Privacy Notice - General 

Your personal information is very important to you and to us at Derby Teaching Hospitals NHS Foundation Trust.  We recognise the importance of protecting personal and confidential information and are committed to ensuring that your privacy is protected.    

The way your information is collected, used and retained has changed substantially over recent years with the development of new technologies. The laws that govern the use of personal data have also changed to encompass these developments. The General Data Protection Regulation (GDPR) becomes law on 25 May 2018. At the same time, a new UK Data Protection Bill is going through Parliament to incorporate the GDPR fully into UK law; it will replace the current Data Protection Act 1998.

Derby Teaching Hospitals NHS Foundation Trust recognises the importance of protecting personal and confidential information and is committed to ensuring that your privacy is protected.

The law determines how organisations can use personal information.  This is covered within the General Data Protection Regulation (GDPR), UK Data Protection Law, the Human Rights Act, Common Law Duty of Confidentiality and other Health Service legislation.

In accordance with NHS guidance, the Trust has:

  • a Caldicott Guardian – an Executive Director who is responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing.

  • a Senior Information Risk Owner – an Executive Director with overall responsibility for information risk within the Trust 

The General Data Protection Regulation requires the Trust to appoint a Data Protection Officer to facilitate compliance with the data protection legislation/requirements, act as an intermediary between relevant stakeholders and be the first point of contact for supervisory authorities. 

The Data Protection Officer for this Trust is Anne Woodhouse, Head of Information Governance & Data Protection Officer.  Contact details are anne.woodhouse1@nhs.net

This privacy notice is intended to inform you about:
  • the type of information we hold and how we use and manage that information
  • how we ensure that the confidentiality of personal/sensitive information is maintained
  • how and why we may share information with other NHS organisations and non-NHS organisations  

Definition of personal and sensitive data: 
  • Personal data is information about an identifiable living person such as name, address, telephone number, date of birth, email address, online identifiers, and credit card/bank details.  This includes, but is not limited to, written correspondence, emails, photographs, audio recordings and video recordings.

  • Sensitive data is special categories of personal data, i.e. data concerning health, ethnic origin, race, political opinion, religious beliefs, biometric and genetic data. 

How we protect your data and ensure confidentiality of information is maintained

All NHS organisations and everyone who works for the NHS or in partnership with them have a legal duty to keep information confidential and take great care with the security of information and records. 

Staff have a legal responsibility to maintain confidentiality and security of all the personal information we hold and ensure compliance with the Data Protection Law, the Caldicott Principles, the NHS Code of Confidentiality and the Human Rights Act.

The Trust is the Data Controller for the data it holds.  All information and information systems within the Trust are stored on our secure network with appropriate security controls, which include access controls, cyber security and assessments against all aspects of data security.

Training – staff are trained to understand their responsibilities regarding the security and confidentiality of patient information and that access is on a strictly need-to-know basis.  They must update this mandatory training on an annual basis.

Audit trails – records are available to show who accessed what information.  Routine/random audits take place to ensure access is appropriate.  Any inappropriate access identified will be dealt with through the Trust’s Disciplinary Process.

The Information Commissioner’s Office maintains a public register of organisations that process personal identifiable data.  The Trust’s registration number is Z8575998.

How we may share your information

For more details of how and why we may share your information please click on one of the additional notices via the links below:

Derby Teaching Hospitals Website

For information regarding the security / privacy policy and the use of cookies on our website please click here. 


Security cameras are installed at various locations within this Trust to prevent and detect crime and for the protection of staff, visitors and patients and their property.  Our security staff are also equipped with body worn cameras which are only activated if they need to record a violent or aggressive incident.  Signage about CCTV is posted around the entrances and will be visible on all officers carrying body worn cameras.

Retention of your data

We will retain your information in line with the Department of Health Retention Schedule.

Click here to download the NHS Health & Social Care retention schedule.


Contact us for further information: