Information Governance

Your information

This Privacy Notice has been written to describe to patients, service users, visitors, carers, the public and staff how we collect, use, retain and disclose the personal information we hold. It forms part of our communication to ensure that we process your personal information fairly and lawfully, based upon the Data Protection Act 2018, which implements the EU's General Data Protection Regulation 2016 (GDPR) in UK law; together these are referred to as Data Protection Legislation.

You can read more information on your healthcare records here.

Who we are

Royal Surrey NHS Foundation Trust (RSFT) is a single-site hospital, based in Guildford, which serves a population of more than 330,000 across south west Surrey.

We are a tertiary cancer centre, offering state-of-the-art diagnostic and treatment services to a population of up to 2 million.

We have five divisions led by management and clinician partnerships:

  • Medicine and Access.
  • Women and Children.
  • Surgery.
  • Oncology.
  • Diagnostics and Clinical Support Services.

We also attract referrals from across the country for some specialties, including urology, and our Minimal Access Therapy Training Unit (keyhole surgery) is one of only three such training units in the UK.

In partnership with Procare Community we also provide adult community services, caring for patients in the community. These include district nursing, podiatry, rehabilitation beds, therapists and the Minor Injuries Unit at Haslemere Hospital, and operate across the sites at Haslemere Hospital, Milford Hospital, Cranleigh Hospital, the Jarvis Centre and the Beacon Centre.

Further information about the Trust can be found on our website.

The Trust is registered with the Information Commissioner’s Office, the UK’s independent body set up to uphold information rights, including your rights over your information. Our registration number is Z486353X.

Our Caldicott Guardian, who is responsible for protecting the confidentiality of patient and service user information and enabling appropriate sharing of information, is Jo Mountjoy, Chief Nurse. Contact details:
Tel: 01483 571 122.

Our Senior Information Risk Owner (SIRO), who takes responsibility and ownership of the Trust’s information risk, is Ross Dunworth, Director of Finance. Contact details:
Tel: 01483 571 122

Our Data Protection Officer is Ruth Drewett, who is also Head of Information Governance and Freedom of Information Lead. Contact details:
Tel: 01483 571 122 Ext: 2504.

Annual National Fraud Initiative Privacy Notice

The Cabinet Office conducts data matching exercises to assist in the prevention and detection of fraud under its statutory authority, and does not require the consent of the individuals concerned under data protection legislation or the GDPR. The National Fraud Initiative (NFI) also conducts regular data sharing and analytics pilots to evaluate and improve data matching methodology, so as to continue to help detect and prevent fraud in the most efficient and effective way possible. The NFI is conducted using the data matching powers bestowed on the Minister for the Cabinet Office by Part 6 of the Local Audit and Accountability Act 2014 (LAAA). Click here for more information on the National Fraud Initiative Privacy Notice.

Who are we governed by?

Department of Health

Information Commissioner’s Office

Care Quality Commission

NHS England

Why we collect information about you

For Patients

We ask you for information about yourself so that you can receive care and treatment. We keep this information, together with details of your care, because it may be needed if we see you again, and allows continuity of care.

As a data controller under the GDPR we process personal data (under Article 6) and sensitive data, which the GDPR terms Special Categories (under Article 9).

Personal data is defined as information relating to a living individual that can identify them. Examples include name, date of birth, NHS Number or a combination that can also identify an individual.

Special categories are defined as: race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life and sexual orientation.

The legal basis for the Trust as a public authority for processing information for your individual care under GDPR is as follows:

Article 6

6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

6(1)(d) ‘…necessary in order to protect the vital interests of the data subject or of another natural person’ and

Article 9

9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

For safeguarding

9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law…’

Our guiding principle is that we hold your records in strict confidence.

