


Patient and Service User Privacy Notice

About this notice and who it applies to

Data Protection law determines how organisations can use personal information.

In accordance with the Data Protection Act 2018, individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the legislation.

We recognise the need to treat personal data in a secure, fair and lawful manner. No personal information held by St Andrew’s Healthcare will be processed unless the requirements for fair and lawful processing can be met.

This privacy notice applies to patients and service users.

This notice contains information about how the Charity processes your personal data and your rights in relation to this processing including what to do if you have a query or complaint.

Please also see our general Privacy Notice for further details.

Please click here for our easy read version of the Patient and Service User Privacy Notice

What personal information we may collect

In order to provide services to you, St Andrew’s may collect and use your personal data including, for example:


  • Personal details such as name, date of birth, home address, NHS number and the name of your General Practitioner (GP)
  • Details of your mental condition, including any medications you are taking and the side effects
  • Medical records whilst at St Andrew’s and any previous placements
  • Contacts such as nearest relative, main carer, next of kin, external health professionals and your Solicitor
  • Bank details if you wish to have a St Andrew’s finance account
  • Criminal offence details (if applicable)
  • Education and learning records
  • Information about your personal interests
  • Relevant information relating to risks, behaviour, special needs and allergies, and useful interventions to ensure safe and productive delivery of our service

Raising a query or concern

If you have a query or concern about any aspects of this privacy notice, or how your data is handled, please contact the Charity’s Data Protection Officer:

Data Protection Officer
St Andrew’s Healthcare

If you remain unsatisfied you also have the right to raise your concern externally with the Information Commissioner’s Office:

The Information Commissioner's Office
Wycliffe House
Water Lane

Additional rights

In certain circumstances, you may also have the right to:


  • Object to the processing of personal data that is likely to cause, or is causing, damage or distress
  • Have inaccurate personal data rectified, blocked, erased or destroyed
  • Object at any time to processing of personal data concerning you for direct marketing


If you wish to exercise them, please let us know by contacting our Data Protection Officer (details at the bottom of this privacy notice).

Access to personal information

Data protection law gives you the right to access the information that we hold about you. This includes supplementary information about the processing that this privacy notice is designed to address.

Requests for access to patient/service user records can be made verbally or in writing to:

Health Records Office
St Andrew’s Healthcare

Telephone: 01604 616000

We will need to check that you are who you say you are. Therefore you may be asked to provide:


  • Identification
  • Relevant information (for example full name, address, date of birth, staff number, etc.)


We may ask you for further information to help us locate what you are looking for.

We aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within one calendar month of receipt, unless there is a reason for delay that is justifiable under the law.

If a subject access request is made and the request for access is thought to be unfounded or excessive, or if you ask for more than one copy of the information, we may ask you to pay a fee to cover the costs.

Retention and disposal of personal information

We will only keep information for as long as necessary. Records are managed in line with our Records Management Policy. This ensures that we regularly review records and securely destroy records at the right time. There are times when we need to keep some information for longer so we can comply with the law.

Keeping your personal information up to date

It is important that the information which we hold about you is up to date and accurate. If your personal details change or if they are currently inaccurate then it is important that you let us know by contacting the Charity’s Data Protection Officer using the contact details at the bottom of this privacy notice.

Any corrections which are needed will be made promptly and we will promptly inform any third parties who have received the incorrect information from us, so that they can amend their records.

Security of your information

We take our duty to protect your personal information and confidentiality very seriously. The Charity is accredited to an international security standard, and we take all steps to ensure we have the right technical and organisational security control measures in place to protect your personal data from harm.

We have made some senior employees specifically responsible for data protection and confidentiality. For example, we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information associated risks and incidents, and a Caldicott Guardian who is responsible for the management of confidential patient information.

There is a Data Protection Officer who has specific responsibility for and knowledge of data protection compliance, covering all aspects of this privacy notice.

There are policies and procedures in place which are regularly reviewed and updated to ensure staff understand their responsibilities towards protecting personal data and we ensure that our staff regularly undertake data protection training.

We ensure that any third parties who process your personal data on our behalf are contractually obliged to comply with our data protection and information security policies and procedures.

