
Privacy notice

Protecting your confidentiality 

This Fair Processing Notice informs all users of Buckinghamshire Healthcare NHS Trust how we use the information we collect, who we share it with and how we maintain patient confidentiality.

If you would prefer to, you can view an easy to read version of this privacy notice.

When visiting our website a number of small pieces of data called cookies are placed onto your computer. This just helps us know that someone has visited. We have listed the cookies in the cookie policy.

Here at Buckinghamshire Healthcare NHS Trust we collect and process personal and sensitive data about our service users to ensure that you receive the best possible treatment and care.

Information is collected in a number of ways, either via your healthcare professional, referral details from your GP or other referrers, or directly given by you.

The Trust has to provide a legal basis for the processing of your information.  Under the Data Protection Act, the Trust may process information which is appropriate to provide the health and social care treatment to patients, as well as the management of health or social care systems and services.

Your information is never collected for direct marketing purposes and is not sold on to any other third parties.

We collect information and maintain records about your health and treatment in order to make sure that you receive the best possible care.  This information may be stored electronically or in written form and may include the following:

  • Details such as your name, address, date of birth, next of kin, ethnicity and contact details.
  • Details about your care and treatment such as appointments, test results, medical history, symptoms, prescriptions, x-rays.
  • Relevant information from other health and social care professions who care for you

This information assists staff involved in your care to deliver and provide improved care and deliver appropriate treatment and care plans to meet your needs. All information about you is treated confidentially and only ever shared on a ‘need to know’ basis.

It is essential therefore that your details are accurate and up to date. Always check that your personal details are correct and up to date when you visit us and please inform us of any changes as soon as possible.

CCTV cameras are installed around the Trust to assist in the prevention, investigation and detection of crime and anti-social activity. CCTV recording and equipment are securely stored in a restricted area and password protected. All images are deleted after a set period, unless the images are required for the prevention and detection of crime.

Body Worn Cameras are used within the Trust by security personnel to assist with deterring acts of aggression or verbal and/or physical abuse towards staff. The cameras are worn in a prominent position and used in an open and honest manner. Images captured by body worn cameras will be deleted directly from the camera unless required for evidence purposes. If this is the case, footage may be handed over to the Police if it is required to form part of a criminal record.

Here at Buckinghamshire Healthcare NHS Trust we take our duty to protect your personal information and confidentiality very seriously and everyone working for the NHS has a legal duty to keep information about you confidential and secure, as set out in the NHS Confidentiality Code of Conduct. The information is held and processed in accordance with and under the legal governance of:

  • Data Protection Act 2018
  • UK General Data Protection Regulation
  • Human Rights Act 1998
  • Health and Social Care Act 2015
  • Common Law Duty of Confidentiality
  • The Health Service Act 2006
  • Records Management Code of Practice 2021- NHSX

We are regularly audited and assessed to ensure that appropriate security measures and good practice are in place. We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel only.

The Trust has appointed a Senior Information Risk Owner, who provides the focus for the management of information risk and provides our Trust Board with assurance that information risk is being managed appropriately and effectively across the organisation. We have also appointed a Caldicott Guardian, who is a senior health professional responsible for protecting the confidentiality of patient and service-user information and enabling and overseeing appropriate information-sharing.

All employees of the Trust are bound by the terms and conditions of their professional ethic codes of practice and contractual employment contract. Only authorised staff who have a legitimate involvement in your care are given access to your records. Any potential breach of confidentiality is a staff disciplinary offence and is taken very seriously. We also ensure that other organisations e.g. suppliers who support us, have adequate information security standards in place.

All information held by the Trust is used specifically for the purposes it was consented to unless statutory legislation permits otherwise, for example disclosure is required to protect the health and safety of others who may be put at risk, or there is an urgent safeguarding matter to resolve.

We will only keep your information as long as is necessary and in accordance with the retention periods set out in the Record Management Code of Practice 2021- NHSX. All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.

Direct care purposes

The Trust will normally share information about you with other health and social care professionals directly involved in your care, so that you may receive the best quality of care.

The Trust also works in partnership with several NHS and Non-NHS organisations to deliver joined up, integrated services to assist with giving you the best care possible. This may involve the Trust routinely sharing information with third parties where there is a genuine need for information to be shared, and they are subject to strict information sharing protocols. Data sharing agreements with third party organisations are in place to ensure that the requirements of law and guidance are being met. Anyone who receives information from the Trust has a legal duty to keep it confidential and secure. Only information that is required and appropriate to support your care and treatment will be provided.

