South Tees Hospitals NHS Foundation Trust (STHFT) is the largest hospital trust in the Tees Valley with two acute hospitals and services in a number of community hospitals, providing a range of acute inpatient, outpatient, and emergency services for the people living across Tees Valley and North Yorkshire.
STHFT is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. The Trust Registration Number is: Z5832686
For more information please see the South Tees website
This Privacy Notice explains how we use and share your personal information. We will continually review and update this Privacy Notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law.
Security of information
Confidentiality affects everyone: the South Tees NHS Foundation Trust collects, stores and uses large amounts of personal and sensitive personal data every day, such as medical records, personal records and computerised information. This data is used by many people in the course of their work.
Everyone working for the NHS is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by the law.
We take our duty to protect personal information and confidentiality very seriously and we are committed to complying with all relevant legislation and to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.
At Trust Board level, we have appointed a Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality. All staff are required to undertake annual information governance training.
We do transfer personal information to countries across the European Union (EU) and internationally and this is reviewed on a yearly basis. Where we share information outside of the EU, adequacy checks will be completed in line with legislation.
Legal basis for the processing of your data
We do not rely on consent to use your information as a ‘legal basis for processing’.
We rely on specific legal provisions under Articles 6 and 9 of the GDPR to provide you with healthcare. For the purposes described in this notice, we will be lawfully using your information in accordance with:
Your Personal Data – will ordinarily be processed under UK GDPR Article 6(1)(e) where the “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Trust)”. In some limited circumstances we may also rely on UK GDPR Article 6(1)(d) where this is appropriate “to protect the vital interests of the data subject or another person”, UK GDPR Article 6(1)(c) where the processing is necessary “to comply with a legal obligation to which we are subject” or, where private care is provided, UK GDPR Article 6(1)(b) “to fulfil the performance of a contract”.
Your Sensitive (Special Category) Personal Data – will ordinarily be processed under Article 9(2)(h) where “processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”. In some limited circumstances we may also rely on GDPR Article 9(2)(c) but only when it is necessary “to protect the vital interest of a person who is physically or legally incapable of giving consent” or Article 9(2)(f) where we need to process or share your data for the “establishment, exercise or defense of legal claims”.
This means we can use your personal information to provide you with your care without seeking your consent. However, you do have the right to say ‘no’ to our use of your information but this could have an impact on our ability to provide you with care.
Please discuss this with your relevant health care professional as this could have implications in how you receive further care, including delays in you receiving care.
Why do we collect information about you?
All clinicians and health and social care professionals caring for you keep records about your health and any treatment and care you receive from the NHS. These records help to ensure that you receive the best possible care. They may be paper or electronic and they may include:
- Basic details such as name, address, date of birth, phone number, and email address
- Your next of kin and contact details
- Your religious beliefs, ethnicity and sex (if required in a healthcare setting)
- Notes and reports about your physical or mental health condition and any treatment, care or support you need and receive
- Results and images of your tests and diagnosis
- Records of vaccination
- Relevant information from other professionals, relatives or those who care for you or know you well
- Records of any contacts you have with us such as home visits or outpatient appointments or with other health professionals or service providers
- Information on medicines, side effects and allergies
- Information on your personal preferences relating to your care
- Patient experience feedback and treatment outcome information you provide
- Recordings of telephone calls, meetings (where advised)
- CCTV images from within the estate of the Trust whilst on site
- And other health information that is relevant to us providing your care
It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes to your contact details or GP Practice as soon as possible. This will help reduce any risk of you not receiving important correspondence.
By providing the Trust with your contact details, we will communicate with you about your healthcare, i.e. by letter, voice message (telephone or mobile number), by text message or by email. However, you do have the right to say “No” to our use of your information but this could have an impact on our ability to provide you with care.
How your personal information is used
Health and social care professionals working with you – such as doctors, nurses, support workers, psychologists, occupational therapists, social workers, administrators and other staff involved in your care – keep records about you, your health and any care and treatment you receive.
Your information is used to guide and record the care you receive and is vital in helping us to:
- provide quality healthcare to you as a patient / user of our services
- facilitate the provision of care and the management of healthcare systems and services across the UHT
- have all the information necessary for assessing your needs and for making decisions with you about your care
- have details of our contact with you, such as referrals and appointments, and can see the services you have received from us and to which we have referred you
- keep you informed about your care and contact you with details of appointments, attendances and outcomes through mail, telephone, SMS (text), automated voice reminder calls, in person, email or other electronic means.