Information we collect includes:

  • Your name and address
  • Your medical conditions, allergies and medications
  • Treatment provided and contact you have had with us
  • Results of investigations, such as x-rays, MRI / CT and laboratory tests
  • Reports about your health and the care you need
  • Relevant information from other health professionals
  • Smoking status
  • Any learning disabilities
  • Religion
  • Marital status
  • NHS number
  • Occupation
  • Overseas status
  • Place of birth
  • Preferred name or maiden name
  • Where applicable, the date, cause and place of death
  • Your ethnic origin, in order to help in planning services and ensuring equal access
  • School details
  • Child/Adult protection status
  • Email address
  • Your religious, spiritual or pastoral beliefs (or none)
  • Family details
  • Sexual life
  • Next of Kin details
  • Power of Attorney Status / Deputyship under the Mental Capacity Act (Health and Personal Welfare)
  • Photographs, audio and video recordings.

For Staff, Volunteers and Job Applicants

The Trust keeps information on employees, volunteers and job applicants in connection with their work for the Trust or their application.

The legal basis for the Trust as a public authority for processing this personal information under GDPR is as follows:

6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law…’

For individual contractors providing services to the Trust.

Article 6(1)(b): the processing is necessary for a contract, where the individual has a contract with the Trust or because the individual has asked the Trust to take specific steps before entering into a contract.

This information may include:

  • your name, address and contact details, including email address and telephone number, date of birth and gender
  • the terms and conditions of your employment
  • details of your qualifications, membership of professional bodies, skills, experience and employment history, including start and end dates, with previous employers and with the trust
  • information about your remuneration, including entitlement to benefits such as pensions or insurance cover
  • details of your bank account and national insurance number
  • information about your marital status, next of kin, dependents and emergency contacts
  • information about your nationality and entitlement to work in the UK
  • information about your criminal record
  • details of your schedule (days of work and working hours) and attendance at work
  • details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave
  • details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
  • assessments of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence
  • information about medical or health conditions, including whether or not you have a disability for which the trust needs to make reasonable adjustments
  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.

The Trust may collect this information in a variety of ways. For example, data might be collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.

In some cases, the Trust may collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.

Not a Patient or Employee? Visitors, Relatives, Friends, Next of Kin

It is possible that the Trust holds information on you as part of someone else’s record. Under GDPR you may still be entitled to receive a copy of this information, so long as it would not breach the confidentiality of the person whose records hold the information, and there is no other reason not to provide it.

The legal basis for the Trust as a public authority for processing your personal information under GDPR is as follows:

6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’

What the GDPR terms mean:

Contract: the processing is necessary for a contract the individual has with the Trust, or because they have asked the Trust to take specific steps before entering into a contract.

Legal obligation: the processing is necessary for the Trust to comply with the law (not including contractual obligations).

Vital interests: the processing is necessary to protect someone’s life.

Exercise of Official Authority: there are many Acts of Parliament which set out the responsibilities and authority of NHS bodies, such as Foundation Trusts, of which Royal Surrey is one. For instance, the Health and Social Care (Community Health and Standards) Act 2003 and the Health and Social Care Act 2012.

Public task: the processing is necessary for the Trust to perform a task in the public interest or for the Trust's official functions, and the task or function has a clear basis in law.

How your patient records are used to help you

  • Your doctor, nurse or any other healthcare professional involved in your care needs to have accurate and up-to-date information to assess your health.
  • A record of any treatment or care you receive in hospital needs to be kept, in case you return for further treatment.
  • This information is available should you have to see another doctor at the Trust, or receive treatment elsewhere in the NHS.
  • Your records are a good basis for hospital staff to assess the type and quality of care you have received.
  • Your concerns can be properly investigated if you need to complain.

How your patient records are used to help the NHS

  • Review the care we provide for you and other patients, to ensure it is of the highest standard.
  • Make sure our services can meet all patients’ needs in the future.
  • Teach and train healthcare professionals.
  • Conduct health research and development.
  • Make sure your hospital gets paid for your treatment.
  • Audit NHS services and accounts.
  • Prepare statistics on NHS performance.
  • Investigate complaints, legal claims or untoward incidents.

Some of this information will also be held centrally by the NHS, where it is used for statistical purposes in order to plan ahead. This is known as Secondary Use. Strict security measures are taken to ensure that individual patients cannot be identified.

