Privacy

Data Protection

Barts Health NHS Trust is required to comply with the laws and regulations that apply to protecting your data and how it is used. They are the UK General Data Protection Regulation 2016 (UK GDPR) and the Data Protection Act 2018.

Looking after your personal information 

Barts Health NHS Trust is committed to protecting your privacy and the data we collect and use to provide our services. We are required to comply with the laws and regulations that apply to protecting your data and how it is used. They are the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This privacy notice explains how we use information about you and how we keep it safe, and protect your privacy.

This privacy notice applies to any personal data collected by us or on our behalf, by any format – phone, letter, email, online, or face to face.

It will tell you:

• what information we collect about you
• where we get your information from
• why we collect your information
• how we keep your information safe
• how long we keep your information
• why we are allowed to process your information
• your rights as a data subject
• when we may pass your information on to other people or organisations
• when we may transfer your information to other countries
• where to get further advice   

What information do we collect?

Depending on your circumstances and the nature of the health care you require, we may collect the following information about you:

• Your general details (such as name, address, date of birth, telephone number)
• Details about your GP
• Your medical history
• Any medications you are taking
• Details about your physical or mental health
• Your family details (for example, your next of kin)
• Your ethnicity
• Your religious beliefs
• Your lifestyle and social circumstances
• Your sexual life
• Scans, x-rays, and other diagnostic images
• Your genetic or biometric data

The information we collect about you may be written down in a paper file (manual record), or held on a computer system (electronic record).

In some cases the information we hold about you might be provided directly by you through the use of a mobile application or wearable technology (like a diabetes pump).  We   may also record CCTV images in public areas as part of the Trust's security arrangements and for crime prevention.

You have the right to receive a copy of your medical records via a Subject Access Request.

Where do we get your information from?

A lot of the personal information provided to us comes directly from our patients. In certain circumstances, we may also receive personal data from:

• Parents, relatives or carers
• General Practitioners (GPs)
• Other NHS trusts, hospitals, clinics or hospices
• Ambulance trusts
• Local authorities
• Private healthcare providers

We use information from other providers to make sure that you receive quality care. One way that we do this is through the London Care Record. You can read more about that on the London Care Record website.

Why does Barts Health collect your information?

To provide your care

The doctors and other health professionals caring for you need to keep records about your health and the treatments you have received from the NHS and other healthcare providers, in order to be able to provide you with the most effective care. It is in your interests as a patient for a full and complete record to be collected, so that we have accurate, up to date information about you.

To carry out medical research

We may also process your data to carry out scientific or historical research. The Health Research Authority sets standards for NHS organisations to make sure they protect your privacy and comply with the law when they do research work. When Barts Health uses your data for research purposes we will ensure that appropriate safeguards are in place, such as using the minimum amount of data needed or making sure you cannot be identified by the data. We will also make sure that the research will benefit our patients or the wider public and has the relevant ethics approval.

Sometimes a member of your care team may review your health records to see if you might be a good candidate for any research we have planned. However, except in very specific circumstances, we are required to inform you first and get your explicit consent before we are allowed to use any of your information for research. We will not use data from private or non-NHS patients for research purposes.

We use the same definition of the 'care team' that the Health and Research Authority use- this come from the Information Governance Review in 2013 by the National Data Guardian. It states: 'direct care is provided by health and social care staff working in 'care teams', which may include doctors, nurses and a wide range of staff on regulated professional registers, including social workers.... Care teams may also contain members of staff, who are not registered with a regulatory authority, but who may need access to a proportion of somones's personal data to provide care safely.'

The Trust are compliant with the National Data Opt Out, which means we remove your data from any uses of data that the opt out applies to. You can read more about the National Data Opt out, and set your preferences on the NHS website.

To help run our hospitals and improve our service

We may also need to use some information about you to:

• manage the healthcare services we provide
• help investigate any complaints, claims or incidents
• match data under the National Fraud Initiative
• help us to plan new services
• help us keep track of spending on our services
• prepare performance statistics for the Department of Health and other regulatory bodies
• assist in clinical audits of the quality of our services

After you attend one of our hospitals you may receive a text message asking you to rate how happy you were with your visit. This is a national service called the Friends and Family Test, and it gives NHS users an opportunity to give feedback on their experience. When you receive a Friends and Family Test message by text, you will have the option to opt out of any future messages from this service if you wish to do so.

