Skip to main content

Privacy notice for patients

Under data protection law we are legally required to provide information about how we use your information in a way that is:

  • concise
  • transparent
  • easy to understand
  • easily accessible
  • written in clear, plain language, particularly if addressed to a child
  • free of charge

Data protection law says the personal information we hold about you must be:

  1. used lawfully, fairly and in a transparent way
  2. collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
  3. relevant to the purposes we have told you about and limited only to those purposes
  4. accurate and kept up to date
  5. kept only as long as necessary for the purposes we have told you about
  6. kept securely

This privacy notice explains what we do with your personal information where we are or have provided care to you. It tells you:

  • the information we collect about you
  • how we store this information
  • how long we retain it
  • who we may share it with
  • for which legal purpose we may share it

Please note that the information contained in this privacy notice is applicable to all University Hospitals Birmingham NHS Foundation Trust sites (Good Hope, Heartlands and Solihull hospitals, Queen Elizabeth Hospital Birmingham, and community sites).

Coronavirus/COVID-19: information on how we process your personal data

Sharing of information relating to coronavirus

University Hospitals Birmingham is working to ensure that the spread of COVID-19 is minimised.

The Secretary of State for Health and Social Care has directed NHS Digital to collect and analyse data from providers and other organisations involved in managing the COVID-19 response and then disseminate information and analysis to other bodies for the purpose of planning and managing the response. This direction was given under ss254 and 255 of the Health and Social Care Act 2012 (2012 Act). University Hospitals Birmingham NHS Foundation Trust (hereby referred to as "the Trust") has now been given legal notice to act under the same Direction as NHS Digital. This is to ensure that confidential patient information can be used and shared appropriately and lawfully for purposes related to the COVID-19 response.

Your personal data relating to COVID-19 will be used for the purposes of healthcare, identification, location and to carry out screening for COVID-19 in relation to protecting public health for monitoring and managing the workforce within the health and adult social care services, as well as research and planning.

When you tell us you’re experiencing COVID-19 symptoms, we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

Who we may share your information with

In order to look after your health and care needs, the Trust may share your confidential patient information, including health and care records, with clinical and non-clinical staff in other health and care provider organisations, for example neighbouring GP practices, hospitals and NHS 111. We may also use the contact details we hold for you to send you public health messages, either by phone, text or email.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the COVID-19 response is available on the NHSX website.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data, as well as data provided by patients themselves.

All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

We also participate in research with other acute hospital providers, renowned universities and selected private organisations with the aim to establish any trends and find a vaccine or cure. Where possible, we will anonymise your data and ensure the data is kept in a safe and secure environment, giving minimal access by others.

Legal basis

The Trust's legal requirement to share this sensitive information in this current health crisis, without your consent, is outlined in the General Data Protection Regulation (GDPR). Article 9 2(i) of the GDPR details that "processing [of personal data, including the sharing of information] is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care". This is in addition to the requirement for the Trust to work in line with the Direction from the Secretary of State for Health and Social Care referenced above (Sections 259(1)(a), 259(5) and 259(8) of the 2012 Act).

Sharing your personal data in this way is not normal for the Trust and will take place only as long as COVID-19 is a threat to public health.

Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on the GOV.UK website, and FAQs on this law are available via NHSX.

Conducting video consultations

Where possible, the Trust will now be conducting appointments via video conferencing applications.

Our legal basis to process your personal information in these types of consultations does not differ from usual, face-to-face consultations as the Trust is still providing you with direct medical care. Therefore, the legal basis for the Trust conducting video conferencing is “the performance of a task carried out in the public interest” under Art 6 (1)(e ) GDPR and the “provision of health or social care or treatment or the management of health of social care systems and services” under  Art 9 (2)(h) GDPR in combination with Schedule 1, Part 1, section 2(2) DPA.

By clicking on the video link to begin the consultation, you are providing your consent and agreement for the consultation to take place over the video call. We will safeguard your personal/confidential patient information in the same way as we would under normal circumstances.

National data opt-out

The national data-opt out gives patients greater control over what purposes for which their health data can be used. Previous guidance mandated that all organisations must be in a position to implement all data opt-outs by March 2020. Due to pressures on health and social care services due to the COVID-19 outbreak, NHS Digital has taken the decision to extend the March 2020 deadline by a further six months, giving organisations until September 2020 to implement the national data opt-out.

Additionally, opt-outs which are currently in place will not apply to data required to support the COVID-19 response.

For further information, please visit the NHS Digital website.

If you have any queries during this time with how your personal data is being processed by the Trust, please contact the Data Protection Officer.