Where we share information with other organisations that do not form part of your care, permission from yourself will be sought before disclosure, unless we have a legal obligation to provide the information or public interest is thought to be of greater importance.

Principal organisations we share information with include:

  • NHS trusts involved in your care
  • GPs
  • Ambulance Services
  • Private health sector providers who work with the Trust

Buckinghamshire’s Shared Care Record and the Thames Valley and Surrey Local Health and Care Record (LHCR)

Within Buckinghamshire, the Trust participates in a Shared Care Record which provides authorised health and social care staff e.g. Emergency Department, Minor Illness and Injury Unit, 111 Out of Hours, with controlled access to relevant information to help them to make informed decisions about your care and treatment.  The Trust is moving to an Integrated Care Partnership in which healthcare providers, commissioners and local authorities take explicit collective responsibility for resourcing the provision of health in our area. Your information may be securely shared between members of the consortium through the shared care record, to ensure that the optimum timely care is provided to you. Employees are only allowed to access the information necessary to effectively perform their job duties using role-based access controls and discretionary access only.

Buckinghamshire’s shared care record is part of the Thames Valley and Surrey (TVS) Local Health and Care Record (LHCR) Partnership, which has the same aim, but on a wider footprint and helps ensure the right services are available wherever and whenever someone needs care. TVS will use the same data for the same purposes for when/if you receive treatment across TVS. It allows patient data and patient health and care information to be shared across Berkshire, Buckinghamshire, Milton Keynes, Oxfordshire and Surrey (Thames Valley and Surrey).

All information will be stored securely on a protected NHS IT system and only accessed by authorised professionals.

If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable. Please discuss any concerns with the clinician treating you so that you are aware of any potential impact.

If you object to us sharing your information we will record this explicitly within your records so that all healthcare professionals and staff involved with your care are aware of your decision. You can also change your mind at any time about a disclosure decision.

The Trust has a legal obligation to share data where it is in respect of:

  • The notification of births
  • Where a formal court order has been served on us
  • To third parties such as the Police, the Department of Work and Pensions and anti-fraud agencies where it is for the purpose of the prevention and detection of crime and fraud
  • To protect public interest
  • To safeguard vulnerable children and adults
  • Health and safety purposes

(This list is not exhaustive.)

We may also share anonymised data with Clinical Commissioning Groups for performance and commissioning purposes.

Indirect care purposes

Your information will also be used to help us manage and improve the NHS and protect the health of the public by using it to:

  • Review the care we provide to ensure it is of the highest standard and quality
  • Ensure our services can meet patient needs in future
  • Investigate patient queries, complaints and legal claims
  • Ensure the hospital receives payment for the care you receive
  • Prepare statistics on NHS performance
  • Audit NHS accounts and services
  • Undertake health research and development (with your consent)
  • Help train and educate healthcare professionals
  • Patient Satisfaction Surveys

Nationally there are strict controls on how your information is used for these purposes. These regulate whether your information must be anonymised first and with whom we may share identifiable information.

In addition, we may arrange for overseas or external transcription companies to type dictated correspondence. In order to maintain confidentiality, your name and address is not added until the typed correspondence has been returned to us, so it is not possible for anyone outside the Trust to identify you. Any transfer will be made in full compliance with all aspects of the Data Protection requirements.

The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of this helps to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent. Where information sharing is required with third parties, we will always have a relevant contractual obligation and Data Sharing Agreement or Data Processing Agreement in place.

Our legal basis for processing your personal information

As part of the Trust’s requirements under the law, it must demonstrate clear legal reason for collecting, using, sharing and retaining personal data about you. For personal data used in the provision of health and social care our basis is outlined as ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority’ under 6(1)(e) of GDPR. This is because the Trust is a public organisation providing a healthcare service and is required to use names, addresses or other personal data to deliver this.

The Trust’s legal basis for using sensitive personal data (called ‘special categories of personal data’ under GDPR) is that this is necessary for the ‘provision of health or social care or treatment or the management of health or social care systems and services’ under 9(2)(h) of GDPR. This is because the Trust must use health and social care information about you in the delivery of your care.

