CUH Careers logo

Mobile menu open

Patient privacy notice

This Privacy Notice explains what information we collect about you, how we store this information, how long we retain it and who we may share your information with.

We also publish a number of specific notices, which will also be available on our website.

Why we collect personal information about you

Our staff caring for you need to collect and maintain information about your health, treatment and care, so that you can be given the best possible care.  This personal information can be held in a variety of formats, including electronic information in our Electronic Patient Record, in other computer systems, in video and audio files and in paper format.

Our legal basis for processing your personal information

Any personal information we hold about you is processed for the purposes of ‘provision of health or social care or treatment or the management of health of social care systems and services under chapter 2, section 9 of the Data Protection Act 2018.

For further information on this legislation please visit the government legislation website (opens in a new tab).

Personal information we need to collect about you and how we obtain it

Personal information about you is collected in a number of ways. This can be from referral details from your GP or another hospital, directly from you or your authorised representative.

We will likely hold the following basic personal information about you:

  • your name,  including your preferred name or maiden name
  • address (including correspondence)
  • telephone numbers including your mobile number
  • date of birth
  • next of kin contacts
  • your GP details, etc
  • your email address
  • marital status
  • occupation
  • overseas status

Your records are also identified by a hospital number, used only when in the hospital, and an NHS number, which can be used across the NHS.

In addition to the above, we may hold sensitive personal information about you which could include:  

  • Notes and reports about your health, treatment and care, including:
    • your medical conditions
    • results of investigations, such as x-rays and laboratory tests
    • future care you may need 
    • personal information from people who care for and know you, such as relatives and health or social care professionals 
    • other personal information such as smoking status and any learning disabilities 
  • Your religion and ethnic origin
  • Whether or not you are subject to any protection orders regarding your health, wellbeing and human rights (safeguarding status). 

It is important for us to have a complete picture of you as this will assist staff to deliver appropriate treatment and care plans in accordance with your needs.

What we do and might do with your personal information

What do we do with your personal information?

Your records are used to directly, manage and deliver healthcare to you to ensure that:

  • The staff involved in your care have accurate and up to date information to assess and advice on the most appropriate care for you.
  • Staff have the information they need to be able to assess and improve the quality and type of care you receive.
  • Appropriate information is available if you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or health provider.

What we may do with your personal information?

The personal information we collect about you may also be used to:

  • Remind you about your appointments and send you relevant correspondence.
  • review the care we provide to ensure it is of the highest standard and quality, e.g. through audit or service improvement;
  • support the funding of your care, e.g. with commissioning organisations;
  • prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies;
  • help to train and educate healthcare professionals;
  • report and investigate complaints, claims and untoward incidents;
  • report events to the appropriate authorities when we are required to do so by law; 
  • review your suitability for research study or clinical trial. 
  • contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients
  • Share your location within the Trust, such as the ward or department that you are in, with your relatives or representatives, subject to them providing sufficient information about you such as your full name, address and date of birth.
  • The Trust would like to include you in its development and may send you correspondence from time to time that you may find of interest. This could come from the Addenbrooke’s Charitable Trust, or from our Foundation Trust Membership Office

Where possible, we will always look to anonymise / pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it and we will only use / share the minimum information necessary.

Who we share your personal information with and why

We may need to share relevant personal information with other NHS organisations. For example, we may share your information for healthcare purposes with health authorities such as NHS England, Public Health England, other NHS trusts, general practitioners (GPs), ambulance services, primary care agencies, etc.  We will also share information with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs.  

We may need to share information from your health records with other non-NHS organisations from which you are also receiving care, such as Social Services or private care homes. However, we will not disclose any health information to third parties without your explicit consent unless there are circumstances, such as when the health or safety of others is at risk or where current legislation permits or requires it.

There are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

We may need to share your information with other organisations such as the ambulance service so that they can complete clinical audits.

The National Cancer Registration and Analysis Service (NCRAS) collects data on all cancer patients in the UK to better inform researchers and clinicians about the incidence of different types of cancer. Information collected includes, but is not limited to, your name, age, date of birth, and cancer diagnosis.

As part of Trust’s policy of openness and transparency towards all our patients, it is important that all cancer patients are aware of NCRAS, what it is, and how to opt-out if you wish to do so. For further information please go to national cancer registration and analysis service (NCRAS) (opens in a new tab), or alternatively you can contact the Trust’s Macmillan Cancer Information and Support Specialist on 01223 274421.

Patient information is shared with the National Congenital Anomaly and Rare Disease Registration Service (NCARDRS). NCARDRS is part of the National Disease Registration Service (NDRS), which is part of Public Health England (PHE) and records people with congenital abnormalities and rare diseases across the whole of England. The registration service provides a resource for clinicians to support high quality clinical practice, including epidemiology and monitoring of the frequency, nature, cause and outcomes of these disorders. The data shared includes patients NHS number and date of birth.