Data Protection Officer
Information Governance Team
3rd Floor, Nuffield House
Queen Elizabeth Hospital Birmingham
Mindelsohn Way
Birmingham, B15 2TH


Anonymisation/anonymised data

"Anonymisation" means the treatment of personal data such that you can no longer be identified, transforming the data into "anonymised data". Anonymised data is not covered by the General Data Protection Regulation (2016/679).


"Controller" means the organisation that determines or decides the purposes, conditions and means of the processing of personal data.


"GDPR" means the General Data Protection Regulation (2016/679) (as transposed into the UK's national law by operation of section 3 of the EU (Withdrawal) Act 2018).

Personal data

"Personal data" means information relating to a natural (living) person or "data subject", which can be used to identify the person. This provides for a wide range of information to constitute personal data, for example:

  • name
  • identification number
  • social media posts
  • location data
  • online identifier

Special category of personal data

"Special category of personal data" means information which is thought to be "extra sensitive", such as:

  • ethnicity
  • data concerning health
  • biometric data
  • sexual orientation
  • religious or philosophical belief


"Processing" means anything that is done to the personal data we hold.


"Pseudonymisation" is the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information (key).

Information Commissioner's Office

The Information Commissioner’s Office (ICO) is the body that regulates the Trust under data protection and freedom of information legislation. If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the ICO.

Information Commissioner's Office
Wycliffe House
Water Lane
Cheshire, SK9 5AF
Fax: 01625 524 510

Who we are

University Hospitals Birmingham NHS Foundation Trust (UHB) is one of the highest performing healthcare organisations in Europe, with a proven international reputation for its quality of care, information technology, clinical education and training and research.

The Trust employs more than 20,000 staff and runs the largest single-site hospital in the country.

Our Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and our registration number is Z5568104.

Data Protection Officer

If you have any questions or concerns regarding how your data is being processed, please contact the Data Protection Officer.

Data Protection Officer
Information Governance Team
3rd Floor, Nuffield House
Queen Elizabeth Hospital Birmingham
Mindelsohn Way
Birmingham, B15 2TH

Information Commissioner’s Office

The Information Commissioner’s Office (ICO) is the body that regulates the Trust under data protection and freedom of information legislation.

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the ICO.

Information Commissioner's Office
Wycliffe House
Water Lane
Cheshire, SK9 5AF

Why we collect personal information about you

The staff caring for you need to collect and maintain information about your health, treatment and care, so that you can be given the best possible care. 

Our legal basis for processing personal information about you

Any personal information we hold about you is processed for the purposes of:

  • “the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” under chapter 2, article 6 (1) (e)
  • "the provision of health or social care or treatment or the management of health of social care systems and services” under chapter 2, article 9 (2) (h) of the UK GDPR

For further information on this legislation please visit the Government's UK legislation website.

What personal information we need to collect about you and how we collect it

We collect personal information about you in a number of ways. This can be from referral details from your GP or another hospital, or directly from you or your authorised representative.

It is likely that we will hold the following basic personal information about you:

  • Your name
  • Your address (including correspondence)
  • Your telephone numbers
  • Your date of birth
  • Your next of kin contacts
  • Your GP details

We might also hold your email address, marital status, occupation, overseas status, place of birth and preferred or maiden name.

In addition to the above, we may hold special category personal information about you which could include:

  • notes and reports about your health, treatment and care, including:
    • your medical conditions (physical and mental)
    • results of investigations, such as X-rays and laboratory tests
    • future care you may need
    • personal information from people who care for and know you, such as relatives and healthcare or social care professionals
    • other personal information, such as smoking status
  • your religion and ethnic origin
  • whether or not you are subject to any protection orders regarding your health, well-being and human rights (safeguarding status)
  • where applicable, the date and cause of a person’s death in our hospitals

This personal information can be held in a variety of formats, including paper records, electronically on computer systems, and in video and audio files.

It is important for us to have a complete picture of you as this will help staff to deliver appropriate treatment and care plans in accordance with your needs.

CCTV/surveillance cameras

We employ surveillance cameras (CCTV and body-worn cameras) on and around our premises for the purposes of crime prevention and detection, to assist in traffic management and to monitor operational and safety-related incidents. Images captured by CCTV will not be kept for longer than necessary and will be held securely. However, on occasions there may be a need to keep images for longer, for example where a crime is being investigated. The use of CCTV and any disclosure of images will be in accordance with the codes of practice issued by the Information Commissioner.