Professionals involved in your care will also have accurate and up-to-date information and this accurate information about you is also available if you:
- Move to another area
- Need to use another service
- See a different healthcare professional
- Receive private care in our hospitals
How long will you keep my information?
The Records Management Code of Practice for Health and Social Care 2023 is a guide for the NHS to use in relation to the practice of managing records. It is relevant to organisations who work within, or under contract to, NHS organisations in England. This also includes public health functions in Local Authorities and Adult Social Care where there is joint care provided within the NHS.
As an example this code of practice requires the following records to be kept:
- Adult healthcare records – for 8 years after your last contact with the service.
- Maternity records – for 25 years after your last contact with the service
- Children’s healthcare records (including midwifery, health visiting, and school nursing) – until the child reaches the age of 25 or 26 if they were 17 when treatment was concluded.
- Or where there is a legal duty for the Trust to store your records beyond this.
All patient records are destroyed in accordance with the NHS Records Retention Schedule, which sets out the appropriate length of time each type of NHS record is retained.
The Trust does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.
Further information on the retention periods for healthcare records can be found here on the NHS England website.
When do we share information about you?
Your information will be shared with the team who are caring for you and are providing treatment to you, including with the teams who provide administration services to enable your care, and only where necessary.
The Trust and North Tees and Hartlepool NHS Foundation Trust have formed University Hospital Tees, a group that will allow both organisations to work jointly to improve patient care for the communities they serve. Whilst part of the collaboration, both trusts will only process and share personal data of patients when it is considered necessary and there is a legal basis to do so.
In order for the Trust to fulfil its functions, information may also be shared between various organisations with strict agreements on how it will be used. Examples of these include:
- General Practices (GPs)
- Other Acute Hospitals
- Community services
- Mental health care providers
- Walk-in centres/urgent care centres
- Ambulance services
- Dentists
- Pharmacists
- NHS England
- NHS Digital
- General Medical Council (GMC)
- Nursing and Midwifery Council (NMC)
Information may also need to be shared with other non-NHS organisations from which you are receiving care and other agencies that are supporting your care. Examples of these include:
- Social care services
- Education services
- Hospices
- Nursing homes
- Respite centres
- Voluntary sector providers
- Private healthcare organisations
- Or with other professionals and services involved in your care with whom we work together
We do this in order to provide the most appropriate treatment and support for you, and your carers, or when the welfare of other people is involved. We will only share your information in this way if it is considered necessary and we have a legal basis to do so.
There are times when we need to share information with other organisations such as our local authority partners, outside healthcare providers, clinical commissioning groups, the Department of Work and Pensions and the DVLA. We will only share information in this way if we have your permission, or we have a legal basis and it is considered necessary.
However, a person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies. In these rare circumstances we are not required to have your consent.
Examples of these are:
- If there is a concern that you are putting yourself at risk of serious harm
- If there is concern that you are putting another person at risk of serious harm
- If there is concern that you are putting a child at risk of harm
- If we have been instructed to do so by a Court
- If the information is essential for the investigation of a serious crime
- If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
- If your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases
The Trust may also share information in the following scenarios:
Sharing to improve Health, Care and Services through planning – To help us monitor our performance, evaluate and develop the services we provide, it is necessary to review and share minimal information, for example with the NHS Clinical Commissioning Groups. The information we share would be anonymous so you cannot be identified and all access to and use of this information is strictly controlled.
In order to ensure that we have accurate and up-to-date patient records, we carry out a programme of clinical audits. Access to your patient records for this purpose is monitored and only anonymous information is used in any reports that are shared internally within our Trust.
Your feedback which we collect via the Friends and Family Test may also be shared with NHS England, NHS Improvement or NHS Commissioners and will be fully anonymised, and care taken to remove any references to you in the free text data fields.
Sharing to improve Health, Care and Services through Research – The Trust actively promotes research with a view to improving future care. When you agree to take part in a research study, the sponsor will collect the minimum personally-identifiable information needed for the purposes of the research project. Information about you will be used in the ways needed to conduct and analyse the research study. NHS organisations may keep a copy of the information collected about you.
