department of Work and Pensions (DWP) confirming the rights to benefit;
  • Confirmation from an electoral register search that a person of that name lives at the claimed address; *
  • Court Order.*

*The date on these documents should be within the last 6 months (unless there is a good reason for it not to be e.g. clear evidence that the person was not living in the UK for 6 months or more) and must contain the name and address of the applicant.

Freedom of Information Requests (FOI)

Please view our dedication webpage below for submitting an FOI or complete the Online Data Request Form above:

Individual Rights Requests

If you wish to invoke your Individual Rights under the Data Protection Act 2018, this includes requesting an amendment or deletion to your personal information held by the Trust, please download and complete the form below (or wihtin the Downloads section) and email to

Please view the Guidance on providing ID information above.

Please read the NHS Amending pateint and service user records guidance below before submitting:

Can you charge me any fees?

The Freedom of Information Act and the associated Fees Regulations stipulate that we cannot levy a fee for information unless there is a statutory basis for doing so, or the amount of time taken to locate the information exceeds 18 hours. However, we are allowed to charge for disbursements related to the provision of information and any reformatting requested by the applicant provided we ensure that applicants are aware of any charges that may be made.

Our fees are based on The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004, Statutory Instrument 2004 No. 3244.

No charges will be made for information accessed via our website. For any information that is provided in hard copy and where there are no statutory provisions our rates for photocopying, postage and reformatting will be as follows:

Photocopying and printing - 20p per copy

Postage - 2nd class postage

Reformatting - Calculated at £25 per hour plus the additional cost of reproduction in anything other than paper format.

Further information about the fees regulations can be found in the Ministry of Justice step-by-step guide to fees.


Assessing the appropriate limit

The Act provides for public authorities to either charge for or decline requests for information that would cost over what is referred to as the appropriate limit. With regards to NUH (and other public authorities) the appropriate limit is set at £450.

We are required to estimate whether a request is likely to breach the 'appropriate limit' and where it does, to notify you of the estimated costs and where available, the options to reduce those costs as may be required.


Calculation of fees

We will calculate the fees by estimating the time it will reasonably take to:

  • determine whether the information requested is held
  • locate the information or documents containing the information
  • retrieve such information or documents
  • extract the information from the document which contains it (including editing or redacting information)

The standard hourly rate that all authorities must use to calculate the staff costs of answering requests is £25 per hour.

There will be no fee to pay for requests for information that cost less than £450 or take less than 18 working hours to complete.

We are however, entitled to make a charge to recover the cost of reproduction of the information and postage (which are referred to as disbursement costs) and will do so if those costs exceed £15 in total.

If there is a fee to pay, you will be notified in writing of the total cost with an explanation of how those costs have been calculated. The 20 day compliance time will be suspended and then will be reactivated when we receive your payment.

We will provide advice and assistance and discuss with you how the scope of the request could be narrowed in order to keep any fees as low as possible.

When we have issued a fees notice, you have three months to pay. We do not have to answer the request until payment has been received (section 9(2) of the Freedom of Information Act) and will consider the request to have been cancelled if payment has not been received within three months after the fees notice is issued.

If you do not agree with the Trust's decision that the cost of complying with the request would exceed the appropriate limit, you can ask the Information Commissioner to investigate.


Requests costing more than the appropriate limit

If a request would cost more than the 'appropriate limit' to answer, we not obliged to answer it. However, we will provide advice and assistance to you to see whether the question could be refined, or resubmitted in part, to bring it below the appropriate limit.

If after providing such advice the request would still cost more than the appropriate limit to answer, we will inform you no later than the 20-day limit for answering requests with one of three outcomes:

  • we can decide not to provide the information
  • we can answer and charge a permitted fee calculated in accordance with the Fees Regulations, or
  • we can answer without charging


Aggregating requests

Where we receive a number of requests from either the same person or different people asking for the same or similar information within a short time of each other, we may consider aggregating these requests to take an overall view of the resources which would have to be committed to answering all of the requests.


When can you aggregate requests?

We can only aggregate requests in the following circumstances:

  • two or more requests for the same information have been made
  • they must be either from the same person, or from 'different persons who appear to be 'acting in concert or in pursuance of a campaign'
  • they have been received within a space of 60 consecutive working days


Environmental Information Regulations 2005

Environmental information is exempt from the information the Freedom of Information Act by virtue of section 39, and is dealt with under the Environmental Regulations 2005 regime.

Unlike Freedom of Information, there is no 'appropriate limit' in the Regulations, and there is no requirement under regulation 12(4)(b) to answer a request that is 'manifestly unreasonable'. This would apply to requests which would have an unreasonable resource impact on us.

We cannot make a charge for allowing you:

  • access to any public registers or lists of environmental information; or
  • to examine the information (at a place chosen by the public authority)

For all other situations, charging is at our discretion. The Environmental Information Regulations (EIR) 2005 state that public authorities may charge for environmental information and this charge should be "reasonable". An EIR request will be treated in exactly the same way as an FOI request if it falls below the appropriate limit of £450.

Disbursement costs for photocopying, printing and postage may be charged if they exceed £15. You will be notified in writing if there is a fee to pay.

