Privacy notice for patients

This privacy notice explains what we do with your personal information where we are providing or have provided care to you. It tells you:

  • the information we collect about you
  • how we store this information
  • how long we retain it
  • who we may share it with
  • for which legal purpose we may share it


Personal data

"Personal data" means information relating to a natural (living) person or "data subject", which can be used to identify the person. This provides for a wide range of information to constitute personal data, for example:

  • name
  • identification number
  • social media posts
  • location data
  • online identifier

Special category of personal data

"Special category of personal data" means information which is thought to be "extra sensitive" such as ethnicity, sexual orientation and religion.

Data controller

"Data controller" means the organisation that determines or decides the purposes, conditions and means of the processing of personal data.

Processing

"Processing" means anything that is done to the personal data we hold.

Pseudonymisation

"Pseudonymisation" is the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information.

Who we are

University Hospitals Birmingham NHS Foundation Trust (UHB) is one of the highest performing healthcare organisations in Europe, with a proven international reputation for its quality of care, information technology, clinical education and training and research.

The Trust employs more than 20,000 staff and runs the largest single-site hospital in the country.

Our Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 (subject to parliamentary approval) and our registration number is Z5568104.

Data Protection Officer

If you have any questions or concerns regarding how your data is being processed, please contact the Data Protection Officer.

Data Protection Officer
Information Governance Team
3rd Floor, Nuffield House
Mindelsohn Way
Birmingham, B15 2TH

Information Commissioner's Office

The Information Commissioner’s Office (ICO) is the body that regulates the Trust under data protection and freedom of information legislation.

Information Commissioner's Office website

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the ICO.

Information Commissioner's Office
Wycliffe House
Water Lane
Cheshire, SK9 5AF
Telephone: 0303 123 1113 (local rate)
Telephone: 01625 545 745 (national rate)
Fax: 01625 524 510

Why we collect personal information about you

The staff caring for you need to collect and maintain information about your health, treatment and care, so that you can be given the best possible care. 

Our legal basis for processing personal information about you

Any personal information we hold about you is processed for the purposes of “the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” under chapter 2, section 6 and the “provision of health or social care or treatment or the management of health or social care systems and services” under chapter 2, section 9 of the Data Protection Act 2018 (subject to parliamentary approval).

For further information on this legislation please visit the Government's UK legislation website.

What personal information we need to collect about you and how we collect it

We collect personal information about you in a number of ways. This can be from referral details from your GP or another hospital, or directly from you or your authorised representative.

It is likely that we will hold the following basic personal information about you:

  • Your name
  • Your address (including correspondence)
  • Your telephone numbers
  • Your date of birth
  • Your next of kin contacts
  • Your GP details

We might also hold your email address, marital status, occupation, overseas status, place of birth and preferred or maiden name.

In addition to the above, we may hold special category personal information about you which could include:

  • notes and reports about your health, treatment and care, including:
    • your medical conditions (physical and mental)
    • results of investigations, such as X-rays and laboratory tests
    • future care you may need
    • personal information from people who care for and know you, such as relatives and health or social care professionals
    • other personal information, such as smoking status
  • your religion and ethnic origin
  • whether or not you are subject to any protection orders regarding your health, well-being and human rights (safeguarding status)
  • where applicable, the date and cause of a person’s death in our hospitals

This personal information can be held in a variety of formats, including paper records, electronic records on computer systems, and video and audio files.

It is important for us to have a complete picture of you as this will assist staff to deliver appropriate treatment and care plans in accordance with your needs.

What we do with your personal information

Your records are used to directly manage and deliver healthcare to you to ensure that:

  • the staff involved in your care have accurate and up-to-date information to assess and advise on the most appropriate care for you
  • staff have the information they need to be able to assess and improve the quality and type of care you receive
  • appropriate information is available if you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or healthcare provider

What we may do with your personal information

The personal information we collect about you may also be used to:

  • remind you about your appointments and send you relevant correspondence
  • review the care we provide to ensure it is of the highest standard and quality, e.g. through audit, service improvement and research, for example the Friends and Family test
  • support the funding of your care, e.g. with commissioning organisations
  • prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies
  • help to train and educate healthcare professionals
  • report and investigate complaints, claims and untoward incidents
  • report events to the appropriate authorities when we are required to do so by law
  • review your suitability for research studies or clinical trials
  • contact you with regard to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients
  • contact you with regard to Trust membership

Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it, and we will only use or share the minimum information necessary.

