Skip to content
left end
left end
right end


If you want a basic overview of how we handle patient information please read our leaflet "What we do with your personal information".  Full details are set out below.

What Information do we collect from you?

Health and social care professionals working with you - such as doctors, nurses, support workers, psychologists, occupational therapists, social workers and other staff involved in your care - keep records about your health and any care and treatment you receive.  This may include:

  • Basic details such as name, address, date of birth, phone number, and email address  - where you have provided it to enable us to communicate with you by email
  • Your next of kin and their contact details
  • Notes and reports about your physical or mental health and any treatment, care or support you need and receive
  • Results of x-rays, scans, laboratory tests and diagnosis
  • Relevant information from other professionals, relatives or those who care for you or know you well
  • Any contacts you have with us such as home visits or outpatient appointments
  • Information on medicines, side effects and allergies
  • If you stay in one of our hospitals, information about your menu choices and meals provided
  • Patient experience feedback and treatment outcome information you provide

It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.

Most of your records are electronic and are held on a computer system and secure IT network. New models of service delivery are being implemented, with closer working with GPs and other healthcare and social care providers.  To make this possible, the use of other electronic patient record systems to share your information will be implemented.  You will be given the opportunity to say no and to object to this sharing.  Sharing your information via secure electronic methods, means that necessary information relating to you which is relevant to the care that you need, is shared more quickly and accurately. If you opt out of your information being shared via this method, then this information will still be shared via the slower more traditional routes such as letters, phone calls and emails. See also Connecting Care below. 

Why do we collect this information about you?

Your information is used to guide and record the care you receive and is vital in helping us to:

  • have all the information necessary for assessing your needs and for making decisions with you about your care
  • have details of our contact with you, such as referrals and appointments and can see the services you have received
  • assess the quality of care we give you 
  • ensure that appropriate information is available if you see another doctor, or are referred to a specialist or another part of the NHS, Social Care or another health provider.
  • properly investigate if you and your family have a concern or a complaint about your healthcare

Professionals involved in your care will also have accurate and up-to-date information and this accurate information about you is also available if you:

  • Move to another area  
  • Need to use another service
  • See a different healthcare professional

What is your legal basis for processing my personal information?

When you consen to treatment we do not rely on that same consent to use your information as a 'legal basis for processing'.  We rely on specific provisions under Article 6 and 9 of the General Data Protection Regulation, such as '…a task carried out in the public interest or in the exercise of official authority vested in the controller.' 

In particular the Trust has a legal duty under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 to maintain securely an accurate, complete and contemporaneous record in respect of each service user, including a record of the care and treatment provided to the service user and of decisions taken in relation to the care and treatment provided. Because of this there are limitations on your rights to object to the keeping of records or to ask for them to be deleted. For more information see the section on your rights.

This means we can use your personal information to provide you with your care without seeking your consent.  

Other legal duties may require us to use your information for processing a complaint, for assessing, monitoring and improving the quality and safety of the services we provide, to seek feedback on the quality of services, or for the general management of the NHS.

The NHS is supported by a complex network of statutory duties and powers. We have provided here an overview of the main provisions applying to the Trust. If you require specific information about the particular duty or power supporting any activity please contact the Data Protection Officer:

What else do we use your information for

In addition to using your information for managing your care it may be used for some additional purposes including:

  • Planning managing and improving NHS Services. To help us monitor our performance, evaluate and develop the services we provide, it is necessary to review and share minimal information, for example with the NHS Clinical Commissioning Groups. The information we share would be anonymous so you cannot be identified and all access to and use of this information is strictly controlled.
  • Clinical audits and other quality improvement projects/activities. We try continually to raise the standard of care we provide. To do this we need to review the clinical work we do, this is typically done using a process known as Clinical Audit. Access to your patient records for this purpose is monitored and only anonymous information is used in any reports that are shared internally with in our Trust.
  • Approving payments where you have an individually commissioned care plan
  • Recovering costs if you are an out of area patient and some other NHS organisation is responsible for the cost of your care
  • Contribute to service development (the Trust may contact patients to raise awareness of the Trust's designated charities, but will not share personal data with them)
  • Prepare statistics on NHS performance;
  • Internal and External audit of Trust accounts
  • Helping to train health professionals. The information you give us is vital in helping us to educate the health workers of the future. However, you always have the right to choose whether not to have students present during a consultation.
  • Health research and development - see also the section on use of data for research purposes below.

