Data Protection - Our Privacy Notice


As you may already know, the General Data Protection Regulation came into force on 25 May 2018, giving you more control over your personal data and to be kept informed about how your information is used.

A Privacy Notice is a statement by the Trust to patients, service users, visitors, carers, the public and staff, that describes how we collect, use, retain and disclose personal information which we hold.

It is sometimes also referred to as a Privacy Statement, Fair Processing Statement, or Privacy Policy. This privacy notice is part of our commitment to ensure that we process your personal information/data fairly and lawfully.

North West Anglia NHS Foundation Trust recognises the importance of protecting personal and confidential information in all that we do and takes care to meet its legal and regulatory duties.

This Privacy Notice explains what information we collect about you, how we store this information, how long we retain it and with whom and for which legal purpose we may share it. This notice may be updated at any time. To find out more about our Privacy Notice, please select the relevant hyperlink below:

North West Anglia NHS Foundation Trust (the Trust) employs 6,100 staff and was formed on 1 April 2017. The Trust runs three hospitals – Peterborough City Hospital, Hinchingbrooke Hospital and Stamford and Rutland Hospital, plus provides radiology and outpatient services at The Princess of Wales Hospital, Ely and Doddington Hospital near March. In addition, the Trust provides radiology services at North Cambs Hospital in Wisbech and at the City Care Centre in Peterborough. Our Trust serves approximately 700,000 residents living in Cambridgeshire, South Lincolnshire and the neighbouring counties. All three main hospital sites deliver inpatient and outpatient services.  

The Trust is a "data controller". This means that we are responsible for deciding how we hold and use personal information about you.

The Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information  Under the Data Protection Act 2018 and GDPR(UK) and our registration number is Z6661010.

For further information about the Trust, please refer to the About Us section of this website.

The information that you provide to us is necessary in order for us to provide you with the best possible treatment and care. Without this information, we may not be able to treat you effectively.  This personal information can be held in a variety of formats, including paper records, electronically on computer systems, in video and audio files.

Personal information about you is collected in a number of ways.  This can be from referral details from your GP or another hospital, directly from you or your authorised representative.

We will likely hold the following basic personal information about you:

  • Personal details (such as your name - including any maiden name, date and place of birth, gender, occupation, overseas status and marital status.
  • Contact details (such as address - including correspondence, telephone numbers and email address)
  • Information about your family and others (such as next of kin contacts and carers/ representatives)
  • Security information (such as CCTV footage) 

Some of the information which we collect may be special categories of personal data (also called sensitive personal data). The special categories of personal data about you which we may collect include notes and reports about your health, treatment and care, including:

  • Your medical conditions

  • Results of investigations, such as xrays and laboratory tests

  • Future care you may need

  • Personal information from people who care for and know you, such as relatives and health and social care professionals

  • Other personal information such as smoking status and any learning disabilities

  • Your religion, race, sex life, sexual orientation and ethnic origin

  • Whether or not you're subject to any protection orders regarding your health, wellbeing and human rights (safeguarding status).

It is important for us to have a complete picture of you as this will assist staff to deliver appropriate treatment and care plans in accordance with your needs.

We use the types of personal data listed above for a number of purposes, each of which is processed in accordance with a "lawful basis". In accordance with the data protection laws, we need a "lawful basis" for collecting and using information about you. There are a variety of different legal bases for using personal data which are set out in the data protection laws.  

We have set out below the different purposes for which we collect and use your personal data, along with the lawful bases we rely on to do so.

Your records are used to directly, manage and deliver healthcare to you to ensure that:

  • The staff involved in your care have accurate and up to date information to assess and advise on the most appropriate care for you.
  • Staff have the information they need to be able to assess and improve the quality and type of care you receive.
  • Appropriate information is available if you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or health provider.

The personal information we collect about you may also be used to:

  • Remind you about your appointments and send you relevant correspondence.
  • review the care we provide to ensure it is of the highest standard and quality, e.g. through audit or service improvement;
  • contact you to complete the Friends and Family Test (FFT). You may be contacted by employees of the Trust, or a contractor acting on its behalf;
  • support the funding of your care, e.g. with commissioning organisations;
  • prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies;
  • help to train and educate healthcare professionals;
  • report and investigate complaints, claims and untoward incidents;
  • report events to the appropriate authorities when we are required to do so by law;
  • review your suitability for research study or clinical trial;
  • contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients.

The lawful basis on which we rely in order to use the information which we collect about you for the purposes set out above is that using your information in this way is necessary in the exercise of official authority vested in the Trust.  The source of this official authority includes the Health and Social Care Act 2016.

We may also rely on the lawful basis that using your information in this way is necessary for us to comply with legal and regulatory obligations to which we are subject.

In limited circumstances, we may also process your personal data based on you providing your consent.