Anonymous statistical information may also be passed to organisations with a legitimate interest in health care and its management, including universities, community safety units and research institutions.

Where it is not possible to use anonymous information, personally identifiable information may be used for essential NHS purposes such as research and auditing. This will only be done with your consent, unless the law permits the information to be passed on to improve public health or the research has been approved by the Confidentiality Advisory Group (CAG), a national body comprising ethicists, data protection experts and lay people.

Transfers of your information to third countries or international organisations

It may sometimes be necessary to transfer personal information overseas. When this is needed, information is only shared within the European Economic Area (EEA) unless additional safeguards have been put in place to protect your information.

Any transfers made will be in full compliance with all aspects of current data protection legislation.

How long do we hold your information for?

We retain health records for at least 8 years from the last date that we saw you at the Trust, and for children until their 25th birthday. For patients who have had cancer or a blood transfusion, your record is kept for 30 years after we have finished treating you.

These are the minimum times for which we keep information; we may keep it for longer if we believe doing so will be of benefit to you, or if we are not able to delete it, for example due to a technical issue.

We have a duty to:

  • Maintain full and accurate records of the care we provide to you
  • Keep records about you confidential and secure

Further details can be found in the "NHSX Records Management Code of Practice 2021."

Royal Surrey Customer

This fair processing notice also applies where you are an individual (acting solely or jointly with another person for your own account, or as a sole trader or as an attorney, trustee, partner in a partnership or member of an unincorporated club or association) or where you are a relevant individual (such as an owner, director, officer, partner or authorised signatory) of a company or other incorporated entity who is considering entering into an agreement to provide goods or services with us or one of our operating partners. For further information on how we process your financial payment information, click here: Fair Processing Notice - Customers IG.

How we keep your records confidential

Everyone working for the NHS has a legal duty to keep information about you confidential.

You may receive care from other people as well as the NHS (such as Social Services). We may need to share some information about you so that we can all work together for your benefit. We will only ever use, or pass on, information about you if others involved in your care have a genuine need for it, such as our partner organisations, listed below.

All NHS organisations must comply with the NHS Care Records Guarantee. The document sets out the rules that govern how patient information is used in the NHS and what controls a patient can have over this.

We will not disclose your information to third parties without your consent unless there are exceptional circumstances. These may be situations when the health and safety of others is at risk, or where the law permits information to be passed on. Anyone who receives information from us is also under a legal duty to keep it confidential.

We are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional.

Occasions when we must pass on information include:

  • Notification of new births.
  • Where we encounter infectious diseases which may endanger the safety of others, such as meningitis, or measles (but not HIV/AIDS).
  • Where a formal court order has been issued.
  • Where a serious crime or a terrorist incident has been committed.

Who are our partner organisations

The principal partner organisations or people with which relevant information may be shared are:

  • Other NHS Trusts and Foundation Trusts
  • Clinical commissioning groups (who commission hospital services – usually information is partly or fully anonymised)
  • General Practitioners (GP)
  • Ambulance services
  • Social services
  • Private sector providers, such as care homes or home care delivery services
  • Family, associates and representatives (with your consent or under Lasting Power of Attorney/Deputyship under Mental Capacity Act – Personal Welfare)

Relevant information may also be shared with the organisations below. Where this is done it will be either to benefit your treatment plan or to help plan future services for others. Usually this is covered by a strict agreement describing how the information is to be used (a Purpose Specific Information Sharing Agreement).

  • Local authorities
  • Education services, such as research at universities
  • Voluntary sector providers, such as patient groups or health charities

Mole Valley RSFT Post Discharge Welfare Check-in Pilot

From 19th December 2023, for a 3 month period, Royal Surrey NHS Foundation Trust (RSFT), in collaboration with Mole Valley Borough Council/Mole Valley Life, will be piloting a post discharge welfare telephone call service. This means that Guildford & Waverley patients who have been an in-patient with RSFT for over two nights and under two weeks, who are over 50 years of age and are not on a follow-up referral pathway, may receive a welfare telephone call from a Mole Valley Responder to check whether any further support is required in the home. For the purpose of this welfare telephone call, the minimum personal information (full name, DoB and telephone contact) will be shared securely with the Mole Valley Responder team and processed in accordance with Data Protection Legislation.