Wherever possible these activities will use anonymised information and in all cases will use only the minimum personal data required. The Trust adopts the principles in the Information Commissioner's Anonymisation Code of Practice which you can find here.

Where we do use information for these purposes we will only do so if there is a proper legal basis to do so - for example an approval under s251 of the National Health Service Act 2006 allows us to use personal data to validate payments for out of area treatments.

In some cases you have the right to opt-out of the use of your information for purposes other than your direct care. See the section on the National Data Opt-Out below.

How long do we keep your records?

There is no single retention period which applies to all medical records. The Trust aims to comply with the  Records Management Code of Practice for Health and Social Care 2016. 

In general medical records are retained for eight years from data of discharge or end of care but some may be kept longer than that e.g. if there has been a serious incident. For a child the record will be kept until the 25th or 26th birthday depending on age when discharged / last seen.

Exceptions where records may be kept longer - up to 30 years or eight years after death include:

  • Cancer / oncology records
  • Long term illnesses
  • Human Fertilization and Embryology - up to 50 years
  • Mental Health issues (20 years)
  • Obstetric maternity and neo-natal - 25 years

For full details please see the  NHS Retention Schedule

Who might we share your information with?

Your health records are confidential and every member of staff within the NHS  has a legal duty to keep your information confidential and secure, ensuring that confidential data about you is used only in the course of their duties and for lawful purposes.

Health and Social Care Professionals - Your information will be shared with the team who are caring for you and are providing treatment to you.

We will share information with the following main partner organisations:

  • Other NHS Trusts and hospitals that are involved in your care;
  • General Practitioners (GPs); and
  • Ambulance Services

You may be receiving care from other people as well as the NHS, for example, Social Care Services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it. Therefore, we may also share your information, subject to strict agreement about how it will be used, with:

  • Social Care Services;
  • Community Pharmacies;
  • Education Services;
  • Local Authorities; and
  • Voluntary and private sector providers working with the NHS

We do this in order to provide the most appropriate treatment and support for you, and your carers, or when the welfare of other people is involved.  Where practical we will discuss such sharing with you so that there are no surprises but if necessary for your care we will imply your consent for such sharing from your consent to treatment.

You have the right to object to information sharing at any time. Please discuss this with your relevant health care professional as this could have implications in how you receive further care, including delays in receiving care or it may make the provision of treatment and care most difficult or impossible. Objections to sharing will be noted explicitly within your records in order that all healthcare professionals and staff treating you are aware of your decision. You can also change your mind at any time about this sharing.

However, a person's right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies.  These are rare circumstances and we are not required to have your consent for these purposes. 

Examples of this are:

  • If there is a concern that you are putting yourself or another person at risk of serious harm
  • If there is concern that you are putting a child at risk of harm
  • If we have been instructed to do so by a Court
  • If the information is essential for the investigation of a serious crime
  • If you are subject to the Mental Health Act (1983), there are circumstances in which your 'nearest relative' must receive information even if you object or we may need to make a decision in your best interests in accordance with our Mental Capacity policy
  • If your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases

We would never share your information for marketing or insurance purposes without your explicit and specific consent.

NHS Patient Survey Programme (NPSP) is part of the government's commitment to ensure patient feedback is used to inform the improvement and development of NHS services.  We have a legal duty under Regulation 17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 to assess, monitor and improve the quality and safety of the services provided (including the quality of the experience of service users in receiving those services). We may share your contact information with an NHS approved contractor as a data processor to be used for the purpose of the NPSP. 

NHS Digital

NHS Digital on behalf of NHS England assess the effectiveness of the care provided by publicly-funded services - we have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations and our legal duty under s259 Health and Social Care Act 2012. For further information about how NHS Digital looks after your data follow this  link.

Clinical Commissioning Groups

Information may be shared with a Clinical Commissioning Group where it is necessary for them to comply with their legal duties. For example they have particular duties relating to the discharge of patients under the Care Act 2014 and for the provision of continuing care under s3 NHS Act 2006 including in some cases the authorisation of individual funding. Please also see the  Bristol, North Somerset and South Gloucestershire Clinical Commissioning Group Privacy Notice.

