Privacy Notice


St Andrew's is committed to protecting your privacy.

This General Privacy Notice is part of our layered scheme of documents explaining what personal information we collect about you, why, and how we use it.

It explains your rights and how to get help exercising those rights.

It links to several, more specific, Privacy Notices which we hope answer your particular questions.

If you are not sure we have made things clear, please contact our Data Protection Officer at

St Andrew's Healthcare is accountable for your personal data and under the Data Protection Act 2018 (and the General Data Protection Regulation (GDPR)) we are the ‘controller’ of the personal data we collect and hold about you.

The regulator is the Information Commissioner’s Office (“ICO”). The ICO website contains useful guidance about the law and your rights.

Your Rights

The law gives you a number of rights in relation to your personal information or ’data’.

In summary these are -

The right of access;

The right to have your data corrected;

The right have your data deleted;

The right to transfer your data;

The right to object to certain types of processing;

Not all these rights apply in all situations though and sometimes we have to reach a judgment based on the law and the best interest of the people concerned.

We will always do our best to respond helpfully to your requests.

You can contact the Information Governance Team, headed by the Data Protection Officer (DPO) at Data Protection Officer, St Andrew's Healthcare, Billing Road, Northampton, NN1 5DG.

Email: if you have a query or complaint.

You also have the right to make a complaint to the Information Commissioner’s Office at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. They have a helpline number which is 0303 123 1113.     

Changes to this Privacy Notice

We may need to change this notice from time to time to reflect changes in the way we use personal information or because of changes to the law. We reserve the right to make those changes as necessary and we recommend you revisit the website from time to time to check for any changes. If appropriate we will also notify you by email.

What Information do we collect?

We collect and process the following types of information:

Identity and contact details including your name; date of birth; gender; nationality; email address; telephone number; postal address; job title, role and responsibilities in the organisation; information about your membership of professional bodies and specialist interests.

Business information including information provided in the course of the contractual or professional relationship between you, your organisation and St Andrew's; or otherwise voluntarily provided by you or your organisation.

Technical data; for which see our Cookie Policy and Website Terms of Use.

Profile and usage data including your preferences in terms of receiving our marketing information and information about how you use our website; information about the interest you may have shown in particular services, specialisms, promotions or events at St Andrew's;

Physical access data including CCTV images of you and your vehicle and other electronic data relating to your access to our site and individual buildings.

Sensitive or ‘special category’ personal data –including health records; occupational health records; biometric data; criminal records history; information about your sexuality, sex life, racial or ethnic origin, mental health, genetic data, religious beliefs, political opinions.

We only collect the information we need for the particular purpose identified at the time.

Are we allowed to collect this information?

Very often we will obtain your consent (permission) to use your information.

If you have given your consent to our processing your information, you have the right withdraw that consent (partly or fully). If you would like to do this please use any unsubscribe link on our marketing communications or contact our information governance team by email at

We may ask you to show proof of your identity.

Alternatively, we may use the information because we are relying on one of the other legal justifications. (They are set out in the GDPR and are explained fully on the ICO’s website.) These include processing which is:

* necessary to fulfil a contract or take steps linked to a contract with you or your organisation;

* necessary to conduct our business and pursue our legitimate interests;

* necessary in order to comply with the law (such as compliance checks; tax records);

* necessary in order to provide you with health or social care; occupational medicine; fitness for work assessments or similar and to assist in the management of the healthcare system;

*  necessary for defending or making legal claims or assisting the courts.

Sharing your information

We may share your information:

• With the courts, law enforcement authorities; police; regulators; government departments and agencies; local authorities and expert witnesses where necessary in order to meet our legal obligations or pursue or defend claims in the courts or tribunals;

• With other health and social care providers, clinicians and administrators where this is necessary to help us provide our services or to protect your vital interests of the vital interests of another person;

• With our sub-contractors and service providers under contractual terms which provide appropriate safeguards for your privacy, including confidentiality provisions and controls over when and how any information may be transferred outside the European Economic Area;

• With the organisations that commission our services for patients such as NHS England.

• We will not sell your personal information or licence it on commercial terms.

We have processes and systems in place to ensure that sharing only takes place when sharing is appropriate and lawful and on terms that continue to safeguard your information. These include Data Protection Impact Assessments which are carried out whenever a new process or system is likely to involve processing personal data and which might create a new risk to your privacy.

Keeping your Information and updating it

It is important to us that the information we hold is kept up to date and accurate and is only kept for a long as is necessary.

Once we no longer need it we will delete it or destroy it securely (unless we need to keep a copy for lawful purposes).

If you want to provide us with updated information about you can do this by contacting the Data Protection Officer at

You can also contact us if you believe some information we have about you is incorrect or incomplete and ask us to consider whether it should be corrected.

Data Protection Impact Assessments

In order to comply with the law, St Andrew’s has to complete Data Protection Impact Assessments (DPIA). This is a process which helps assess privacy risks to individuals and identifies the legal basis for the collection, use and disclosure of information, known as processing.

All new projects, initiatives and processes that involve using or sharing personal information will require a Data Protection Impact Assessment at the initial stages and prior to any procurement decision being made. All Data Protection Impact Assessments when completed are submitted to the Data Protection Officer and/or Charity’s Information Governance Group for approval.

If you would like further information on the Data Protection Impact Assessments that are carried out, please contact the Data Protection Officer at


We maintain technical and administrative systems, processes and procedures designed to keep your information safe.

We hold ISO 27001 (which is an international information security standard).

We monitor, test and maintain our systems to identify and respond to any problems as quickly as possible.

Our staff are trained in how to protect your privacy and have a duty of confidentiality.

If ever there is a security breach that presents a high risk to your information we will try to inform you promptly so you can take any further steps that might be desirable.

Our arrangements with NHS England also require us to report serious privacy breaches to the NHS.

Links to our privacy notices can be found below:

Patients and Service Users Privacy Notice 

> Easy Read: Patients and Service Users Privacy Notice

> Carers, Families and Friends Privacy Notice

> Recruitment and Staffing Privacy Notice

> Sales and Marketing Privacy Notice

Other policies

> Terms of Use

> Cookies Policy

Company details

St Andrew’s Healthcare - A charitable company limited by guarantee. Company number: 5176998 (England). Charity number: 1104951. VAT number: 120 948 773

Registered Office: Billing Rd, Northampton NN1 5DG.