What we do with your personal information

Your records are used to directly manage and deliver healthcare to you to ensure that:

  • the staff involved in your care have accurate and up to date information to assess and advice on the most appropriate care for you
  • staff have the information they need to be able to assess and improve the quality and type of care you receive
  • appropriate information is available if you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or healthcare provider

What we may do with your personal information

The personal information we collect about you may also be used to:

  • remind you about your appointments and send you relevant correspondence
  • review the care we provide to ensure it is of the highest standard and quality, e.g. through audit, service improvement and research, for example the Friends and Family Test
  • support the funding of your care, e.g. with commissioning organisations
  • prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies
  • help to train and educate healthcare professionals
  • report and investigate complaints, claims and untoward incidents
  • report events to the appropriate authorities when we are required to do so by law
  • review your suitability for research studies or clinical trials
  • contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients
  • contact you with regards to Trust membership
  • contact you to provide spiritual, religious and emotional support to all patients, regardless of faith, as part of our holistic approach to patient care

Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it, and we will only use or share the minimum information necessary.

Who we share your information with, and why

We may need to share relevant personal information with other NHS organisations. For example, we may share your information for healthcare purposes with health authorities such as NHS England, NHS Digital, Public Health England, other NHS trusts, general practitioners (GPs), ambulance services, primary care agencies etc. We will also share information with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs.

We share your information with NHS Digital for the purposes of the National Disease Registration Service (NDRS) which records people with congenital abnormalities and rare diseases across the whole of England. The data collected is then used to establish how well treatments are working and to further improve patient care across the country. For further information, please see the NDRS web page.

We may need to share information from your health records with other non-NHS organisations from which you are also receiving care, such as Social Services or private care homes. However, we will not disclose any health information to third parties unless there are specific circumstances, such as when the health or safety of others is at risk, where current legislation permits or requires it or where we have your explicit consent.

There are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

There may also be situations where we are under a duty to share your information due to a legal requirement. This includes, but is not limited to:

  • disclosure under a court order
  • sharing with the Care Quality Commission for inspection purposes
  • sharing with the police for the prevention or detection of crime
  • where there is an overriding public interest to prevent abuse or serious harm to others

For any request to transfer your data internationally outside the UK/EU, we will make sure that an adequate level of protection is to be satisfied before the transfer.

The Trust is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to the Trust in confidence will only be used for the purposes explained to you and to which you have consented, unless there are exceptional circumstances, such as:

  • when the health or safety of others is at risk
  • where the law requires it
  • where there is an overriding public interest to do so

Where there is cause to do this, the Trust will always do its best to notify you of this sharing.

Birmingham and Solihull Shared Care Record

University Hospitals Birmingham NHS Foundation Trust works with other health and social care organisations to share information that will form part of your Shared Care Record. The Shared Care Record allows health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you. Information we hold about you will be available, to read only, to other health and care professionals in Birmingham and Solihull, Coventry and Warwickshire, and Herefordshire and Worcestershire when they are involved in your health or social care.

For more information on how your data is used on the Shared Care Record and how to exercise your rights please see the full privacy notice on the Birmingham and Solihull Integrated Care System (ICS) website.


How we maintain your records

Your personal information is held in both paper and electronic formats (including audio recordings, electronic databases etc), for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.

We hold and process your information in accordance with the General Data Protection Regulation (GDPR) in conjunction with the Data Protection Act 2018, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.

We have a duty to:

  • maintain full and accurate records of the care we provide to you
  • keep records about you confidential and secure
  • provide information in a format that is accessible to you

Your personal information will only be kept for as long as is necessary and will be destroyed in accordance with the Trust's Record Management and Information Lifecycle Policy.

Use of email

Some services in the Trust provide the option to communicate with patients via email. Please be aware that the Trust cannot guarantee the security of this information while in transit, and by requesting this service you are accepting this risk.

Further information can be found in our information governance policies.

Your rights

If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 gives you certain rights, including the right to:

  • request access to the personal data we hold about you, e.g. in health records (see "How to access your personal data" below)
  • request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards. This is explained in our Access to Health Records Procedure
  • refuse/withdraw consent to the sharing of your health records
    • Under the Data Protection Act 2018, we are authorised to process, i.e. share, your health records "for the management of healthcare systems and services"
    • Your consent will only be required if we intend to share your health records beyond these purposes, as explained above
    • In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time
  • request your personal information to be transferred to other providers on certain occasions
  • object to the use of your personal information
    • In certain circumstances you may also have the right to "object" to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment
    • For further information, please see the National data opt-out programme
  • challenge any decisions made without human intervention (automated decision making)
  • ask us to restrict the use of your information where appropriate

We will always try to keep your information confidential and only share information when absolutely necessary. We have procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

How to access your personal data

To access the personal data we hold about you, please see our page on requesting access to health records.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time. We will notify you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

Last reviewed: 05 December 2022