NHS England

Where your doctor wants to prescribe certain specialised drugs, approval may be needed from NHS England. In these cases we need to confirm that you meet the required clinical criteria defined by either NICE or NHS England policy. These aim to ensure that treatments are offered to those patients most likely to benefit clinically from them. In order to do this, your doctor will complete a form with your information through a website provided by Blueteq. If you are eligible for the treatment your doctor has prescribed, NHS England will immediately approve this application so you can begin your treatment without delay. Once you have received your treatment, your hospital will ask NHS England for payment for your treatment and NHS England will go through a process to authorise the payment. To allow NHS England to ensure that it pays for treatments for patients who meet the necessary clinical criteria, your personal details will be processed by NHS Digital teams; NHS Digital is the national safe haven set up under the Health and Social Care Act 2012 - Safe Havens have been set up in the NHS to ensure that confidential patient data can be transmitted and stored securely. NHS Digital will de-identify the data so NHS England can match the clinical approval and payment without being able to link any information to a specific individual. Data which identifies you is only used for your direct care purposes. All data required by NHS England for commissioning purposes is de-identified by NHS Digital in line with the Information Commissioners Code of Practice on Anonymisation. Please also see the  NHS England Privacy Notice.

South West Child Health Information Service (CHIS)

For the purposes of providing medical services to, and the safeguarding of, children the Trust shares Maternity Department Data and Newborn Hearing Screening Data with the South West CHIS. This is a Public Health Service commissioned by NHS England to maintain active and accurate child health records for the local population including children who move in and out of the area; manage queries about the health status of individual children and populations; and check who has not yet had their interventions and ensure that no interventions are duplicated or unintentionally missed.

Information is hosted by Health Intelligence Limited who act as Processors for the Trust and other participating health service providers. Information may be made available through the service to NHS Providers/NHS Business Partners under an NHS Contract to deliver Child Health Services including Health Visitor teams, Looked After Children co-ordinators, School Nursing Teams, Acute (including Maternity Departments/Units), Newborn Bloodspot Laboratory, Newborn Hearing Screening Providers, Newborn Infant & Physical Examination (NIPE) providers, Vision Screening Providers, and Mental Health and Community Health service providers who are engaged in delivering services to children.

All parties participating in the CHIS have signed specific Data Sharing Agreements to control their access to this patient data. For further information please see the CHIS section of the  Health Intelligence Limited Privacy Notice.

Connecting Care: Connecting Care is a digital care record system for sharing information in Bristol, North Somerset and South Gloucestershire.  It allows instant, secure access to a summary of your health and social care records for the professionals involved in your careto help them manage your care better, allowing up-to-date information to be shared quickly and safely.

Connecting Care takes some of the information held in the Trust's medical records together with information from GP practices, other hospitals deprtments, community services, mental health trusts, out of hours services and local authorities across Bristol, North Somerset and South Gloucestershire.  This information combines into a single, shared digital record all about you.

The main types of data which may be shared are;

Person Details and Demographics; Other Addresses Held; Immediate Family Members; Legal Relationships; Key Case Worker (s); Last Known GP Practice; Disabilities; Allergies; Events; Medications; Procedures; Examinations; Investigations; Procedures; Referrals Details; Social / Family History; Next of Kin; Alerts, Risks And Warnings; Admissions; Previous Appointments Details; Future Appointment Details; Assessment;  Care Plan Interventions Details; Care Plan Problems Details; Care Plans Details; Carer Details; Diagnosis Details; Diagnostic Tests; radiology information;  Discharges; DOLs (Deprivation of Liberty); Early Interventions; Risk Management plans; Safeguarding; End of Life Care Plan

Only those directly involved with your care and providing health services across Bristol, South Gloucestershire and North Somerset who are authorised to use the system can see this information. All authorised users of Connecting Care are required to select a legitimate reason for access to a record, otherwise they are unable to access that record. Usually this will be because, being involved in your treatment they require access in order to provide you with safe and effective treatment based on the best available and most up to date information.

The legal basis for holding information within Connecting Care is the same as for the Trust holding your records initially and also as part of the legal duties on the Trust and its partners to improve the services provided to patients.

As the information is confidential to the original provider you do have the right to object to such sharing. However this may have an impact on your care. If you do object the information will be removed from general view but may still be available for some specific purposes such as protecting someone from harm where a legal duty may override your objection. For further information please see  What if I don't want my information shared?

We would also refer you to the  Transparency Notice of the Connecting Care website.

BUPA / Private Patients:

The Trust has arrangements with health insurance providers including BUPA for the provision of private treatment. In such cases we will share information with the insurer as required by our contract with them for the following purposes:

  • To provide clinical quality information
  • To notify them of any serious incidents
  • To pre-authorise treatment
  • To invoice them for services
  • To assist them when they are investigating a complaint

You can view BUPA's notice here. You should refer to your insurers own Privacy Notice.