The National Cancer Registration and Analysis Service (NCRAS) collects data on all cancer patients in the UK to better inform researchers and clinicians about the incidence of different types of cancer. Information collected includes, but is not limited

There may also be situations where we are under a duty to share your information, due to a legal requirement. This includes, but is not limited to, disclosure under a court order, sharing with the Care Quality Commission for inspection purposes, the Health & Safety Executive if you are involved in a reportable accident whilst on site, the police for the prevention or detection of crime or where there is an overriding public interest to prevent abuse or serious harm to others and other public bodies (e.g. HMRC for the misuse of public funds in order to prevent and detect fraud). 

For any request to transfer your data internationally outside the UK/EU, we will make sure that an adequate level of protection is satisfied before the transfer.

The Trust is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. 

Personal information you provide to the Trust in confidence will only be used for the purposes explained to you and to which you have consented. Unless, there are exceptional circumstances, such as when the health or safety of others is at risk, where the law requires it or there is an overriding public interest to do so.  Where there is cause to do this, the Trust will always do its best to notify you of this sharing.

Cambridge University Hospitals NHS Foundation Trust participates in research to benefit patient care, and so your de-identified information could be studied, but only after appropriate ethical review and research governance approval. If your identifiable personal information (the information that identifies you) is to be used in research you will be asked for your consent. However, a specially appointed national body, the Confidentiality Advisory Group (CAG), may allow personal details to be used without consent in specific circumstances when the research is seen to be in the public interest.

Shared Health Care Record

With the implementation of the Shared Health Care record, access will be granted to service user records, to staff who are within a partner organisation, for the provision of joint or ongoing health or social care. This will be governed by RBAC controls, as agreed by the partnership.

The sharing of the service user records for the Shared Health Care Record will be done via a common platform, which has been ratified as secure for this purpose. Information will be shared in line with all appropriate Data Protection legislation, including the Common Law Duty of Confidentiality where appropriate.

Staff will be able to view the data in read only format and will not be able to download into local systems.

How we maintain your records

Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.

We hold and process your information  in accordance with the Data Protection Act 2018 (subject to Parliamentary approval) as amended by the GDPR 2016, as explained above.  In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements. 

We have a duty to:

  • maintain full and accurate records of the care we provide to you;
  • keep records about you confidential and secure;
  • provide information in a format that is accessible to you.

The following staff groups may have access to the information we hold about you: 

  • clinical staff such as nursing or medical, allied health professionals and support staff
  • administration/management 
  • safeguarding team
  • laboratory staff
  • data analysis’s/auditors
  • patient advice and liaison service and medical legal

Use of Email - Some services in the Trust provide the option to communicate with patients via email.  Please be aware that the Trust cannot guarantee the security of this information whilst in transit, and by requesting this service you are accepting this risk.

Your rights

If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The  Data Protection Act 2018 gives you certain rights, including the right to:

  • Request access to the personal data we hold about you, e.g. in health records.  The way in which you can access your own health records is further explained in our Access to Health Records Procedure. 
  • Request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards.  This is also explained in our Access to Health Records Procedure.
  • Refuse / withdraw consent to the sharing of your health records: Under the Data Protection Act 2018, we are authorised to process, i.e. share, your health records ‘for the management of healthcare systems and services’. Your consent will only be required if we intend to share your health records beyond these purposes, as explained above (e.g. research).  Any consent form you will be asked to sign will give you the option to ‘refuse’ consent and will explain how you can ‘withdraw’ any given consent at a later time. The consent form will also warn you about the possible consequences of such refusal / withdrawal. 
  • Request your personal information to be transferred to other providers on certain occasions.
  • Object to the use of your personal information: In certain circumstances you may also have the right to ‘object’ to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment (e.g. as part of a local / regional data sharing initiative). 
  • We will always try to keep your information confidential and only share information when absolutely necessary. 

If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter.

Our data protection officer

Please contact the Information Governance Lead:

Michelle Ellerbeck
Information governance lead / Data Protection Officer
Cambridge University Hospitals NHS Foundation TrustBox 153
Hills Road

Or email general data protection regulation.

The information commissioner

The information commissioner’s office (ICO) (opens in a new tab) is the body that regulates the Trust under Data Protection and Freedom of Information legislation. If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the. ICO at:

Information Commissioner's Office
Wycliffe House
Water Lane

Telephone: 0303 1231113 (local rate) or 01625 545745 if you prefer to use a national rate number
Fax: 01625 524510

Email ICO