Depending on the needs of the study, the information that is passed to the research sponsor may include personal data that could identify you. You can find out more about the use of patient information for the study you are taking part in from the research team or the study sponsor.
You can find out who the study sponsor is from the information you were given when you agreed to take part in the study. For further details on personal information in research please visit the Health Research Authority website.
Further information about specific research can be found on the South Tees website.
Sharing to enable region wide care provision – The Trust is a partner in the Great North Care Records (GNCR) which facilitates:
- the sharing of your electronic health record with other Hospitals, GPs and local authorities for the provision of your direct care and ongoing support;
- the access to the different electronic health record systems, which is managed through a secure third party, Cerner, who as a data processor controls the view and access of any records held by the different organisations, ensuring all access is appropriate, authorised and audited;
- the sharing of appointment and clinical correspondence data with NHS Digital for users of the My GNCR service accessed through NHS App. More information on the My GNCR service can be found on the GNCR website.
For further information about the GNCR or to opt out of sharing your information via the GNCR then please contact the GNCR team directly by telephone 0344 811 9587 or email: [email protected] or via their official website.
Please note that opting out of sharing your information via the GNCR may negatively impact the care the NHS and adult social care services can provide you if health and social care staff can’t access your medical record.
Sharing for the Prevention and Detection of Crime – We may also use the information we hold about you to detect and prevent crime or fraud and, where appropriate and where we have a legal basis, share it with relevant agencies. We may also share this information with other bodies that inspect and manage public funds.
Sharing for safeguarding – Advice and guidance is provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. Access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.
Sharing for Patient Surveys – it is part of the government’s commitment to ensure patient feedback is used to inform the improvement and development of NHS services. We may share your contact information with an NHS approved contractor to be used for the purpose of national surveys and audits. You do not have to participate in these surveys and the information you receive will contain contact details to opt out of the National Surveys.
The Trust also actively promotes local surveys to help develop and improve the quality of the services we provide our patients. If you don’t want to receive a survey from us then please contact 01429 522278 to let us know.
If you do provide us with your views, we will always remove your name and all other personal information which would identify you.
Sharing for Teaching – some medical files are needed to teach students about real and/or rare cases. These materials allow students to understand and learn real scenarios before qualifying.
Sharing for National Cancer Registration & Analysis – where appropriate we may share the data we collect with Public Health England (PHE) as part of the National Cancer Registration process. You may opt out of this should you wish; please inform your health professional, ask for a leaflet or visit the National Disease Registration Service website for more information.
Sharing for Cardiac CT Analysis – the Trust may, with your consent, share your cardiac CT scan data with HeartFlow Inc. for analysis to create a personalised 3D model of the coronary arteries and analyse the impact that blockages have on blood flow to optimise your cardiac care. The data will be de-identified by HeartFlow in the UK before sending to HeartFlow in the USA for analysis.
Sharing with NHS Digital – who on behalf of NHS England assess the effectiveness of the care provided by publicly-funded services – we share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations. We do this in order to assess the effectiveness of our care so that we can provide you with the best possible care and ensure that we can continually improve our services.
The data is securely sent to NHS Digital, which is the central organisation that receives the same data from all publicly-funded services across England. NHS Digital removes all identifying details and combines the data we send with the data sent by other care providers.
The data sets are used to produce anonymised/pseudonymised reports that only show summary numbers of, for instance, patients referred to different types of services. It is impossible to identify any individual patient in the reports, but the reports do help us to improve the care we provide to you and other patients.
Find more information about how NHS Digital uses your personal data including their lawful basis for processing, how long they hold it for and your rights.
You have the right to object to us sharing your information to NHS Digital – this will not affect your care in any way. For information about how you can Opt-Out of sharing your data with NHS Digital please visit the NHS Digital National Data Opt-Out Programme Website.
When other people need information about you
Everyone working in Health and Social Care has a legal duty to keep information about you confidential and anyone who receives information from us is also under a legal duty to keep it confidential.
From time to time we may need to share information with other professionals and services concerned in your care. This may be for instance, when your healthcare professional needs to discuss your case with other professionals (who do not work for the Trust) in order to plan your care. We do this in order to provide the most appropriate treatment and support for you and your carers, or when the welfare of other people is involved.