As required by the  Competition & Markets Authority Private Healthcare Market Investigation Order 2014 we may share non-identifiable information about you and your treatment with the Private Healthcare Information Network (PHIN). For further details see the  PHIN Privacy Notice.

Personal Health Record

The NHS is committed to introducing processes to help patients to see their personal health records online. The aim is that patients should be able to:

  • see information that healthcare staff want to share with them
  • find out about appointments and treatment
  • have more control over their health problems
  • bring together information from different NHS organisations they have contact with

The Trust is rolling out a Personal Health Record (PHR) for this purpose using systems provided by System C Healthcare Limited who act as a data processor for the Trust. 

Information held within the PHR may include:

  • Questions, queries, or feedback you leave, including your email address and mobile number if you provide it to us.
  • Details that allow you to access NHS services (you will always be told when this information is being collected, and it will only be used for the purpose you provide it for).
  • Personal Confidential Data which you may provide including health diaries, blood pressure, blood sugar, and weight and which will be used for your direct care with your consent or may be used in an anonymised form for research purposes but only with your consent.

Use of a PHR will help us to understand your needs and provide you with a better service as well as providing you with direct access as set out above.

You are not required to have a PHR and accordingly the above information is used with your explicit consent. You can always withdraw that consent by contacting us in which case your PHR can be discontinued.

The PHR will also progressively allow you to have direct access to a range of information including:

  • Your details: a view of your personal details held by the Trust including your GP details.
  • Your admissions - Any inpatient admissions that you have had to University Hospitals Bristol.
  • Any emergency department attendances you have had at University Hospitals Bristol.
  • Your Appointments - Your outpatient appointments booked through the University patient administration system
  • Questions, queries or feedback you leave, including your email address and mobile number if you provide it to us.
  • Direct access to parts of your records including test results (and also information fromcommunity and social care providers)

This information is effectively a snapshot of information held elsewhere by the provider. It is not processed under your consent to have a PHR but for the reasons set out in the main part of this notice or the privacy notice of the provider. If you discontinue your PHR you will lose access but the records will be retained. See also section on your rights.

Teen and Young Adults IAM

The Teen and Young Adults IAM is a web based service which aims to support teenage and young adult patients with cancer. Completing an IAM assessment helps users, the Trust  and its partners to understand the patient's needs so we can work together to provide the right support.

Information you provide is given by explicit consent and will only be used at your request and with that consent.

Please also see the TYA IAM Privacy Policy.

Hospital Passport

The Trust uses a Hospital Passport to support the care of adults with learning disabilities and autism when going to hospital. This records your contact details, all essential information we need to know about you, important information about your day-to-day activities and finally information about your likes and dislikes. The Trust keeps an electronic copy which can be updated and provides you with a copy for you to keep with you during your stay.

The purpose is to support your care and to provide our staff with information about yourself and your carers during a hospital visit. You are not required to have a passport if you do not want one and so we use your explicit consent to hold and process the data needed for the passport.

You can withdraw your consent at any time but we could then no longer support your passport and this may affect our ability to reduce the stress of your visits.

Improving care through research

As an NHS organisation we use personally-identifiable information to conduct research to improve health, care and services. As a publicly-funded organisation, we have to ensure that it is in the public interest when we use personally-identifiable information from people who have agreed to take part in research.  This means that when you agree to take part in a research study, we will use your data in the ways needed to conduct and analyse the research study. Your rights to access, change or move your information are limited, as we need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally-identifiable information possible.

Health and care research should serve the public interest, which means that we have to demonstrate that our research serves the interests of society as a whole. We do this by following the  UK Policy Framework for Health and Social Care Research.

Any research involving patients has to be approved by the Health Research Authority. If any research involves processing your personal data, you will usually be contacted to see if you are willing to take part. Research will only use your data without contacting you if it has been formally approved under s251 of the National Health Service Act 2006 and the and the Health Service (Control of Patient Information) Regulations 2002. S251(12) specifically refers to medical research. The Health Research Authority publishes details of such approvals and you can  find a list here. The National Data Opt-Out (see below) applies to most of these approvals. If you do ask for this opt-out to apply the Trust may still contact you to invite you to partipate in specific studies. You would not be identified personally in any published results, unless you agreed to this.

When you agree to take part in a research study, the information about your health and care may be provided to researchers running other research studies in this organisation and in other organisations. These organisations may be universities, NHS organisations or companies involved in health and care research in this country or abroad. Your information will only be used by organisations and researchers to conduct research in accordance with the  Policy Framework.