Where possible, we will look to anonymise/ pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it and we will only use/ share the minimum information necessary. 


A lot of the information which we collect will be special categories of personal data (also called sensitive personal data). This will mostly consist of information about your health but may also include information about, for example, your ethnic background or race.

Special categories of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.

We will use your particularly sensitive personal information in the provision of healthcare on the basis that it is necessary for reasons of medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

We may need to share relevant personal information with other NHS organisations. For example, we may share your information for healthcare purposes with health authorities such as NHS England, Public Health England, other NHS trusts, general practitioners (GPs), ambulance services, primary care agencies, etc.  We will also share information with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs. 

We may need to share information from your health records with other non-NHS organisations from which you are also receiving care, such as Social Services or private care homes. We will share your personal information with these third parties where required or permitted by law, where necessary for the provision of health and social care or with your explicit consent.

There are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

We may provide information to non-NHS partner organisations that act as ‘data processors’ and with whom we have binding confidentiality agreements to carry out an agreed service for the Trust.   

There may also be situations where we are under a duty to share your information, due to a legal requirement. This includes, but is not limited to, disclosure under a court order, sharing with the Care Quality Commission for inspection purposes, the police for the prevention or detection of crime or where there is an overriding public interest to prevent abuse or serious harm to others and other public bodies (e.g. HMRC for the misuse of public funds in order to prevent and detect fraud).

For any request to transfer your data internationally outside the UK/EU, we will make sure that an adequate level of protection is satisfied before the transfer.

The Trust is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to the Trust in confidence will be used for the purposes explained to you and where required will be based on your consent.

Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.

We hold and process your information in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and any associated legislation.  In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements. 

We have a duty to:

  • maintain full and accurate records of the care we provide to you;   
  • keep records about you confidential and secure;
  • provide information in a format that is accessible to you.

Use of email - Some services in the Trust provide the option to communicate with parents via email. Please be aware that the Trust cannot guarantee the security of this information whilst in transit, and by requesting this service you are accepting this risk. Further information can be found in our Information Governance policies, which are available here

We will comply with data protection law. At the heart of data protection laws are the "data protection principles" which say that the personal information we hold about you must be:

  • used lawfully, fairly and in a transparent way;    
  • collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
  • relevant to the purposes we have told you about and limited only to those purposes;
  • accurate and kept up to date;
  • kept only as long as necessary for the purposes we have told you about; and kept securely.

Under certain circumstances, by law you have the right to:

  • Request access to the personal data we hold about you, e.g. in health records. The way in which you can access your own health records is explained here         
  • Request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards.   
  • Refuse/withdraw consent to the processing of your health records: Under the Data Protection Act 2018, we are authorised to process your health records ‘for health or social care purposes'. Your consent will only be required if we intend to share your health records beyond these purposes, as explained above (e.g. research).  Consent forms you are asked to sign will give you the option to ‘refuse’ consent and will explain how you can ‘withdraw’ any given consent at a later time. The consent form will also warn you about the possible consequences of such refusal/withdrawal.  Once we have received notification that you have withdrawn your consent, we will make every reasonable effort to no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.      
  • Request your personal information to be transferred to other providers on certain occasions.    
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to the use of your personal information: In certain circumstances you may also have the right to ‘object’ to the processing of your information where the processing would be for a purpose beyond your care and treatment (e.g. as part of a local/regional data sharing initiative). You may be able to 'opt out' of the processing of your personal information for purposes other than your care and treatment. Further information can be found on the following website:        
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

If you wish to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please write to:

Peterborough or Stamford Hospitals: post to Access Services Team, Department 012, Peterborough City Hospital, Bretton Gate, Peterborough, PE3 9GZ
or email

Hinchingbrooke Hospital: post to Access to Health Records Department, Hinchingbrooke Hospital, Hinchingbrooke Park, Huntingdon, PE29 6NT
or email

National data opt-out programme

The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning.

The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.

You can view or change your national data opt-out choice any time, by visiting:

Our Data Protection Officer is responsible for overseeing what we do with your information and monitoring our compliance with data protection laws.

If you have any concerns or questions about our use of your personal data, you can contact our Data Protection Officer by writing to:

Information Governance Team
North West Anglia NHS Foundation Trust
Peterborough City Hospital
Department 404
Edith Cavell Campus
Bretton Gate
PE3 9GZ 

Or email

Covid-19 and your personal information

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice which is available above.

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.  Further information is available on here and some FAQs on this law are available here.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information.  This includesNational Data Opt-outs.  However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.  It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.  Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.   

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves.  All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.  

In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you.  Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.


The Information Commissioner’s Office (ICO) is the body that regulates the Trust under Data Protection and Freedom of Information legislation. You can find their website here.

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the ICO at:

Information Commissioner's Office
Wycliffe House
Water Lane

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Fax: 01625 524 510