These points also cover the use of data for clinical audits, service improvement and sharing with other health or social care providers when necessary as part of our service delivery.

There may be times when the Trust uses other different legal bases for other services it provides (e.g. research). In most instances, the information will be made anonymous so that you cannot be identified. If this is not possible, we will ask your permission and may have to request approval from the NHS Health Research Authority’s Confidentiality Advisory Group. In some instances, Confidentiality Advisory Group approval may already be in place if the information requested is part of a research project.

As well as the right to privacy and to expect the NHS to keep your information confidential and secure, you have certain other legal rights, including a right to have your information processed fairly and lawfully. These are:

  • Right to be informed – This encompasses our obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over why, where and how we use personal data
  • Right of access – You have the right to obtain confirmation that your data is being processed and for what purposes. You can request a copy of your health record and other supplementary information we hold about you. This is commonly known as a Subject Access Request
  • Right to object – You have the right to object to us making use of your information for any reason other than direct healthcare e.g. processing for purposes of scientific/historical research and statistics, direct marketing including profiling.
  • Right to restrict processing – You can ask us to change or restrict the way we use your information. This is not an absolute right and only applies in certain circumstances
  • Right to erasure – You have the right to ask for your information to be erased where there is not a legal ground to keep it, or compelling reason for its continued processing, and to prevent processing in specified circumstances. However, this depends on the legal justification for why you provided the data. For instance, medical records are collated under the Health and Social Care Act and therefore are not able to be erased.
  • Right to rectification – You have the right to have your personal data rectified if you believe it to be incomplete or inaccurate
  • Right to data portability – Allows you to obtain and reuse your personal data for your own purposes, across different services
  • You have the right to prevent automatic decision making. This means to not be subject to a decision based solely on automated processing (e.g. the decision is made via a computer).
  • You have the right to prevent profiling. This is when the recording and analysis of a person’s psychological and behavioural characteristics are used. However, health profiling is sometimes essential to help us support wellness.

The NHS Constitution states, “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objection considered”.

In order for us to consider your request please contact us in writing either by letter to:

Medical Records Department
Stoke Mandeville Hospital
Buckinghamshire Healthcare NHS Trust
Mandeville Road
Bucks HP21 8AL

or via email at

The national data opt-out, introduced on 25 May 2018, is a new service that allows people to opt out of their confidential patient information being used for research and planning.

Further information can be found on the following website:

To register your choice to opt out if you do not want your data to be used for research and planning, visit  If you choose to opt out you can still consent to your data being used for specific purposes.

Buckinghamshire Healthcare NHS Trust has put systems and processes in place to ensure compliance with the National Data opt-out.

We have charitable funds which are administered by the Trust charity the Buckinghamshire Healthcare NHS Trust Charitable Fund, Registered Number: 1053113.

We shall endeavour to ensure that the personal information we obtain will always be held, used and otherwise processed in accordance with the UK GDPR and Data Protection Act 2018 and all other applicable data protection laws and regulations.

We collect personal information when you donate money, undertake fundraising activities, ask about our activities, register on our website, order products and services (such as publications and email newsletters), or otherwise give us personal information online, in paper or electronic form, over the phone or face to face. We only collect your debit/credit card details if you provide them to us to make a donation. The card details are deleted once the donation is processed. We only collect bank account details if you set up a direct debit payment for regular donations to us.

We do not and never will sell or swap your data. We will use your personal information to provide you with the services, products or information you have requested, for administration purposes and to further our charitable aims, including for fundraising activities. We may need to share your information with our service providers such as external mailing houses that process our appeals. We will always have strict data protection arrangements in place with these fulfilment organisations. Any information we collect is stored and processed in the UK. We reserve the right to share your personal information if we are legally obliged to and to enable us to apply our terms and conditions and other agreements. This includes exchanging information with other organisations for fraud and credit risk reduction and for police investigations. We will ensure that there are appropriate technical controls in place to protect your personal details and our network is protected and routinely monitored.

The charity fund raising makes a significant contribution to the quality of care provided by the Trust by supporting research, enabling the provision of additional facilities or equipment that enhances patient experience. The Charity has always adopted the Mission, Vision, Values and Aims from the Trust.

When attending the Trust for an outpatient appointment or procedure, patients may be asked to confirm their contact number/mobile telephone number and email address. We may use these details or where you have provided your contact details for the National Summary Care Record via your GP, to contact you or send your appointment details and reminder messages.