How do we protect your information?

Everyone working for the NHS has a legal duty to maintain the highest levels of confidentiality, and all Barts Health staff receive training in how to handle your information securely. Except in certain specific circumstances, your records will generally only be seen by those involved in providing or administering your care.

Your paper healthcare records are stored in physically secure areas and electronic records held on computer systems are protected by appropriate technology (such as data encryption and access controls).

If you decide to send or receive personal information by email, please be aware that Barts Health cannot be responsible for the security of the information during its transfer to or from our email system, or for any loss or compromise of the information due to technical or security issues occurring outside our computer networks. We do have a secure email option that we can use for transfer of sensitive data, upon request. To use this you will need to set up an account with Egress once we have sent you an invitation.

How long will we keep your information?

There is often a legal reason for keeping your personal information for a set period of time. We can also be instructed to keep certain information during unusual circumstances (legal hold) e.g. ongoing public inquiries. In these cases, we cannot destroy the records until instructed to, even if the retention period has passed. Our policy for keeping information is based on the NHS Records Management Code of Practice. Please see this document to find out how long we will keep different kinds of information about our patients. 

Why are we allowed to process your information?

Under the UK General Data Protection Regulation (UK GDPR) most of the Trust’s processing of personal information is carried out under the lawful basis of ‘Public Task’, because the processing is necessary for the performance of a task carried out in the public interest (GDPR Article 6(1)(e)). This allows us to process your information because it is part of our public task to provide healthcare.

We will also process more sensitive information (such as your medical history) because it is necessary for the purposes of preventative or occupational medicine, medical diagnosis, and the provision of healthcare (GDPR Article 9(2)(h)) or for scientific research and statistical purposes (GDPR Article 9(2)(j)).

What are your rights as a data subject?

Under the General Data Protection Regulation you have a number of rights as a data subject. These are:

The right to be informed

We are required to inform you about how we collect and use your personal information (for example, by the information given in this Privacy Notice and patient information leaflets).

The right to access

Health data:  

You can get access to your own health data by signing up to Patient Knows Best (PKB).  

To make a Subject Access Request (a request for your data, or someone else’s data) please see the health records page.

• Request for staff data (including current and former staff): bartshealth.peoplesars@nhs.net 
• Request for CCTV:  bartshealth.sarcctvrequest@nhs.net 
• Request for historical patient data from a predecessor Trust (over 30 years since last treatment): barts.archives@nhs.net   

Requests for HIV related data: 

• Grahame Hayton Unit patients (RLH): ghuappointments.bartshealth@nhs.net
• Greenway Centre patients (NUH): bartshealth.gwcslgadmin@nhs.net  

Request for sexual health data:  

• Ambrose King (AKC): bhnt.akc-reception@nhs.net  
• SLG/Forest Road/West Ham Lane: bhnt.slg-reception@nhs.net  
• Requests for Community Womens Health (MEH) data: bartshealth.CWHS-Admin@nhs.net 

The right to rectification

You may request that we make changes to any data we hold about you that is incorrect or incomplete. We will take action to rectify inaccuracies in the personal information we hold about you when it is drawn to our attention. Sometimes it may be necessary to add an explanatory note to your information (an addendum) rather than change the original record. We would do this to ensure that we have all necessary information available to provide your care (your complete medical history, for example).

The best way to request a correction to your data is to contact the clinical team that you have been receiving treatment from. 

The right to erasure

In most cases you are not able to request that we erase the medical information that we hold about you for your direct care and public health purposes, under our lawful basis for processing your data as set out in the GDPR.

The right to restrict processing

You may request that we restrict the processing of your information in certain circumstances, for example if you believe it to be inaccurate. In most cases a restriction of processing is a temporary measure while we investigate your concerns. The right to restrict processing is not an absolute right, and we may decide not to restrict the processing of your information if we consider that processing to be necessary for the purpose of the public interest or for the purpose of your legitimate interests.

The right to object to us processing your personal information

In addition to your other rights as a data subject (see below), you have the right to object to the processing of your personal information, although you must give specific reasons for your objection based upon your particular concerns. This is not an absolute right and depending on the circumstances we may decide that there are compelling and legitimate grounds for us to continue to process your information. If we do decide to continue processing your information we will let you know and explain the reasons for our decision to you. You would also have the right to challenge our decision, for example, with the Information Commissioner’s Office (ICO).

