Patient and Public Privacy Notice

This Privacy Notice explains what we do with your personal information where we are providing, or have provided, care to you. It tells you:

  • the information we collect about you
  • how we use your information
  • how we store this information
  • how long we retain it
  • who we may share it with
  • for which legal purpose we may share it

You can read the different sections of the Privacy Notice in the drop down menus below.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time. We will notify you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

You can download a copy of our Privacy Notice:  2023-08-18 Privacy Notice (Patient) V3.pdf [pdf] 92KB


If you would like access to the Privacy Policy in other formats please contact our Interpreting Service, full details of which you will find in the Accessing our hospitals section of this website.

Why we collect personal data about you

Why we collect personal information about you

The staff caring for you need to collect and maintain information about your health, treatment and care, so that you can be given the best possible care. 

Health records comprise of information relating to your physical and/ or mental health, created to support your care.  Health records consist of both electronically-held information, such as radiology images and test results, and paper records which have been scanned.  

Your records will information from throughout your contact with the Trust, including referral and discharge letters, observation charts, outpatient/inpatient clinical notes, and relevant information from people who care for you and know you well such as health professionals and relatives,  carers or guardians.

Our legal basis for processing personal information

The ways in which we use your information are governed by law.  NUH is a data controller and make key decisions about how your data is stored and shared.

Clinical (direct) care

When your information is used for care and administrative purposes related to your care it is processed for the purposes of “the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” under GDPR Article 6(1)(e) and the “provision of health or social care or treatment or the management of health of social care systems and services” under GDPR Article 9(2)(h).

Secondary (indirect care) purposes

When your information is used for secondary purposes such as audit and service improvement by the hospital it is processed for the purposes of “the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” under the GDPR Article 6(1)(e) and the “provision of health or social care or treatment or the management of health of social care systems and services” under the GDPR Article 9(2)(h).

When your information is processed to manage health emergencies such as COVID-19, the legal basis is ““the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” under the GDPR Article 6(1)(e) and “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health” under the GDPR Article 9(2)(i). 

When there is a legal requirement that we provide specified data to NHS Digital for example, we rely on Article 6(1)(c)of the GDPR. In cases where the common duty of confidentiality cannot be satisfied through consent we seek approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.


In most instances we rely on Article 6(1)(e) and Article 9(2)(j) of GDPR if and when we use information for research. If you have consented to take part in research, this will satisfy the common law duty of confidentiality. Where it has been impracticable to obtain consent we will seek approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.

Personal information we need to collect about you & how we collect it

We collect personal information about you in a number of ways. This can be from referral details from your GP or another hospital, or directly from you or your authorised representative.

It is likely that we will hold the following basic personal information about you:

  • Your name
  • Your address (including correspondence)
  • Your telephone numbers
  • Your date of birth
  • Your gender
  • Your sex
  • Your next of kin contacts
  • Your GP details

We might also hold your email address, marital status, occupation, overseas status, place of birth and preferred or maiden name.

In addition to the above, we may hold special category personal information about you which could include:

  • notes and reports about your health, treatment and care, including: 
    • your medical conditions (physical and mental)
    • results of investigations, such as X-rays and laboratory tests
    • future care you may need
    • personal information from people who care for and know you, such as relatives and health or social care professionals
    • other personal information, such as smoking status
  • your religion and ethnic origin
  • whether or not you are subject to any protection orders regarding your health, well-being and human rights (safeguarding status)
  • where applicable, the date and cause of a person’s death in our hospitals

This personal information can be held in a variety of formats, including paper records, electronically on computer systems, in video and audio files.

It is important for us to have a complete picture of you as this will assist staff to deliver appropriate treatment and care plans in accordance with your needs.


How do we use your personal information.

The healthcare professionals who are responsible for your care, may use your records to:

  • Confirm who you are when we contact you, when you contact us or when you are attending the hospital for your care.
  • Ensure the most suitable and appropriate decisions are made in relation to your care and treatment
  • Ensure your treatment is safe and effective.