Unlike FOIA, a request for environmental information cannot be refused if it exceeds the appropriate limit. In such cases, we will consider the request on its own merits and agree a course of action with you, which may include a reasonable charge being made for the information. Again, you will be notified in writing if there is a fee to pay.

For further information see: Information Commissioner's Guidance Environmental Information Regulations - Charging for environmental information.


Mixed requests

A mixed request is a case in which part of the information requested is regulated by one access to information regime, and other parts by other regimes.

Maximum fees will be determined according to each separate regime. For example, where a request is for a mixture of your own personal data, and other information to which the Freedom of Information Act applies, then the maximum fee will be the sum of the maximum subject access fee under the Data Protection Act and the maximum fee for providing the remainder of the information calculated under the freedom of information regime.


Re-use of public sector information regulations

The information featured on this website is the copyright of Nottingham University Hospital NHS Trust unless otherwise indicated. You may re-use the information on this website free of charge in any format. Re-use includes copying, issuing copies to the public, publishing, broadcasting and translating into other languages. It also covers non-commercial research and study. Re-use is subject to the following conditions. You must:

  • acknowledge the source and our copyright in cases where you supply the information to others
  • reproduce the information accurately
  • not use the information in a misleading way
  • not use the information for the principal purpose of advertising or promoting a particular product or service.
  • you may establish links to this website

Further information about the public sector re-use information regulations can be found on the office of public sector information website.

How do you use my data in clinical research?

Using your data in our research

Using your data

Protecting your information

Our research is only possible because patients, families, carers and the public take part.

Using data collected from you, or about you or about whole populations of people with similar diseases or characteristics as you is an essential part of our research. We understand that sharing your data with us is an important decision.

So we make sure that at every stage of our research, we protect your privacy, confidentiality and dignity. 

Our researchers are specially trained, qualified and authorised to work with your data. We handle and store data in the most secure ways possible. We will only use your data for clincal research.

We will only use your personal data with the proper approvals, regulations and safeguards in place. In order to use your data we will work in one of the following ways:

  • Ask you to agree (consent) to take part in a research trial and explain to you how your data will be used
  • Ask the independent Confidentiality Advisory Group (CAG) for approval of our research where it ius not possible to ask for indivuals to give their agreement (consent) 
  • Anonymise the data (to make sure that an individual cannot be identified) to enable us to do research on a bigger scale, with information from thousands of people

More information about using your data in research

The video above summarises how the NHS uses data to save lives and improve treatment and care; we are grateful to the Understanding Patient Data initiative for these resources.

You will find more information and resources on the Understanding Patient Data website.

Our commitment to you

At NUH we make the following commitments about the data we keep about you and the way that we protect it. We will:

  • Keep the right information to provide services and fulfil our legal responsibilities to you
  • Keep your records safe, secure and accurate
  • Only keep your information for as long as necessary
  • Collect, store and use the information you provide to the data protection standards and the laws that govern data protection
  • Comply with the NUH Privacy Policy and the General Data Protection Regulation (GDPR), which requires that the way we manage your personal data is fair, lawful and transparent.

Excellence in data analytics

We are working with our partners in the University of Nottingham to develop the skills and capabilities to analyse extremely large amounts of data for research.

We are also working nationally as part of information collaborations and new developments in research data to improve healthcare across the country.  

What is the NHS Data Opt Out?

NHS Data Opt Out

Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments.

In May 2018, the strict rules about how this data can and cannot be used were strengthened. The NHS is committed to keeping patient information safe and always being clear about how it is used.

As a result of these changes, you can choose whether your confidential patient information is used for clinical research and planning.

Quick links

How confidential patient information is used

When your choice does not apply

Make your choice

Your health records

Your health records contain a type of data called confidential patient information. This data can be used to help with research and planning.

You can choose to stop your confidential patient information being used for research and planning. You can also make a choice for someone else like your children under the age of 13.

Your choice will only apply to the health and care system in England. This does not apply to health or care services accessed in Scotland, Wales or Northern Ireland.

What is confidential patient information?

Confidential patient information is when two types of information from your health records are joined together.

The two types of information are:

·       something that can identify you

·       something about your health care or treatment

For example, your name joined with what medicine you take.

Identifiable information on its own is used by health and care services to contact patients and this is not confidential patient information.

How we use your confidential patient information

Your individual care

Health and care staff may use your confidential patient information to help with your treatment and care. For example, when you are a patient at NUH, your clinical team will look at your records for important information about your health.

Research and planning

Confidential patient information might also be used to:

·       plan and improve health and care services

·       research and develop cures for serious illnesses

Your choice

You can stop your confidential patient information being used for research and planning. Find out how to make your choice.

If you’re happy with your confidential patient information being used for research and planning you do not need to do anything.

Any choice you make will not impact your individual care.

Information in other formats and languages

This information is also available in other languages and formats.

What is a Caldicott Guardian & Data Protection Officer?

Caldicott Guardian

Caldicott Guardians are experts on confidentiality issues and access to patient records. Dame Fiona Caldicott recommended such posts in her 1997 report into how patient information was used (and should be protected) in the health service, and in its increasingly complex information systems: "A senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information."