Sharing your information

To provide you with the best care possible, we may need to share your information with others. We will only share your information in the following circumstances:


  • Where you have given your consent to the information being shared
  • Where there are issues or concerns, like the health and safety of yourself or others
  • Where there is a legal requirement or responsibility on us to share the information


Examples of third parties we may need to share your information with include, but are not limited to:


  • Central and local government agencies and departments
  • General Practitioners (GPs)
  • Commissioners
  • Healthcare and Safeguarding bodies
  • Police, courts and prisons


Any disclosures of personal data are made only on a case-by-case basis, using the minimum personal data necessary and with the appropriate security controls in place.

Why we need to process your personal data

There are a number of direct care purposes for which we may need to process your personal data, which include:


  • To help inform decisions that we make about your care and treatment
  • To ensure that your treatment is safe and effective
  • To work effectively with other organisations and individuals who may be involved in your care


We may process your information without your knowledge or consent where this is permitted by law.

We will only process your personal data for the reason it was collected. An exception would be where it is needed for another purpose and the reason is compatible with the original purpose for processing.

We will notify you of any material changes to information which we collect or the purpose for which we collect and process it, and explain the legal basis for doing that.

Additionally, we may use information we hold about you for the following indirect care purposes:


  • Ensure our services can meet future needs
  • Investigate patient queries, complaints and legal claims
  • Review the care we provide to ensure that it is of the highest standard and quality
  • To prepare statistics on our performance
  • Help train and educate healthcare professionals
  • Undertake health research and development (with your consent; you may choose whether or not to be involved)

Nationally there are strict controls on how your information is used for these purposes. These decide whether your information has to be de-identified first and with whom we may share identifiable information.

Much of the care we provide to patients is commissioned by our NHS partners and in May 2018 strict rules around how your data can and cannot be used were tightened. You can choose whether your confidential patient information is used for research and planning by the NHS. If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service.

To find out more or to make your choice visit, or call 0300 303 5678.

Lawful basis for processing your personal data

We will only use your data where the law allows us to. Most commonly, we will process your personal data in the following circumstances:


  • Where you have given consent
  • Where it is necessary so that we can provide healthcare for you
  • To comply with the law (for example, the Mental Health Act 1983)
  • To help detect or prevent crime
  • When it is necessary to protect the vital interests of an individual (for example, in a medical emergency)
  • Where it is necessary for our legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect your personal data which overrides those legitimate interests)

How the Charity obtains your personal data

If you come to us through your GP, local authority or another health or social care authority, they will provide us with a variety of information, including your name, contact details and medical history. This would include any significant episodes that we need to be aware of in order to assess your needs and deliver the right care and service to you.

We also conduct independent mental health reviews or medico legal reports for solicitors, the Crown Prosecution Service, the Police, Courts, Coroners, Magistrates and other healthcare providers etc. In order to provide this service, we will usually obtain information about you from these organisations, and use the information you have provided to us.

Data Protection Notification with the Information Commissioner’s Office

St Andrew’s Healthcare is registered as a ‘data controller’ with the Information Commissioner’s Office.

The details of the Charity’s notification are available on the ICO’s Data Protection Public Register.

St Andrew’s registration number is Z5735699.

NHS National Data Opt-Out

Privacy Notice - NHS National Data Opt-Out

The information collected about you when you use our services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • Improving the quality and standards of care provided
  • Research into the development of new treatments and practices
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services

All these uses help to provide better healthcare.

Confidential patient information about your health and care is only used like this where allowed by law.

We only do this when there is a clear legal basis to use this information. Currently, we ensure that anonymised data is used, wherever possible, so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. Otherwise, you have the right to opt out through the NHS National Data Opt-Out. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

Should a situation arise where we did need to use or share confidential patient information for one of these purposes, and we had a lawful right to do so, we would first consult the NHS National Data Opt-Out information in order to determine whether we could or could not include your confidential patient information.

To find out more or to register your choice to opt out, please visit the NHS website

On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used on the NHS Health Research Authority website (which covers health and care research), and on the Understanding Patient Data website (which covers how and why patient information is used, the safeguards and how decisions are made).

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.