Who we share your information with, and why

We may need to share relevant personal information with other NHS organisations. For example, we may share your information for healthcare purposes with health authorities such as NHS England, Public Health England, other NHS trusts, general practitioners (GPs), ambulance services, primary care agencies etc. We will also share information with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs.

We may need to share information from your health records with other non-NHS organisations from which you are also receiving care, such as Social Services or private care homes. However, we will not disclose any health information to third parties unless there are specific circumstances, such as when the health or safety of others is at risk, where current legislation permits or requires it or where we have your explicit consent.

There are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

There may also be situations where we are under a duty to share your information due to a legal requirement. This includes, but is not limited to:

  • disclosure under a court order
  • sharing with the Care Quality Commission for inspection purposes
  • sharing with the police for the prevention or detection of crime
  • where there is an overriding public interest to prevent abuse or serious harm to others

For any request to transfer your data internationally outside the UK/EU, we will make sure that an adequate level of protection is in place before the transfer.

The Trust is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to the Trust in confidence will only be used for the purposes explained to you and to which you have consented, unless there are exceptional circumstances, such as:

  • when the health or safety of others is at risk
  • where the law requires it
  • where there is an overriding public interest to do so

Where there is cause to do this, the Trust will always do its best to notify you of this sharing.

How we maintain your records

Your personal information is held in both paper and electronic (including audio recordings, electronic databases etc) formats, for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.

We hold and process your information in accordance with the General Data Protection Regulation (GDPR) in conjunction with the Data Protection Act 2018 (subject to parliamentary approval), as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.

We have a duty to:

  • maintain full and accurate records of the care we provide to you
  • keep records about you confidential and secure
  • provide information in a format that is accessible to you

Your personal information will only be kept for as long as is necessary and will be destroyed in accordance with the Trust's Record Management and Information Lifecycle Policy.

Use of email

Some services in the Trust provide the option to communicate with patients via email. Please be aware that the Trust cannot guarantee the security of this information while in transit, and by requesting this service you are accepting this risk.

Further information can be found in our Information Governance policies.

Your rights

If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 (subject to parliamentary approval) gives you certain rights, including the right to:

  • request access to the personal data we hold about you, e.g. in health records (see "How to access your personal data" below)
  • request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards. This is explained in our Access to Health Records Procedure
  • refuse/withdraw consent to the sharing of your health records
    • Under the Data Protection Act 2018 (subject to approval), we are authorised to process, i.e. share, your health records "for the management of healthcare systems and services"
    • Your consent will only be required if we intend to share your health records beyond these purposes, as explained above
    • In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time
  • request your personal information to be transferred to other providers on certain occasions
  • object to the use of your personal information
    • In certain circumstances you may also have the right to "object" to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment
    • For further information, please see the "National data opt-out programme" link below
  • challenge any decisions made without human intervention (automated decision making)
  • ask us to restrict the use of your information where appropriate

We will always try to keep your information confidential and only share information when absolutely necessary. We have procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

How to access your personal data

To access the personal data we hold about you, please contact one of the following teams.

Queen Elizabeth Hospital Birmingham and Umbrella sexual health services

The Medical Records Manager
Access to Health Records Department
Unit 5 – 6, Selly Oak Industrial Estate
Elliott Road
Selly Oak
Birmingham, B29 6LR

Heartlands, Good Hope and Solihull hospitals, Birmingham Chest Clinic and Solihull Community Services

Medical Records Department
Birmingham Heartlands Hospital
Bordesley Green
Birmingham, B9 5SS

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time. We will notify you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.