The NUH Caldicott Guardian is readily available to give advice on any concerns you may have about a case or activity.


Our Caldicott Guardian:

Dr Jeremy Lewis
Caldicott Guardian
Consultant in Acute Medicine
Nottingham University Hospitals NHS Trust
QMC campus
Derby Road

Tel: 0115 924 9924 ext 66113


How it works

The Caldicott report sets standards for management of confidentiality and access to personal information in the NHS.

Two key preconditions for confidentiality of information are its integrity and its security. Integrity is achieved by ensuring the accuracy and completeness of information through proper processing. Security is achieved by effective protection against inappropriate access or disclosure.

The eight 'Caldicott' principles apply specifically to patient-identifiable information. The Caldicott Guardian has a responsibility to oversee an ongoing process of audit, improvement and control of application of the principles.

Principle 1: Justify the purpose(s) for using confidential information

Every proposed use or transfer of confidential information should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.

Principle 2: Use confidential information only when it is necessary

Confidential information should not be included unless it is necessary for the specified purpose(s) for which the information is used or accessed. The need to identify individuals should be considered at each stage of satisfying the purpose(s) and alternatives used where possible.

Principle 3: Use the minimum necessary confidential information

Where use of confidential information is considered to be necessary, each item of information must be justified so that only the minimum amount of confidential information is included as necessary for a given function.

Principle 4: Access to confidential information should be on a strict need-to-know basis

Only those who need access to confidential information should have access to it, and then only to the items that they need to see. This may mean introducing access controls or splitting information flows where one flow is used for several purposes.

Principle 5: Everyone with access to confidential information should be aware of their responsibilities

Action should be taken to ensure that all those handling confidential information understand their responsibilities and obligations to respect the confidentiality of patient and service users.

Principle 6: Comply with the law

Every use of confidential information must be lawful. All those handling confidential information are responsible for ensuring that their use of and access to that information complies with legal requirements set out in statute and under the common law.

Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality

Health and social care professionals should have the confidence to share confidential information in the best interests of patients and service users within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

Principle 8: Inform patients and service users about how their confidential information is used

A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information - in some cases, greater engagement will be required.

Caldicott Guardians and the Data Protection Act 2018

The Act is the key legislation covering all aspects of information processing. This includes security and confidentiality of personal information. The Caldicott requirements provide the framework to put the Data Protection Act into operation.


Data Protection Officer (DPO)

More information on the role of a DPO can be found below:


Privacy Notice (Patient) How do you use and manage my information?

The data protection law changed to the Data Protection Act 2018. Which now uncompases the UK General Data Protection Regulation (GDPR) to protect your data and rights as a data subject.

Data Protection legislation requires that data controllers (NUH in this case) provide certain information to people whose information (personal data) they hold and use. A Privacy Notice is one way of providing this information. 


Privacy Notice (Employee)

You can view and read the staff privacy notice here:  Staff Privacy Notice.pdf [pdf] 526KB 

Privacy Notice (EMRAD (Radiology))

Privacy Notice (EMRAD (Radiology))

The East Midlands Radiology Consortium (EMRAD) aims to deliver timely and expert radiology services to patients across the East Midlands, regardless of where they are being treated.

EMRAD Services

The services provided by EMRAD include imaging tests like x-rays and scans in the following NHS hospital trusts:

  • Chesterfield Royal Hospital NHS Foundation Trust
  • Kettering General Hospital NHS Foundation Trust
  • Northampton General Hospital NHS Trust
  • Nottingham University Hospitals NHS Trust
  • Sherwood Forest Hospitals NHS Foundation Trust
  • United Lincolnshire Hospitals NHS Trust
  • University Hospitals of Derby and Burton NHS Foundation Trust
  • University Hospitals of Leicester NHS Trust

A key benefit for patients is that clinicians, and other staff who support your care, can access your complete radiology imaging record, including scans, reports and clinical opinions, regardless of where they are based in the East Midlands, which enables clinicians to provide more care closer to patients’ homes.

It will also help to avoid unnecessary appointments and duplicate or repeat scans. 

Further Information about EMRAD

When you have a scan (X-ray, CT, MR, or Ultrasound) in our hospitals, it is stored on an electronic system that is shared with seven other hospital Trusts in the East Midlands, collectively known as EMRAD. Access to your full scan history will enable healthcare professionals in those hospitals to access your radiology record when necessary.

This will help you by:

  • Bringing the best possible medical expertise to your case by sharing scans for review.
  • Saving time by reducing delays in sharing data.
  • Receiving consistent, safe and effective clinical care and treatment, irrespective of where you receive your care in the East Midlands.

Privacy Policy

You can read and download a copy of the EMRAD privacy policy here.

How to make a complaint

If you wish to complain about any aspect of the manner in which your access request was handled, in the first instance please follow the steps below:

If you are still not satisfied with the response you receive you may refer your complaint to the Information Commissioner if it is in relation how data is handled or proceeed within the Trust:

Can you help us improve our website?

Please help us to improve the Nottingham University Hospitals website by filling in this short six question survey.

Complete the website survey

*If you have filled in this survey, press the X in the top right corner