There may be other circumstances when we must share information with other agencies. In these rare circumstances we are not required to seek your consent.
Examples of this are:
- If there is a concern that you are putting yourself at risk of serious harm
- If there is a concern that you are putting another person at risk of serious harm
- If there is a concern that you are putting a child at risk of harm
- If we have been instructed to do so by a court
- If the information is essential for the investigation of a serious crime
- If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
- If your information falls within a category that needs to be notified for public health or other legal reasons, e.g. certain infectious diseases
Do we use third parties to process data on our behalf?
Attend Anywhere Video Calls – The Trust is offering video consultations to some patients who have been selected by their doctor/nurse as someone who may benefit from this type of appointment and are happy to have a video appointment rather than attend hospital.
The Trust does not collect or use any personal data about you on this system and the associated Attend Anywhere website, apart from: information that you volunteer by completing the online form to enter your name, phone number and date of birth; and your IP address and access device type. Information that is submitted via the online form is encrypted and securely transferred to us.
It is used solely for the purpose of identifying you to your clinical team. At the end of the video call this information is deleted from the system. Your IP address and access device type are used to process your call effectively and are deleted from the Attend Anywhere system within 12 months. Your IP address is also sent to Google Analytics for web access statistical reporting. The video and audio elements of your call are not recorded in the Attend Anywhere system. However, details of your consultation may be entered into your health record. Any queries regarding your medical or care record should be made to STHFT who is providing the service. Contact details: [email protected]
Due to changes in EU legislation, which came into force on 26 May 2012, we need to inform you about cookies we store on your device.
Cookies are small files stored in your browser and are used by most websites to help personalise your web experience. Some features on this site will not function if you do not allow cookies.
To allow us to meet the legislation we have implemented a ‘consent’ solution where you tick to accept the Terms of Use, Privacy Policy and Cookie Policy. In order to use the site, you are required to accept the Cookie Policy. If you do not want to accept the use of Cookies, please contact your clinical service provider to arrange an alternative appointment.
Patient Engagement Portal (PEP) – The Trust collects and shares demographic and appointment information with our trusted third party PEP supplier DrDoctor to enable us to send you digital letters and appointment reminders and notifications by text message and email. Messaging is secure. You can opt out of receiving digital letters, text messages or emails by contacting the Trust or by updating your preferences within the PEP. DrDoctor will not share your contact details or appointment information with anyone else.
Call recording – Telephone calls to the Trust may be recorded for the following purposes:
- To make sure that staff act in compliance with Trust procedures.
- To ensure quality control.
- Training, monitoring and service improvement
- To prevent crime, misuse and to protect staff
Operation of CCTV – We employ surveillance cameras (CCTV) and body worn video (BWV) on and around our sites in order to:
- protect staff, patients, visitors and Trust property,
- apprehend and prosecute offenders and provide evidence to take criminal or civil court action,
- provide a deterrent effect and reduce unlawful activity,
- help provide a safer environment for our staff,
- assist in traffic management and car parking schemes,
- monitor operational and safety related incidents,
- help to provide improved services, for example by enabling staff to see patients and visitors requiring assistance,
- assist with the verification of claims.
You have a right to make a Subject Access Request of surveillance information recorded of yourself and ask for a copy of it. Requests should be directed to the address below and you will need to provide further details as contained in the section ‘How you can access your records’. The details you provide must contain sufficient information to identify you and assist us in finding the images on our systems.
We reserve the right to withhold information where permissible by data protection legislation and we will only retain surveillance data for a reasonable period (nominally 30 days) or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose surveillance data for legal reasons. When this is done there is a requirement for the organisation that has received the images to adhere to the data protection legislation.
Data Processors – As a Trust we have entered into contracts with other organisations to provide services for us. These range from software companies to provide Electronic Patient Records to contractors who provide specialist clinical services that help provide a better service to you as a patient. These contractors may hold and process data including patient information on our behalf.
These contractors are known as ‘Data Processors’ and subject to the same legal rules and conditions for keeping personal information confidential and secure. We are responsible for making sure that staff in those organisations are appropriately trained and that procedures are in place to keep information secure and protect privacy. These conditions are written into legally binding contracts, which we will enforce if our standards of information security are not met and confidentiality is breached.