CCTV/surveillance cameras

Security cameras are installed at various locations at Nottingham City Hospital, Queens Medical Centre and Ropewalk House to help prevent and detect crime, and for the protection of staff, visitors and patients and their property.

Body worn cameras may be used in line with the Trust CCTV Policy.

Requests for copies of recordings should be directed to the Data Protection Administration Office. The use of CCTV and any disclosure of images will be in accordance with the codes of practice issued by the Information Commissioner.

Who do we share your information with?

We may on occasions need to share relevant personal information with other NHS organisations and non-NHS providers of healthcare. 

Some examples are:

  • This Trust is part of a group of NHS hospitals in the East Midlands that have a shared radiology system. This enables healthcare professionals in hospitals in the East Midlands to access radiology records when necessary, to ensure consistent, safe and effective clinical care and treatment, irrespective of where patients receive care. For further information please read the EMRAD (radiology) privacy policy
  • The Trust participates in the Nottinghamshire Health and Care Portal / Interweave. The portal enables providers to electronically share health and social care information, such as hospital and GP attendances, test results, medication and care plans with other Nottinghamshire health and social care providers. With explicit consent, health and social care professionals, or staff who are supervised by health and social care professionals, will be able to access information to better coordinate and provide care.  Access to the portal is strictly controlled and the shared record is hosted by Nottingham University Hospitals NHS Trust in a secure data centre.
  • With the explicit consent of the patient, Macmillan holistic needs assessments are shared with the patient’s GP and community teams.
  • The Trust also includes and managed Nottingham Treatment Centre on the Queens Medical Campus. NUH holds records of any previous attendances at the Centre prior to this transfer as well as ongoing records.
  • When Children and Young People attend NUH information may be shared with relevant health care professionals e.g. Health Visitor, School Nurse.
  • Personal information, including health information will be shared with contracted service providers who are providing healthcare services for NUH.
  • If you have an appointment scheduled with NUH, your NHS number is provided to the NHS App so that you can access details of your NUH appointments via the NHS App.

Under a legal obligation we share personal information with the Data Services for Commissioners Regional Offices who de-identify the information before sharing it with commissioning organisations. 

Who might we share your information with?

We may need to share information with other non-NHS organisations from which you receive care, such as Social Services or private care homes. However, we will not disclose information to third parties unless there are specific circumstances, such as when the health or safety of others is at risk, where current legislation permits or requires it or where we have explicit consent.

There are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

There may also be situations where we are under a duty to share your information due to a legal requirement. This includes, but is not limited to:

  • Disclosure under a court order.
  • Sharing with the Care Quality Commission for inspection purposes.
  • Sharing with the police for the prevention or detection of crime.
  • Where there is an overriding public interest to prevent abuse or serious harm to others.
  • Where the law requires it.
  • To comply with Confidentiality Advisory Group approvals under Section 251 of the NHS Act 2006, which permits the collection of health information for patients with specific conditions without consent for the benefit of research and other important activities.  
    • Examples include the National Cancer Registration and Analysis Service, the Trauma Audit and Research Network, the National Congenital Anomaly and Rare Disease Registration Service, Inflammatory Bowel Disease Registry, UK Renal Registry and the NHS Patient Survey Programme. If you wish to opt out of your information being used for these purposes, please contact the Trust’s Data Protection Officer.
  • Notifications of:
    • new births
    • diagnosis of infectious diseases such as meningitis or measles (but not HIV or AIDS) which may put other people at risk

The personal information we collect about you may also be used to:

  • remind you about appointments and send you relevant correspondence.  This might be done by a contracted service provider which may result in your personal information being shared with them
  • review care we provide to ensure it is of the highest standard and quality, e.g. through audit, service improvement and research, for example Friends and Family test
  • support the funding of your care, e.g. with commissioning organisations
  • prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies
  • help train and educate healthcare professionals
  • report and investigate complaints, claims and untoward incidents which may involve sharing your personal data with NHS Resolution and / or external legal advisors
  • review your suitability for research studies or clinical trials
  • contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients
  • contact you with regards to Trust membership
  • contact you to provide spiritual, religious and emotional support to all patients, regardless of faith, as part of our holistic approach to patient care

Where possible, we will always look to anonymise/ pseudonymise personal information so as to protect confidentiality, unless there is a legal basis that permits us to use it, and we will only use or share the minimum information necessary.