For further information visit Privacy Notice for Technology Enabled Care Services (Telecare) - Mole Valley District Council

If you have any queries regarding this service, please do not hesitate to contact the respective organisation's Data Protection Officer: for RSFT –, for Mole Valley Borough Council – Mr Tom Penlington (Solicitor) – tel 01306 879354.

Surrey & Sussex Cancer Alliance

Royal Surrey NHS Foundation Trust hosts the Surrey & Sussex Cancer Alliance (SSCA), funded by the NHS England Cancer Programme.

SSCA is one of 19 Cancer Alliances established across England, and its members include:

  • Surrey Heartlands Health & Care Partnership (ICS)
  • Frimley Health ICS
  • Sussex Health & Care Partnership
  • All eight acute and specialist Trusts in Surrey and Sussex.

For more information about SSCA, visit:

One of the SSCA projects, “Talk Prostate”, starting in July 2022, is an exciting new partnership between the NHS Surrey and Sussex Cancer Alliance (SSCA) and Medefer.

The partnership was established in spring 2022 and was set up in response to a lower than expected number of suspected prostate cancer referrals, and a drop in the number of prostate cancers being picked up during the Covid pandemic. Whilst this situation is now recovering, working in partnership with Medefer will allow the SSCA to achieve this extra work without adding to the burden already experienced by GPs.

Prostate cancer is the most common cancer in men. 1 in 8 men will be diagnosed with prostate cancer in their lifetime. Whilst survival is high (78%) compared to other cancers, we still lose almost 12,000 men to this disease every year in the UK.

Medefer and SSCA are running a “case finding” project to identify 12,000 men across Surrey & Sussex who might most benefit from having a simple urine and PSA blood test, with the aim of detecting prostate cancers earlier and faster, without adding to GP workload. The project is designed to minimise the number of “false positives” (patients with a positive test who do not have cancer) and to then refer these men to hospital as a suspected cancer referral, where they will have an MRI of their prostate and, if necessary, a biopsy.

Surrey Safe Care

Royal Surrey and Ashford St Peter’s NHS Foundation Trusts are implementing a joint electronic patient record, known as Surrey Safe Care, as a replacement for their separate patient administration systems.

This means that all information relating to a patient who visits either Trust for treatment will be held in a joint system, but accessed only on a ‘need to know’ basis by relevant clinicians.

Providing a shared record will improve communications over the many different clinical pathways that an individual may go through during the course of their treatment, giving clinicians access to timely information to provide the best possible care.

If you would like further information in relation to Surrey Safe Care, please email Information Governance:

Third parties processing on Royal Surrey's behalf for direct care:

HeartFlow – click here.

Berkshire and Surrey Pathology Services - click here.

As part of your care, you may have provided samples (e.g. urine or blood) which will be processed by the Trust’s laboratory or, for a specialised test, by a partner laboratory. The results of these tests and a record of the drugs you have been prescribed are stored by the Trust. The Trust is part of Berkshire Surrey Pathology Services (BSPS); learn more by clicking here. BSPS is a joint venture of Pathology Services between Frimley Health, Royal Berkshire, Royal Surrey, Ashford and St Peters, and Surrey and Sussex Healthcare NHS Foundation Trusts.

To view their Privacy Notice, please see:

NHS Surrey Heartlands - Surrey Care Record

Please find here further information about Surrey Heartlands ICB:

Surrey Care Record - ICS

NHS Surrey Heartlands Integrated Care Board – Guildford and Waverley Alliance:

Summary Care Record

The Summary Care Record (SCR) is a summary electronic patient record of National Health Service patient data, held on a central secure database covering the whole of England. The purpose of the system is to make ‘essential’ patient data readily available anywhere the patient seeks treatment. The Trust’s electronic patient record interfaces with this system to check individuals' demographic details. To ensure that this system records up-to-date information (e.g. your correct home address), always keep your GP notified of any demographic changes.