If you wish to object to the processing of your personal information by Barts Health then please get in touch with the Trust’s Data Protection Officer (their contact details are given at the end of this notice).

The right to data portability

The Trust’s basis for processing your data under the GDPR means that we are not legally required to provide your information in a machine-readable form, although we will try to provide information that you have asked us for (such as under a Subject Access Request) in the format you prefer if it is practical for us to do so.

Rights related to automated decision making (including profiling)

Barts Health does not make automated decisions about patients or carry out evaluations based on any automated processes (profiling). 

We do use Artificial Intelligence in the Trust, but any new AI software goes through assessment. All uses include a human decision-making step to avoid any automated decision making.

Do we pass your information on to other people or organisations?

When we are required to do so, we will ensure that we seek your consent before sharing your personal information with other people. We will not pass your personal information to your friends, relatives or carers without your explicit consent. If you are unable to consent for any reason, we will only share information where it is clearly in your best interests to do so or it is required by law.

The Trust sometimes needs to share the personal information we process with other organisations. When we do this we are required to comply with all aspects of the UK General Data Protection Regulation and confidentiality requirements. Where necessary we also have data sharing agreements in place with our partner organisations which will state the specific ways in which the shared data can be used.

The organisations we share information with can include:

• other public and private healthcare, social and welfare organisations
• central and local government organisations
• police forces and security organisations
• public and private service providers, suppliers of medical equipment and support systems
• public and private auditors and audit bodies
• legal representatives
• survey and research organisations
• professional advisers and consultants

The reasons why we would share your information can include:

• notification of births and deaths
• an emergency (when there is risk of loss of life or limb)
• to control infectious diseases (such as meningitis or tuberculosis)
• child protection
• when required by a formal court order
• for the prevention or detection of a crime

Where possible we share anonymous data, or data that is effectively anonymous to the person or company receiving it. This type of data sharing still goes through scrutiny and approvals to make sure it definitely won’t identify you. It is most common for this type of data sharing to be part of indirect care such as service evaluation or clinical audit, or formal research approved by the HRA. 

If it is not part of research or indirect care, we will only share the anonymous data outside of the Trust if our Data Access Committee has agreed it is in the public interest. If we feel there will be a commercial value to the anonymous data they are accessing, then we will ensure that agreements are in place for some of the revenue to be returned to the NHS in accordance with national guidelines.  

You can read more about our Data Access Committee and the projects they have approved on the Barts Life Sciences website.

Do we transfer your information to other countries?

The Trust may sometimes use service providers who process information in other countries, both within and outside the European Economic Area (EEA). Because of this it may sometimes be necessary for personal data to be transferred overseas. However, before any transfer is made Barts Health will make sure that appropriate safeguards are in place so that the transfer of the data, its processing, storage and retention are securely controlled and in full compliance with the requirements of the GDPR.

Data Protection Impact Assessments

Under GDPR regulations we are required to carry out a Data Protection Impact Assessment (DPIA) when undertaking new projects which involve the processing of personal data. Completing a DPIA helps us to identify any data risks at an early stage and to take steps to minimise these risks as part of the project development process.

Data Protection Impact Assessments were completed for the following projects during 2024/2025:

• Federated Data Platform: Inpatient theatre scheduling  
• NHS England Complications of Excess Weight programme 
• Federated Data Platform - Patient Level Costings  
• Patient Level Costings on premise software 
• Adding MRN to EDGE for clinical research equalities monitoring 
• ENT Insourcing  
• Anthony Nolan stem cell transplant web portal 
• National Legal Services System 
• Migration of Master Patient List data for Joint EPR 
• Uniform replacement project 
• Asthma Biologics app 
• Immunotherapies – advanced therapeutic (including investigational) medicinal products 
• Barts Health Data Platform 
• Barts BioResource consent form scanning 
• NAVIS software for glaucoma fundus camera 
• Watchpat 

Please contact the data protection officer should you require any further information regarding these DPIAs.

Where can I get further advice?

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:

The Trust processes a lot of sensitive personal information about both patients and staff. We have a responsibility to ensure that this information is protected at all times and shared in an appropriate manner.

