Better Care

Patient Privacy Notice

How we manage and protect information about you

Birmingham Community Healthcare NHS Foundation Trust (BCHC) collects information about you to help us give you the best possible care.

Our aim is to maintain full and accurate records of the care we provide for you and keep this information confidential and secure.

This privacy notice has been updated to reflect some of the changes in data protection legislation brought about by the General Data Protection Regulation (GDPR) and  the Data Protection Act 2018. It also tells you how you can access information relating to your healthcare.

What information do we collect?

We collect information about you such as your name, address, NHS number, GP and contact details (including your email address and mobile number where you have provided these) alongside any health related information required for the delivery of health care services, for example:

  • Details and records of treatment and care, including notes and reports about your physical or mental health;
  • Results of x-rays, blood tests and diagnosis;
  • Information on medication or any allergies;
  • Any other relevant contact details, for example a family member.

We may also collect personal sensitive information such as your ethnicity, religion, sexuality, so that we can build up a complete picture of you in order to enable our staff to provide you with the best care possible and to effectively deliver your treatment and care needs.

We may also receive written or electronic information about you from other health and social care providers in order to support the care you receive from us.  This will enable us to provide the appropriate care and treatment that you need. We also collect information to monitor our compliance with our legal obligations relating to equality and diversity.

This information may be recorded in writing (i.e. in your medical notes), or electronically on a computer or other electronic device, or a mixture of both. To assist with the delivery of care, the Trust is moving towards wholly electronic patient records in order to facilitate the sharing of your information. 

When you arrive for an appointment, staff may check your details with you to ensure that our records are accurate. To assist with this, it is important that you notify us of any changes to your personal details (e.g. address, contact number, next of kin).

Who processes your information?

BCHC is the data controller in respect of your personal data for the provision of health care services.  This means that the Trust determines the purposes for which, and the manner in which your personal data may be processed.  We may also engage in the processing of your data in order to deliver healthcare and carry out other functions to deliver our services, or we may engage other organisations to process your data on our behalf (see “Do we share information with anyone” below).  

On what basis are we entitled to process your information?

As a public body, BCHC is lawfully permitted to process your information as there is a legal obligation for us to do so under various legislation, including the NHS Act 2006 and the Health and Social Care Act 2012, among others.  It also processes your information as a public authority acting in the public interest. Information about your health or care is known as “Special Category Data” under the data protection legislation and the Trust is lawfully entitled to process this data as a public authority for the purposes of providing you with care and when undertaking health research.  The Trust does not therefore need your consent to process your personal data. However, you do have the right to say “no” to our use of your information but this could have an impact on our ability to provide you with care.

If we are processing your personal data in ways unrelated to the delivery of direct healthcare or for reasons unrelated to the delivery of your direct healthcare, there may be a different basis on which it would be lawful for us to process your data. For example, if we are processing your data for the purposes of providing you with marketing information about the Trust, or to keep you updated about the Trust’s activities, we will need to see your explicit consent for us to process your data in this way.  

How do we use the information we collect to help you?

We may use the information we collect to help us provide services to you in the following ways:

  • Doctors, nurses or healthcare professionals involved in your care need accurate and up-to-date information about you to assess your health and deliver the care you need;
  • To ensure information is available if you need to be referred to another health professional or another part of the NHS or if you move to a different area;
  • To assess the type and quality of care you have received and require in the future;
  • To support clinic and treatment appointments by sending you electronic and or paper based appointment reminders;
  • To ensure your concerns can be properly investigated if you are unhappy with the care you have received.

Do we share information about you with anyone?

There are times when it is appropriate for us to share information about you and your healthcare with others. We may lawfully share your information with the following main partners:

  • GPs;
  • NHS Trusts and other healthcare providers;
  • Department of Health;
  • NHS England;
  • Child Health Information Service (this is a regional programme covering the wider West Midlands area to support the transfer of child clinical records across the area);
  • NHS Digital – an organisation that utilises technology and information systems to support the delivery of patient care across the NHS;
  • Health Research Authority – we share personal data with the HRA to support research in health and care. The HRA have published their own privacy statement for patients -

We may also need to share your information with other non-healthcare organisations, where it is required in compliance with legal duties. For example, where you are receiving care from a local authority, we would need to share your information with a social worker to support the provision of your care. Other occasions where we may need to share your information include:

  • Reporting some infectious diseases;
  • To help prevent, detect or prosecute serious crime;
  • If a court orders us to do so;
  • When you have expressly agreed – e.g. for an insurance medical;
  • Registering births or deaths;
  • If there is a concern that you may be putting either yourself, another person (including a health or social care professional) or a child at risk of harm.

Where we share information with non-healthcare organisations we may request that they enter into an information sharing agreement to ensure that the information we share with them is handled appropriately and complies with relevant legislation. The information from your patient record will only be used for purposes that benefit your care – we would never share your information for marketing or insurance purposes unless you have given your explicit consent for us to do so.

In all cases where we must pass on health care related information, we will only share the minimum amount of information required.   Anyone who receives information from us also has a legal duty to keep it confidential.