Your information could be used for research in any aspect of health or care, and could be combined with information about you from other sources held by researchers, the NHS or government.

Where this information could identify you, the information will be held securely with strict arrangements about who can access the information. The information will only be used for the purpose of health and care research, or to contact you about future opportunities to participate in research. It will not be used to make decisions about future services available to you, such as insurance.

Once you have agreed to take part in a research project, or that your personal data may be used for research the Trust has a clear legal basis for using your personal data as set out in the next paragraphs under Article 6.1 (e) GDPR as research is recognised to be task carried out in the public interest.

The NHS has a statutory framework which provides a clear legal basis for research in the public interest. This is set out in:

  • The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 under which  NHS providers have legal duties to "improve the quality and safety of the services provided" and "assess, monitor and mitigate the risks relating to the health, safety and welfare of service users" under.
  • s14R NHS Act 1996 - where research is commissioned by a Clinical Commissioning Group  under the duty to secure "continuous improvement in the quality of services provided to individuals for or in connection with the prevention, diagnosis or treatment of illness"
  • The NHS Constitution (July 2015) made under s1 Health Act 2009 which NHS bodies must have regard to (s2). It includes a commitment, in the third of its seven guiding principles, to " … innovation and to the promotion, conduct and use of research to improve the current and future health and care of the population."  The handbook to the Constitution refers specifically to the  duties on the Secretary of State, NHS England and CCGs to secure continuous improvement in the quality of outcomes achieved by health services and in this context says: "The importance of innovation and medical research is underscored by this Principle as integral to driving improvements in healthcare services for patients."
  • Paragraph 13 of Schedule 1 of the NHS Act 2006 as amended by the Health and Social Care Act 2012 provides that "The Secretary of State, the Board or a clinical commissioning group may conduct, commission or assist the conduct of research into- (a) any matters relating to the causation, prevention, diagnosis or treatment of illness". This includes "power to do so by providing financial assistance or making the services of any person or other resources available".
  • s13L NHS Act 2006 gives the NHS Commissioning Board a duty to "promote research on matters relevant to the health service". Clinical Commissioning Groups have a similar duty under s14Y.
  • s66 Health and Social Care Act 2012 requires Monitor to have regard to "the need to promote research into matters relevant to the NHS by persons who provide health care services for the purposes of the NHS".
  • s72 NHS Act 2006 under which Foundation Trusts and other NHS bodies must co-operate with other NHS bodies in exercising their functions.

Most  research requires the use of special category data including health information so the Trust also relies on the above legal bases together with Article 9.2 (j) of GDPR - processing is necessary for … scientific or historical research purposes.

For further information about how the NHS looks after your information when used for research please refer to the NHS Health Research Authoritywebpage.

If you would like to actively be involved in a research study, you may find the  'Patient and Public Involvement' page of the Trust's website useful or you can discuss the issue with your Health Care Professional.

Overseas Visitors

Where the Trust treats you as an overseas patient in addition to the above the Trust may collect additional information to establish your eligibity for free treatment within the NHS and to recover payment from you if that becomes necessary..

This may include:

  • additional identification such as a passport
  • proof of residence
  • asylum status
  • evidence of health insurance
  • purpose and length of stay

Once we have satisfactorily established your status we will not retain copies of amy supporting documents you supplied.

Relevant information may be shared with the Home Office where required by the National Health Service (Charges to Overseas Visitors) Regulations 2015 so that they can confirm your immigration status to us.  This will not include clinical information about your healthcare with us.

The information provided may be used and retained by the Home Office for its functions, which include enforcing immigration controls overseas, at the ports of entry and within the UK. The Home Office may also share this information with other law enforcement and authorised debt recovery agencies for purposes including national security, investigation and prosecution of crime, and collection of fines and civil penalties.

If you are chargeable but fail to pay for NHS treatment for which you have been billed, it may result in a future immigration application to enter or remain in the UK being denied. Necessary (non-clinical) personal information may be passed via the Department of Health to the Home Office for this purpose.

National Data Opt-Out

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected to help ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, and research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family, and future generations. Confidential personal information about your health and care is only used in this way where it is allowed by law.

You have a choice about whether you want your confidential information to be used in this way in many cases.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit the Your NHS Data Matters website. If you do choose to opt out you can still consent to your data being used for specific purposes.

If you are happy with this use of information you do not need to do anything. You can change your choice at any time.