Information we are required to report

We are also required by law to report certain information to the appropriate authorities, for example notification of new births. We may also provide information regarding crimes to the police, and where a court order has been received.

Whenever we share information with other organisations we will do this in line with the Data Protection Legislation and the NHS Confidentiality Code of Practice (2003).

We share anonymous information with local authorities and the police for the purposes of crime mapping.

We do not share information, in the ways described above, regarding treatment you may have received in the specialities of sexually transmitted infections and human fertilisation and embryology (notwithstanding any legal requirements imposed on the Trust).

Clinical Audit

The Department of Health & Social Care mandates all NHS Trusts to undertake clinical audits on care delivered to patients, which can be undertaken by clinical staff employed by us or by external audit companies. This could involve individuals who have not been involved with your direct care accessing your medical records. Further information on national clinical audit can be found by clicking here.

We have an annual clinical audit programme which requires clinical staff to participate. Clinical staff consider patient medical records to review the care provided, and to identify ways in which the care could be improved in the future.

Medical Device Information Service and Implant Registry

NHS Digital has created a registry, in response to a request from the Secretary of State for Health and Social Care, to support the national reporting of surgical devices and implants to improve patient safety.

It records implants, such as pacemakers or mesh products, and related medical devices, given to patients.

The registry will also collect information about patients that receive alternative procedures that do not include a medical device or implants, so that outcomes can be compared and complications can be understood.

The information your surgical team will submit to NHS Digital includes:

  • Your NHS number
  • Your family name
  • Your first name
  • Your current postcode
  • Your date of birth
  • Your surgeon, and other clinicians involved in your care
  • Details of your procedure and implant used
  • Health information about you pre and post treatment
  • Post-surgery outcome information collected from you by clinicians or submitted by you as part of the review of your care.

If you have any questions, please contact NHS Digital.

Telephone: 0300 303 5678

Their customer service centre is open 9am to 5pm, Monday to Friday, except on public holidays.


Undertaking research is an important element of providing healthcare. Clinical staff are actively encouraged to participate in research trials. The Trust’s Research and Development Department manages all research projects undertaken by us. Your participation in a research project will only take place with your explicit consent, or if the national Confidentiality Advisory Group agrees that the project should have special permission to undertake research without consent. This is called Section 251 approval. The Trust occasionally works with other organisations, e.g. universities and external organisations, to pilot new ways of working, with the aim of providing improved and more efficient services to patients. Where the Trust undertakes this work you will be informed and asked if you wish to participate.

Research – National Cancer Registration and Analysis Service (NCRAS)

Public Health England (PHE) is responsible for managing the National Cancer Registration and Analysis Service (NCRAS). Cancer Registration in England has been running since the start of the NHS and collects data on all patients with cancer or a reasonable suspicion of cancer. The data includes information on the diagnosis, treatment and outcomes of cancer patients. The data is then linked to other information, including information from PROMS and Patient Experience surveys. Although originally used as a resource for epidemiology and public health, the Registration Service data is now used extensively for health service evaluation, clinical audit, basic and clinical research, commissioning and, increasingly, to support direct patient care. For further information on how your data is used and how you can request access to information held on you, please click here.

Should you wish to request to ‘opt-out’ of your identifiable data being collected and stored for this purpose, please contact Public Health England – email or write to:

National Cancer Registration and Analysis Service
Public Health England
Wellington House
133-155 Waterloo Road

Patient Surveys

For further information regarding patient surveys in which the Trust is participating, please click on the links below:

Inpatient Survey Poster

CQC 2022 Maternity Survey

CQC 2022 Emergency Care Survey

CQC 2022 Urgent Treatment Centre

National Opt-out - what you need to know

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services.

