
Patient privacy notice

Why are we collecting your information?

This Privacy Notice has been written to inform you that York Teaching Hospital NHS Foundation Trust (the Trust) processes information about you in order to provide health care services. Your clinical care team and other health and care professionals caring for you keep records about your health and any treatment and care you receive from the NHS. These help ensure that you receive the best possible care from us. The Trust may also use information to:

  • Review the care we provide to ensure it is of the highest standard and quality
  • Ensure our services can meet service user needs in the future
  • Investigate service users’ queries, complaints and legal claims
  • Prepare statistics on the Trust’s performance
  • Audit Trust accounts and services
  • Undertake health research and development (with your consent - you may choose whether or not to be involved and using anonymous data where possible)
  • Help to train and educate healthcare professionals
  • Text you details of your upcoming appointments
  • Contact you about other services which may help with your health conditions.

Who do we collect your information from?

Much of the information we use will be collected directly from you or your family members. We also use information received from:

  • GPs
  • Other NHS bodies
  • Other Care Providers, such as private sector providers
  • Ambulance trusts
  • Local Authorities
  • Police

Who are we?

The Trust is a ‘Data Controller’. This means that we determine the purposes for which, and the manner in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.

The Trust has appointed Rebecca Bradley (Head of Information Governance) to be its Data Protection Officer (DPO). The role of the DPO is to ensure that the Trust is compliant with Data Protection legislation and to oversee data protection procedures. The DPO contact details are:

York and Scarborough Teaching Hospital NHS Foundation Trust
York Hospital
Wigginton Road
York
North Yorkshire
YO31 8HE
yhs-tr.Information.Governance@nhs.net

What Information are we collecting?

  • Basic information about you, such as name, address, date of birth, NHS number and next of kin details
  • Contacts we have had with you, such as day care clinics and/or home visits
  • Notes and reports about your health and any treatment and care you need
  • Details and records about the treatment and care you receive
  • Relevant information from other health and social care professionals, local authorities, voluntary organisations, relatives or those who care for you and know you well.

We may also process special categories of information that may include:

  • Nationality, racial and/or ethnic origin
  • Religious or philosophical beliefs
  • Health information: e.g. results of x-rays, scans and laboratory tests
  • Notes and reports about your health, treatment and care.
  • Sex life or sexual orientation

What is our lawful basis for processing your information?

We process all personal data in accordance with the UK GDPR. The Health and Social Care Act 2012 and the Care Act 2014 are the laws that tell us we have to keep records about the care and treatment you receive. Our lawful bases for processing are:

  • Article 6(1)(d) Vital Interests: processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • Article 6(1)(e) Public Task: the processing is necessary to perform a task in the public interest, or our official functions, which have a clear basis in law.

Where we process your special category information, our lawful bases are:

  • Article 9(2)(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
  • Article 9(2)(h) Health and Social Care purposes; Schedule 1, Part 1 (c) medical diagnosis, (d) the provision of health care or treatment, or (f) the management of health care systems or services or social care systems or services.
  • Article 9(2)(i) The processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or high quality and safety of health care and medicinal products or devices.
  • Article 9(2)(j) The processing is necessary for archiving purposes in the public interest, Schedule 1, Part 1 scientific or historical research purposes or statistical purposes in accordance with Article 89 (1)

We do not need your consent to use your personal information for the delivery of direct care because we have a public task to do this. We use personal information because it is necessary for us to use this to carry out our activities as an NHS organisation.

How long do we keep your information for?

The Trust follows NHS Digital's recommended retention schedule, which can be found in the Records Management Code of Practice for Health and Social Care.

Who do we share your information with?

We will share information with the following main partner organisations:

  • Other NHS trusts, hospitals that are involved in your care
  • Integrated Care Boards and other NHS bodies
  • General practitioners (GPs)
  • Ambulance trusts

You may be receiving care from other service providers as well as the NHS, for example Social Care Services. We may need to share some information about you with them so we can all work together for your benefit as part of your care.

Therefore, we may also share your information with:

  • Social Care services
  • Education services
  • Local Authorities
  • Voluntary and private sector providers working with the NHS

We also share with National Auditing bodies.

Do we transfer your information outside the UK?

The majority of the information we collect is held in the UK. In some circumstances we may transfer your information outside of the UK, for example where servers are held in the EU. We will take all reasonable steps to make sure your data is not processed in a country that the UK government does not see as ‘safe’. If we do need to send your data out of the EU we will ensure that necessary safeguards are in place.

National Fraud Initiative

The Trust participates in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise. This is necessary to comply with a legal obligation (GDPR Article 6(1)(c)) and does not require consent under the data protection legislation. For further information, please see the National Fraud Initiative Privacy Notice.

National Data Opt Out

You have a choice about whether you want your confidential patient information to be used anonymously for research and planning. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-datamatters

What rights do you have over your data?

Under GDPR, data subjects have the following rights in relation to the processing of their personal data:

  • to be informed about how we process your personal data. This notice fulfils this obligation
  • to request access to your personal data that we hold, and be provided with a copy of it
  • to request that your personal data is amended if inaccurate or incomplete
  • to request that your personal data is erased where there is no compelling reason for its continued processing
  • to request that the processing of your personal data is restricted
  • to object to your personal data being processed

If you have any concerns about the way we have handled your personal data or would like any further information, then please contact our DPO on the address provided above. To put in a Subject Access Request please contact:

01904 725680
Yhs-tr-subjectaccesssgh@nhs.net

If you do not want to receive text messages from the Trust, there is an opt out option for this.

If we cannot resolve your concerns you may also complain to the Information Commissioner’s Office (the Data Protection Regulator) about the way in which the Trust has handled your personal data. You can do so by contacting:

First Contact Team
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
casework@ico.org.uk // 0303 123 1113

Version 14 - 15/04/2023