Opting out of sharing your data for purposes beyond care
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment. The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed. You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything.
If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out:
Please visit the NHS data matters website.
On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
- Introducing patient data (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time. Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
How do we keep information safe?
We are committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in a hardcopy or electronic format.
We ensure that we comply with current data protection legislation including the Data Protection Act (DPA) and UK General Data Protection Regulation (UK GDPR).
All of the Information Systems used by our Trust are implemented with robust information security safeguards to protect the confidentiality, integrity and availability of your personal information. The security controls adopted by the Trust are influenced by a number of sources including the 10 National Data Guardian Standards and guidelines produced by NHS Digital and other Government standards.
Everyone working for the NHS is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised and/or consented to, unless it is required or permitted by the law. All of our staff receive annual Data Security training to ensure they remain aware of their responsibilities. They are obliged in their employment contracts to uphold confidentiality, and may face disciplinary procedures if they do not do so.
We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing.
Your information is never collected or sold for direct marketing purposes.
Do we record telephone calls or video consultations?
The Trust may undertake the recording of phone calls where it is necessary to archive the content of the call in order to provide a record for any subsequent investigation, analysis of an incident or training purposes. Indiscriminate recording or monitoring of the content of telephone calls is not undertaken. The Trust does not record video consultations.
Do we process information overseas?
On occasions your data may be processed outside the UK; in most circumstances it will remain within the European Economic Area (EEA). The same protection would be applied as if processed within this country. If your data is transferred outside the EEA we are required to comply with the Data Protection Act 2018 and the UK GDPR, and to ensure that adequate protection is in place, with appropriate and suitable safeguards and binding contractual clauses.
Data collected will not be sent to countries where the laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with legal requirements. Where this is applied, copies of information regarding the safeguards put in place can be provided on request to the Data Protection Officer.
What are your rights and how are these applied?
Data Protection law gives you rights in respect of the personal information that we hold about you, and these apply in circumstances where the relevant conditions are met.
These rights are:
- Right to be informed – You have the right to be provided with information on the identity of the controller, the reasons for processing your personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.
- Right of access by the data subject – You have the right to request a copy of the information the Trust holds about you and supplementary information about what we process and the legal basis for processing. Further information on this process can be found in this privacy notice under the ‘How can I access my information?’ section. This is also commonly known as a Subject Access Request.
- Right to rectification – Data must be accurate; you have the right to request correction of any data that you believe is incorrect. However, where the Trust is not the author/creator/originator of the information this request will be forwarded to the relevant party for them to take forward. Any requests for information to be rectified will be considered on a case by case basis and requests should be made initially to your health professional.
- Right to erasure (‘right to be forgotten’) – A data subject has the right to have personal data concerning them erased by the Trust without undue delay where one of the following applies:
  - The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed (and no new lawful purpose exists);
  - The lawful basis for the processing is your consent, and you withdraw that consent, and no other lawful ground exists;
  - Where the data subject exercises their ‘right to object’ regarding processing in the public interest or legitimate interests of the data controller (UK GDPR Article 21(1)) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes (UK GDPR Article 21(2));
  - The personal data have been unlawfully processed;
  - The personal data must be erased for compliance with a legal obligation;
  - The personal data have been collected in relation to the offer of information society services referred to in UK GDPR Article 8(1) relating to a child’s data.
The Trust can refuse to erase your data in the following circumstances:
- When keeping your data is necessary for reasons of freedom of expression and information (this includes journalism and academic, artistic and literary purposes).
- When the Trust is legally obliged to keep hold of your data.
- When keeping hold of your data is necessary for reasons of public health.
- When keeping your data is necessary for establishing, exercising or defending legal claims.
- When erasing your data would prejudice scientific or historical research, or archiving that is in the public interest.
The majority of processing of healthcare related personal information is undertaken under our statutory duty to provide such care and not on the grounds of consent. This means that we are required by law to hold your personal data and you do not have the ability to have that data erased in most circumstances. All requests will be considered on a case by case basis and requests should be made to the Data Protection Officer (DPO).