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where it is allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information is not needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please click here; the site will also allow you to:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply.

Alternatively, you can speak to an advisor in the NHS Digital Contact Centre, telephone 0300 303 5678, Monday to Friday, 9am to 5pm (excluding bank holidays). They can help you use the online service and make the changes of your choice on your behalf.

You can also find out more about how patient information is used at:

Click here to learn more about health and care research; and click here to learn more about how and why patient information is used, the safeguards and how decisions are made.

You can change your mind about your choice at any point in time.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. RSFT is currently compliant with the national data opt-out policy.

Complaints and Legal Claims

In order to deal with issues raised by you, or to process your complaint or legal claim, staff within our Legal Department and Complaints Department will access your medical records and may share this information with other staff as well as external third parties where applicable, including our solicitors or NHS Resolution (formerly the NHS Litigation Authority).

We take patient safety very seriously. If an incident occurs which was not expected we will investigate it; to do so, the staff involved in your care, with support from the Trust’s Risk Management Department, will access your medical records.

Royal Surrey Hospital Fundraising Charities

Please click here to visit the Royal Surrey County Hospital Charity website

Foundation Trust Membership

The Trust has a membership for all from the local communities we serve to become involved with supporting us and to help shape the future of Royal Surrey and the services we offer local people.

Social Media, CCTV and email communications

When you use our website or interact with our social media presence (e.g. Twitter, Instagram and Facebook) your data (e.g. comments, likes, reviews) may be visible to providers of social networking services and their users.

We suggest that you review the privacy and security settings of your social media accounts to ensure you understand how your data may be shared and used.

Closed Circuit Television (CCTV)

The Trust makes use of CCTV systems for crime prevention in line with the Information Commissioner’s CCTV code of practice.

The Trust also uses Automatic Number Plate Recognition (ANPR) cameras and hand-held cameras in Trust operated car parks to provide car parking services, to enforce parking terms and conditions, to prevent crime and for traffic analytics.

If you email us

Please note that we may use email monitoring or blocking software.

You have a responsibility to ensure that any email you send to us is within the bounds of the law.

Please note that emails sent to us may not be secure in transit, and we cannot take any responsibility for the security of your email before it is received by the Trust. We may choose not to reply via email if we have concerns regarding confidentiality and/or security.

If you email us or give us your email address then you accept that we may communicate with you via email.

Email is not a guaranteed delivery service – if your communication is important, please confirm we have received it by other means.

It is your responsibility to ensure we and your G.P. have up to date contact details for you.

Automated decision-making and profiling

The Trust does not carry out automated decision making, but will endeavour to identify people who may benefit from additional services (profiling), for example those who attend our emergency department frequently.

Appropriate staff, for example clinicians, would make the actual decisions based on the available information.

There are times when it may be necessary to be able to track back to the patient details. In these cases the patient’s identifying details are replaced by a code, and the information needed to link that code back to the patient is kept within the Trust. This is called pseudonymisation.

Your rights in respect of restricting our processing of your information

Your right to be informed:

This means you have a right to be informed about the way we collect and use your data.

Your right to rectification:

This means you have the right to have inaccurate (incorrect or misleading as to any matter of fact) personal data corrected or completed.

Your right to have your personal information erased:

This right is not absolute and only applies in certain circumstances.

It does not apply to Health Records which are legal documents under the Public Records Act 1950.

You can request, either in writing or verbally, to have your information erased. We will respond to your request within one month.

When does the right to erasure not apply?

  • if the processing is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices);
  • if the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services);
  • to comply with a legal obligation;
  • for the performance of a task carried out in the public interest or in the exercise of official authority;
  • for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
  • for the establishment, exercise or defence of legal claims.

Your right to restrict processing:

This means that you can request that the processing of your data is blocked and that your data is stored separately.

  • You may request a restriction verbally or in writing. This is not an absolute right and will depend on the circumstances of your request.
  • The length of time the restriction will apply for will depend on the circumstances of your request.
  • If you restrict our processing of your data we are permitted to store the personal data, but not use it.
  • We will respond to your request within one calendar month.