The EU General Data Protection Regulations (GDPR) came into force on 25 May 2018 and directly applicable as law in the UK. It will replace the Directive that is the basis for the UK Data Protection Act (DPA) 1998. The basic premise of the DPA will remain; the GDPR will be an enhancement of the DPA.

Do these changes impact me and my department?

Yes it does. The Trust’s preparations are well advanced but we still need help from you. Under GDPR, fines that can be administered against organisations will be increased to £17 million or 4% of turnover. The fines can be for any breach of GDPR not just data security breaches.

How can I help?

• Ensure that you and your team are up to date with information governance training
• That any personal identifiable information is kept secure i.e.
  • Patient notes are not left in public places
  • PCs are locked when left unattended
  • All offices and filing cabinets are locked
• Always check that you have the correct recipients contact details before sending
• Always check that you are sending correspondence to the right patient
• Do not open any suspicious looking emails
• If a breach or near miss does occur that it is reported immediately on Datix and your line manager is informed. Under GDPR we will be expected to report any high risk incident within 72 hours to the Information Commissioner’s Office
• The Information Governance Team is continuing to conduct risk assessments to identify information flows and assets. Please provide them with any assistance required
• If suppliers or any third parties contact you about their readiness or the Trust’s for GDPR that the Information Governance team are made aware

Ensuring the Trust is compliant with GDPR doesn’t end on 25 May. Compliance is on-going and will be monitored by the current data protection regulator, the Information Commissioner’s Office (ICO).

All staff need to be aware of their responsibilities under GDPR and over the coming weeks the Information Governance Team will continue to provide updates on GDPR outlining staff responsibility on WeShare.

If you have any queries or concerns please contact the Information Governance Team.

Cookies

Barts Health NHS Trust uses cookies to help us understand how people use our website. We use cookies to capture which pages are most popular, how long people spend on each page and what links they use to access the information they are seeking. We may also use cookies to enable the website to ‘remember’ details that you voluntarily give, such as when you complete online forms, so that you do not have to retype the information next time you use the website.

By using this website you are implying consent for these cookies to be placed on your computer. If you would like to remove these cookies and opt-out of the services that use them you can by selecting the appropriate settings on your browser.

What is a cookie?

A cookie is a simple text file that is stored on your computer or mobile device by a website’s server and only that server will be able to retrieve or read the contents of that cookie. Each cookie is unique to your web browser. It will contain some anonymous information such as a unique identifier and the site name and some digits and numbers. It allows a website to remember things such as your preferences or remembers your details when filing out a form. They are controlled by your computer. If you visit the Tools section in your browser menu, you will find details of your cookies settings.

Cookies may come with or without an expiry date. Cookies without an expiry date exist until the browser is closed, while cookies with an expiry date may be stored by the device until the expiry date passes.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

You can set your browser to warn you before accepting cookies, or you can set it to automatically reject them. Please note that by rejecting cookies it may inconvenience you in browsing our website. See your browser 'help' button for how to change your cookie settings.

We will not share personal data about you

When you complete an online form to change an appointment, this form asks you for personal data so that we can complete your request. This information is stored securely and never shared with other organisations or used for marketing purposes.

Google Analytics

The Barts Health website uses Google Analytics, a web analytics service provided by Google, Inc. ("Google"). Google Analytics uses cookies, which are text files placed on your computer, to help the website analyse how users use the site.

By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

Our jobs feed

The Barts Health website uses the Trac recruitment site, provided by Civica UK Ltd, to advertise our current vacancies.

The Trac website, displayed through the use of a code droplet on our website, uses cookies. By accepting our privacy policy, you agree to the use of these cookies. If you choose not to accept cookies, our job roles will not display on our website.

Other third party applications

The Barts Health website uses code droplets to share content from other websites, such as Twitter, YouTube and Google maps. We do this so that our site is easier for you to use, and the content from these other websites is displayed automatically on the page.

We sometimes use code droplets to measure the effectiveness of our recruitment advertising campaigns through third party applications.

These third party applications use cookies. By accepting our privacy policy, you agree to the use of these cookies by third parties.

Links to other websites

Barts Health NHS Trust website contains links to other websites of interest. However, once you have used these links to leave this website, you should note that we do not have any control over that other website. We cannot be responsible for the protection and privacy of any information which you provide while visiting such websites, and such websites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question. We recommend that you review the websites privacy policy as a precautionary measure. The trust does not endorse any external sites and is not responsible for their content.