- Right to restriction of processing – You have the right to request restriction of processing of personal data where one of the following applies:
  - Accuracy of personal data is contested
  - Processing is unlawful
  - The Trust no longer requires the information but the data subject has requested it is retained to enable them to establish, exercise or defend legal claims
  - Pending verification of the outcome of the Right to object
  - Where processing has been restricted
Where we have disclosed personal data to any third parties, and you have subsequently exercised any of the rights of rectification, erasure or blocking, we must notify those third parties of the data subject’s exercising of those rights.
We are exempt from this obligation if it is impossible or would require disproportionate effort. You are also entitled to request information about the identities of those third parties. Where we have made the data public, and the data subject exercises these rights, the controller must take reasonable steps (taking costs into account) to inform third parties that the data subject has exercised those rights.
Any requests for information to stop processing will be considered on a case by case basis and requests should be made to the Data Protection Officer.
- Right to data portability – The right to data portability allows data subjects (you) to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
However, it should be noted that this is unlikely to apply to information processed under this privacy notice as the processing is not carried out based on consent or by an automated means. For further information into this right please contact the Data Protection Officer.
- Right to object to processing – You have the right to object, on grounds relating to your particular situation, to the processing of personal data, where the basis for that processing is either:
  - public interest – UK GDPR Article 6(1)(e); or
  - legitimate interests of the controller – UK GDPR Article 6(1)(f).
In such cases we must cease such processing unless we can:
- demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject; or
- require the data in order to establish, exercise or defend our legal rights.
- Right to object to processing for direct marketing – You have the right to object to the processing of personal data for the purpose of direct marketing, including profiling. We do not use your personal data for Direct Marketing purposes unless you have provided us with explicit consent to do so.
- Right to object to processing for scientific, historical or statistical purposes – You have the right to object where your personal data are processed for scientific and historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
- Rights in relation to automated decision making and profiling – You also have the right to object to any automated decision-making including profiling. Currently the Trust does not undertake any automated decision-making or profiling.
- Right to lodge a complaint with the supervisory authority, the Information Commissioner’s Office (ICO) – You have the right to lodge a complaint if you are not content with the outcome of your confidentiality and data protection complaint and/or concern raised with the Trust.
More Information about Your Rights
There are additional restrictions to the above rights of individuals and these are listed in UK GDPR Article 23 and can be obtained from the Trust on request.
You retain the right to seek remedy from a court under section 167 of the Data Protection Act 2018 where you feel these rights have not been appropriately applied.
For further information on your rights please visit the ICO website or contact the Trust Data Protection Officer.
How can you access your records?
You have the right to obtain from the Trust confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and the following information if required:
- the purposes and legal basis of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the Trust rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with the ICO;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, giving meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
Once your request has been received and your identity / entitlement verified, your request will usually be completed within one calendar month. However, if your records are extensive we may take longer to process your request but will inform you from the outset where possible, and in any case within one calendar month.
To submit a formal request, please contact:
Patient Access Office
South Tees Hospitals NHS Foundation Trust
The James Cook Hospital Site
Marton Road
Middlesbrough
TS4 3BW
Or email: [email protected]
Data Protection Officer
The Trust’s Data Protection Officer (DPO) is responsible for ensuring that the Trust complies with the GDPR and DPA 2018. The DPO is the person to contact if you would like to know more about how we use your information, require this information in any accessible format or language, or if (for any reason) you do not wish to have your information used in any of the ways described. Please contact:
South Tees Hospitals NHS Foundation Trust
The James Cook Hospital
Marton Road
Middlesbrough
TS4 3BW
Main Switchboard: 01642 850850
Data Protection Officer Contact: Kerry McLean ([email protected])
Patient services and complaints
Patients who have a concern about any aspect of their care or treatment at this Trust, or about the way their records have been managed, should contact the Patient Advice & Liaison Service (PALS).
If you have any concerns about how we handle your information you have a right to complain to the Information Commissioner’s Office about it.
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, SK9 5AF
Telephone: 08456 306060
Website: ICO website
Changes to privacy notice
It is important to point out that we may amend this privacy notice from time to time to ensure that it reflects how we handle your information; we recommend that you review this regularly and we will show below when we last reviewed it.
Last Reviewed: 29 September 2025