You have the right to restrict the processing of your information in the following circumstances:

  • You contest the accuracy of your personal data and we are verifying the accuracy of the data.
  • We no longer need the personal data but you need to keep it in order to establish, exercise or defend a legal claim; or
  • You have objected to the Trust processing your data under Article 21(1), and the Trust is considering whether its legitimate grounds override yours.

How might we restrict processing?

We may:

  • Make the data unavailable to users.

When will a restriction be removed?

Once we have made a decision on the accuracy of the data, or whether our legitimate grounds override those of the individual, we may decide to lift the restriction. We will inform you before we lift the restriction.

Your right to data portability

This means that you can request a secure transfer of your data to another Data Controller.

The right to data portability only applies when:

  • the data is about you and was provided by you to the Trust;
  • the processing is based on your consent or on the performance of a contract; and
  • the processing is carried out by automated means.

Your right to object:

This means that you have the right to object to the Trust processing your data where the processing is based on:

  • legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

Your objection must be on “grounds relating to your particular situation”.

We will stop processing your information unless:

  • we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms;
  • the processing is for the establishment, exercise or defence of legal claims; or
  • the Trust is conducting research where the processing of personal data is necessary for the performance of a public interest task, in which case the Trust is not required to comply with an objection to the processing.

Your right to withdraw your consent

This means that in situations where you have given your explicit consent for your information to be processed, you have the right to withdraw that consent. Please note that this does not apply to your individual care, which is provided under another legal basis (refer to Section 2 above).

You can withdraw your consent by informing the department / team that took your consent. You can do this in writing or verbally.

The fact that consent may be obtained for confidentiality purposes does not mean that consent must also be the lawful basis applied for the purposes of processing data in compliance with the Data Protection Legislation. Well established national guidance on confidentiality remains applicable.

It should be noted that:

  • Data protection requirements (GDPR) do not affect the common law duty of confidence (confidentiality).
  • Although the practice of assuming implied consent for processing data for direct care purposes will not comply with the consent standards under the GDPR, this does not mean that implied consent ceases to be valid for confidentiality purposes (e.g. sending a discharge summary to your GP).

Further information

If you would like to know more about how we use your information or if, for any reason, you do not wish to have your information used in any of the ways described in this leaflet, then please speak to your health care professional.

You can also contact:

Head of Information Governance
Royal Surrey NHS Foundation Trust
Egerton Road

Tel: 01483 571 122


If you feel that we have not adequately dealt with your query or complaint regarding how we process your information you can raise the issue with the Information Commissioner who is the supervisory authority for the United Kingdom (the Regulator) at the address below:

Information Commissioner’s Office

By phone: 0303 123 1113

By letter:

Wycliffe House
Water Lane

By email

How you can get access to your personal information

The Data Protection legislation allows you to find out what information is held about you on computer and in certain manual records, including your health records, personnel files (for staff) and other systems. This is known as the “Right of Subject Access”, or a Subject Access Request. The Act says that the information should be provided within a calendar month, but we aim to provide the information as soon as possible.

Although the Act does not require you to fill in a form, doing so will help the Trust to identify the information you require and will guide you on what proof of identity you need to provide and the fee, if applicable. The Act does require you to put your request in writing; if you choose to do so by letter, we would ask you to be as clear as possible in stating the information you require and to provide the proofs of identity and fee where appropriate. We have provided forms at the end of this leaflet.

Please be as detailed as possible when requesting information, for instance stating date ranges, appointment types or specific letters.