You have the right to object to us sharing your information (although this right is not an absolute right – see below).  You may also opt out of organisations using your data where it is being used for purposes other than care and treatment. For information about how you can opt-out of sharing your data for such purposes please go to

If you need further information on how we might share your data please email our Data Protection Officer at the contact details below.

How else could your information be used?

Your information may also be used to help us:

  • Review the care we provide to ensure it is of the highest standard;
  • Audit NHS accounts and services;
  • Arrange payment for the person who treats you;
  • Prepare statistics or other performance data on the quality of care being delivered by the Trust;
  • Investigate incidents, complaints or legal claims;
  • Conduct health research and development;
  • Make sure our services can meet patient needs in the future;
  • Teach and train healthcare professionals;
  • To monitor how we spend public money.

Your data will not be transferred outside the European Economic Area to “Third Countries” unless there are exceptional circumstances and the Trust’s Data Protection Officer has approved the transfer.

What if I object to your processing of my information?

GDPR confirms that you have the right to object to the Trust’s processing of your information, however the Trust may have legitimate grounds to refuse your request if there are compelling grounds for it to do so such that it could override your request.  Any objection made by you to processing of your data by the Trust will be considered by the Trust’s Data Protection Officer, who will make a decision whether or not the Trust should cease processing your data, and will write to you to explain the reasons for the Trust’s decision.  You have the right to make a complaint to the ICO if you disagree with the decision, or you may be able to bring legal proceedings to appeal the decision should you wish to do so.

Where your information is being processed for the purposes of research being carried out in the public interest there is no right to object.

GDPR also contains a general right to request that an organisation erase personal data, however, this does not apply to data which is being processed for the purposes of delivering healthcare.

Can you see the information we collect about you?

The data protection legislation gives you the right to know what information we hold about you, what we use it for and if the information is to be shared, who it will be shared with.

You have the right to apply for access to the information we hold about you, free of charge, whether it is stored electronically or on paper. We have a duty to provide this information in a format that is accessible to you (e.g. large print or Braille) and in a way that you can understand, explaining any abbreviations where necessary.

Your request must be made in writing and we may ask you to provide proof of identity before we can disclose personal information.  Please see our webpage to make a Subject Access Request.

In certain circumstances your right to see some details in your health records may be restricted, for example if the information refers to someone else who hasn’t given their permission, or could cause physical or mental harm to you or someone else (including any health or social care professional) were it to be disclosed; or if the information is being used to detect or prevent crime.

After having viewed your records, if you believe any information is inaccurate or incorrect, please inform us of this in writing and we will take steps to rectify any inaccuracies as quickly as possible and within one month maximum.

Healthcare Students 

Birmingham Community Healthcare has a large number of students training with us each year to become nurses, therapists, dentists and a wide range of other clinical professions. Please tell your clinician if you do not want students to be involved in your care. Your treatment will not be affected by your decision.

How we keep your information safe

We are committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in hard copy or electronic format. We protect your information in the following ways:

Training - Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community.  Staff  are also obliged to undertake online training in data security and confidentiality on an annual basis to demonstrate that they understand and are complying with Trust policies on confidentiality.

Access controls - Any member of staff being given access to national systems holding patient information will need a special access card called a smartcard, along with a username and password. Many of our local systems also require smartcard access. Staff only have access to patient identifiable information where it is relevant and necessary for them to do so.

Audit trails - We keep a record in the newer electronic record systems of anyone who has accessed a health record or added notes to it. Some of the older computer systems only record who has amended a record.

Investigation - If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.

Records Management - All healthcare records are stored confidentially in secure locations.

Legislation - There are laws in place to protect your information, including the General Data Protection Regulation 2016 and the Data Protection Act 2018) and the Human Rights Act 1998. There is also a common law duty of confidentiality. Under the NHS Code of Conduct all staff are required to protect information and only share what is necessary and proportionate and take steps to protect your confidentiality.

Caldicott Guardian - Within each NHS organisation there is a designated person named the ‘Caldicott Guardian’ whose responsibility it is to ensure that the organisation promotes the confidentiality of patient records and how they are handled within the organisation. The Caldicott Guardian for Birmingham Community Healthcare NHS Trust is our medical director, Dr Andrew Dayani.

Data Protection Officer (“DPO”)  – As a public authority, the Trust is required to appoint a Data Protection Officer, whose role it is to ensure that the Trust has in place appropriate mechanisms and procedures to protect your information and to ensure that personal data is processed lawfully within the Trust.  The Trust’s DPO is Ben Pumphrey, Head of Legal Services, who may be contacted at the following details:

Tel: 0121 466 7033


Post:   Data Protection Officer
Corporate Affairs
Birmingham Community Healthcare NHS Foundation Trust
3 Priestley Wharf
Holt St
B7 4BN

To get further advice or to report a concern directly to the UK’s information regulatory authority you can do this by making contact with:

Information Commissioner’s Office
Wycliffe House
Water Lane

Tel: 0303 123 1113

Version 4: May 2018