Your rights

The Data Protection Act 2018 gives individuals certain rights in relation to their personal data, including the right to:

  • Request access to personal data we hold about you, e.g. in health records (see
  • Request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards. 
  • Refuse/ withdraw consent to the sharing of your health records (in certain circumstances); 
    • In limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
  • Request your personal information to be transferred to other providers on certain occasions.
  • Object to the use of your personal information 
    • In certain circumstances you may also have the right to "object" to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment.
  • Challenge any decisions made without human intervention (automated decision making).
  • Ask us to restrict the use of your information where appropriate

NHS Data Opt Out

You can choose whether your confidential patient information is used for clinical research and planning.

You can find more information on the NHS Data Opt Out in this section of our website: and on the NHS Digital national website:

How we maintain your records

Your personal information is held in both paper and electronic (including audio recordings, electronic databases etc.) formats, for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.

We hold and process information in accordance with Data Protection legislation. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.

We have a duty to:

  • Maintain full and accurate records of the care we provide to you.
  • keep records about you confidential and secure.
  • provide information in a format that is accessible to you.

Your personal information will only be kept for as long as is necessary and will be destroyed in accordance with the Trust's Record Management Policy This varies depending on the type of information.  Typically, your health record is held for 8 years following the end of treatment, or death. Records for some patients, e.g. children’s records, are kept much longer.  Our policy on the Retention and Disposal of Health Records is available here.

We will always try to keep your information confidential and only share information when absolutely necessary. We have procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.


How do I update the personal information you have about me? 


It is essential that we have your correct details to ensure the appropriate care, treatment and follow up is provided to you.  If you change your name, address, phone number, or GP, please let our staff know so that your records can to be updated. You should also tell us if any of your information we hold is incorrect by contacting us on the Contact Details provided on the Your Data and Privacy page.

Useful contacts

Nottingham University Hospitals Data Protection Team

If you have any questions or concerns, please contact the Data Protection Officer, Marc Wilson.

  • Post: Data Protection Officer, Data Protection Administration Office, Nottingham University Hospitals, Queen’s Medical Centre, Derby Road, Nottingham, NG7 2UH

Information Commissioner

If after exhausting our internal processes you believe that we have not complied with the data protection legislation you may wish to seek advice from the Information Commissioner.

Post:               Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Tel:                 0303 123 1113 (local rate)

Tel:                  01625 545 700 (national rate)


Information about EMRAD

When you have a scan (X-ray, CT, MR, or Ultrasound) in our hospitals, it is stored on an electronic system that is shared with seven other hospital Trusts in the East Midlands, collectively known as EMRAD. Access to your full scan history will enable healthcare professionals in those hospitals to access your radiology record when necessary.

This will help you by:

  • Bringing the best possible medical expertise to your case by sharing scans for review.
  • Saving time by reducing delays in sharing data.
  • Receiving consistent, safe and effective clinical care and treatment, irrespective of where you receive your care in the East Midlands.


Have our website read to you

Natural reader logo NaturalReader is a Text to Speech software with natural sounding voices. This easy to use software can convert any written text such as MS Word, Webpage, PDF files, and Emails into spoken words. NaturalReader can also convert any written text into audio files such as MP3 or WAV for your CD player or iPod.

You can download the free version of the software onto your computer and have the site read aloud to you.

or click here for more information about NaturalReader.