For Patients

  1. For access to the records of living patients, the Data Protection Act 1998 superseded the Data Protection Act 1984 and the Access to Health Records Act 1990, and has itself now been replaced by the Data Protection Act 2018. For access to the records of deceased patients, the Access to Health Records Act 1990, which came into force on 1 November 1991, still applies to manual records created from that date, though we would not restrict this to manual records only.
  2. People who can apply for Patient Records include:
    • the Patient about whom the record has been compiled (the Data Subject), or
    • someone acting on behalf of the patient, for example:
      • by written authorisation of the Patient
      • by exercising parental rights – children who are able to understand the nature of the request can apply in their own right or should give consent to a parental request. A parent may apply if the child is too young or unable to understand the request.
      • by Lasting Power of Attorney – Personal Welfare, naming both the Attorney(s) and the Patient (please note that the Lasting Power of Attorney for Finance and Personal Affairs does not apply)
      • by court appointment, e.g. a Deputy under the Mental Capacity Act
    • a deceased patient’s personal representative
    • someone with a claim arising from the death of the patient

Before records are released we will seek the advice of the consultant in charge of the patient’s care to ensure that no information about an individual’s physical or mental health or condition is released if it would be likely to cause harm to the physical or mental health of the patient or of another person. We will also withhold information provided by third parties where we do not have consent to release it, or where the patient has made it clear that they did not want the information disclosed.

For Staff

3. People who can apply for Staff, Volunteer, Job Applicant Information:

  • the staff member, volunteer or job applicant themselves
  • someone acting on behalf of the staff member, volunteer or job applicant:
    • by written authorisation of the staff member, volunteer or job applicant themselves
    • by court appointment

For Others

4. For people who do not fall into the categories above (this may include relatives, carers, friends or visitors), the Trust may still hold information about you as part of other records. Only the applicant themselves can request this information.

5. Proof of Identity

Please enclose copies of two proofs of ID, one from each category:

Category One:

  • Passport
  • Photographic Driving Licence
  • Birth Certificate
  • Marriage Certificate
  • Lasting Power of Attorney – Personal Welfare
  • Deputyship under the Mental Capacity Act
  • Staff ID Card

Category Two:

  • Utility Bill with current address – gas, electricity, phone, broadband
  • Appointment or clinic letter
  • Benefit Statement e.g. child benefit, DLA, PIP, Pension
  • Bank statement
  • Building Society Payment
  • Credit Card Statement

Additional information may also be required:

For a parent or guardian request for a child, please also provide copies of:

  • Birth certificate of the child
  • Court order of parental responsibility (if applicable)
  • Written consent of the child if able to understand the request

For a request regarding a deceased patient, please also provide a copy of one of the following:

  • Last Will & Testament (of the deceased) naming you as the executor
  • Solicitor letter granting executor status
  • Grant of probate

For a request from any person with a claim arising from the death of a person, please also provide:

  • Evidence of the claim (e.g. a solicitor’s letter)

6. There are no fees for access to patients’ records.

7. You can ask for corrections to the record. The Trust will either make the necessary correction or make a note in the relevant part of the record of the matters which you say are inaccurate. You will be provided with a copy of the correction or note free of charge.

8. In line with Data Protection Act guidelines we aim to provide access to the records, or provide a copy of the record, within one calendar month of receipt of the completed application form and the fee (if applicable). Please bear in mind the turnaround time if you have upcoming appointments where the records may be required.

9. If you wish to make a complaint on any aspect of the way in which we have handled your request for access to your information, you can write to the Complaints Department.

10. Confidentiality – Everyone has the right to have their information kept confidential, and record holders are obliged to be satisfied that an applicant is who they say they are, or is otherwise entitled to access that information. Please provide proofs of your ID with your application as defined above.

11. The information that you provide in the course of making an application will only be used for the purposes of processing the application. We retain the application in accordance with the Records Management Code of Practice for Health and Social Care 2016. This is currently 3 years following close of the request, or 6 years where there has been a subsequent appeal. At the end of the period it will be destroyed in a secure and confidential manner.

Please send completed application form / letter of request to:

Patient Records Only:
Healthcare Records Manager
Royal Surrey NHS Foundation Trust
Egerton Road

Telephone: (01483) 571122 extension 2032 or 2564

Access requests other than for patient records:
Head of Information Governance
Royal Surrey NHS Foundation Trust
Egerton Road

Telephone: (01483) 571 122 extension 2504