Most of our patients appreciate these reminders and it can help in reducing the number of missed appointments. If you do not wish to receive these texts or be contacted in this way, please inform the relevant department involved.

We run surveys to improve the quality of care and treatment provided to patients, by contacting patients or their carers after discharge from hospital. If you do not wish to be contacted in this way, please inform the ward staff during admission.  The Trust may also use your details to contact you with regards to patient satisfaction surveys or clinical audits, including National Audits relating to services you have used within our hospital. This is to improve the way we deliver healthcare to you and other patients.

The Trust may also pass your contact information to approved contractors to carry out surveys for the purpose of NPSP. Only anonymised reports produced by the survey programme are used to help make service improvements.

We may process anonymised, pseudonymised or limited Personal Confidential Data (PCD) with other public sector organisations for the purposes of clinical audit or patient satisfaction surveys e.g. the National Audit of Care at the end of Life (NACEL).

Details about any such surveys will be informed through posters and leaflets to enable you to make an informed decision. Any objection to taking part will be respected and you have the right to opt-out of this.

Patients can make a choice about how their data is used by following this link

Preferences can be changed at any point.

By staff we mean applicants, employees, former employees, agency staff, apprentices, volunteers, trainees, secondees and contractors.


To carry out our activities and obligations as an employer we process your personal information where required, where the processing is necessary for the purposes of a contract of employment we have with you. In some cases, we may process information only once we have received your consent for us to do so. In other cases, we will process data in order to comply with legal requirements, both contractually and non-contractually. The reasons for which we may process your personal data may include (but are not limited to):

  • Staff administration (including payroll)
  • Pensions administration
  • Workforce planning, and provision of facilities such as estates, car parking and IT
  • Equal Opportunities Monitoring

Our legal bases for processing employment data

We process and share your information under Article 6 1(b) of the General Data Protection Regulation (processing is necessary for the performance of a contract), Article 6 1(a) (consent has been given for the processing of personal data) – this mostly applies to the sensitive categories of information you give us when you apply for a job as this ensures we treat you fairly and equitably. We will also seek your consent if we want to refer you to occupational health or similar external agencies.

We may be required by law to share information about you. This includes preventing and detecting fraud, disclosure under a court order, to HM Revenue and Customs, Pensions Agencies, with the police for the prevention and detection of serious crime, or where there is an overriding public interest to prevent abuse or serious harm to others.

The UK General Data Protection Regulation and Data Protection Act 2018 give you the right to access the information we hold about you. Requests must be made in writing to:

Medical Records Department
Stoke Mandeville Hospital,
Mandeville Road,
HP21 8AL

The Freedom of Information Act 2000 provides members of the public access to recorded official information held by public authorities, subject to exemptions. For more details or to request some information from us, please visit the link below.

The Accessible Information Standard became a legal requirement as of 31st July 2016. Organisations must provide one or more communication or contact methods which are accessible to and useable by all. Effective information and communication are vital components of a ‘patient centred’ NHS and it is important therefore, that information is presented in an accessible way and in a range of formats and languages.

If you have particular communication needs, we can help you. Please refer to the Accessibility section of our ‘how we support you’ page which explains how we can help and who to contact.

Patients who have a concern about any aspect of their care or treatment at this Trust, or about the way their records have been managed, should contact the Patient Advice and Liaison Service (PALS) or write to:

Complaints Department
Trust Offices, Amersham Hospital
Buckinghamshire Healthcare NHS Trust
Whielden Street
Bucks HP7 0JD

A Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

The Data Controller responsible for keeping your information confidential is:

Buckinghamshire Healthcare NHS Trust
Trust Headquarters
Hartwell Wing
Stoke Mandeville Hospital
Mandeville Road
Bucks   HP21 8AL

The ICO is the UK’s independent regulatory body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

We are data protection registered with the ICO, registration number Z7752080

Patients have the right to complain to the Information Commissioner, the supervisory authority, if they should ever be dissatisfied with the way the Trust has handled or shared their personal information:

The Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane
Cheshire SK9 5AF

Tel: 0303 123 1113 or 01625 545745
Information Commissioner’s Office website

For further information please contact:

Data Protection Officer
Information Governance Department
IT Hub, Haleacre Unit
Amersham Hospital
Whielden Street
Bucks, HP7 0JD