Patient and Service User Privacy Notice

About this notice and who it applies to

Data Protection law determines how organisations can use personal information.

In accordance with the Data Protection Act 2018, individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the legislation.

We recognise the need to treat personal data in a secure, fair and lawful manner. No personal information held by St Andrew’s Healthcare will be processed unless the requirements for fair and lawful processing can be met.

This privacy notice applies to patients and service users.

This notice contains information about how the Charity processes your personal data and your rights in relation to this processing including what to do if you have a query or complaint.

Please also see our general Privacy Notice for further details.

Please click here for our easy read version of the Patient and Service User Privacy Notice

What personal information we may collect

In order to provide services to you, St Andrew’s may collect and use your personal data including, for example:


  • Personal details such as name, date of birth, home address, NHS number and the name of your General Practitioner (GP)
  • Details of your mental condition, including any medications you are taking and the side effects
  • Medical records whilst at St Andrew’s and any previous placements
  • Contacts such as nearest relative, main carer, next of kin, external health professionals and your Solicitor
  • Bank details if you wish to have a St Andrew’s finance account
  • Criminal offence details (if applicable)
  • Education and learning records
  • Information about your personal interests
  • Relevant information relating to risks, behaviour, special needs and allergies, and useful interventions to ensure safe and productive delivery of our service

Raising a query or concern

If you have a query or concern about any aspects of this privacy notice, or how your data is handled, please contact the Charity’s Data Protection Officer:

Data Protection Officer
St Andrew’s Healthcare


If you remain unsatisfied you also have the right to raise your concern externally with the Information Commissioner’s Office:

The Information Commissioner's Office 
Wycliffe House
Water Lane

Additional rights

In certain circumstances, you may also have the right to:


  • Object to the processing of personal data that is likely to cause, or is causing, damage or distress
  • Have inaccurate personal data rectified, blocked, erased or destroyed
  • Object at any time to processing of personal data concerning you for direct marketing


If you wish to exercise any of these rights, please let us know by contacting our Data Protection Officer (details at the bottom of this privacy notice).

Access to personal information

Data protection law gives you the right to access the information that we hold about you. This includes supplementary information about the processing that this privacy notice is designed to address.

Requests for access to patient/service user records can be made verbally or in writing to:

Health Records Office
St Andrew’s Healthcare

Telephone: 01604 616000

We will need to check that you are who you say you are. Therefore you may be asked to provide:


  • Identification
  • Relevant information (for example full name, address, date of birth, staff number, etc.)


We may ask you for further information to help us locate what you are looking for.

We aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within one calendar month of receipt, unless there is a reason for delay that is justifiable under the law.

If a subject access request is made and the request for access is thought to be unfounded or excessive, or if you ask for more than one copy of the information, we may ask you to pay a fee to cover the costs.

Retention and disposal of personal information

We will only keep information for as long as necessary. Records are managed in line with our Records Management Policy. This ensures that we regularly review records and securely destroy records at the right time. There are times when we need to keep some information for longer so we can comply with the law.

Keeping your personal information up to date

It is important that the information which we hold about you is up to date and accurate. If your personal details change or if they are currently inaccurate then it is important that you let us know by contacting the Charity’s Data Protection Officer using the contact details at the bottom of this privacy notice.

Any corrections which are needed will be made promptly and we will promptly inform any third parties who have received the incorrect information from us, so that they can amend their records.

Security of your information

We take our duty to protect your personal information and confidentiality very seriously. The Charity is accredited to an international security standard, and we take all steps to ensure we have the right technical and organisational security control measures in place to protect your personal data from harm.

We have made some senior employees specifically responsible for data protection and confidentiality. For example, we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information associated risks and incidents, and a Caldicott Guardian who is responsible for the management of confidential patient information.

There is a Data Protection Officer who has specific responsibility for and knowledge of data protection compliance, covering all aspects of this privacy notice.

There are policies and procedures in place which are regularly reviewed and updated to ensure staff understand their responsibilities towards protecting personal data and we ensure that our staff regularly undertake data protection training.

We ensure that any third parties who process your personal data on our behalf are contractually obliged to comply with our data protection and information security policies and procedures.

Sharing your information

To provide you with the best care possible, we may need to share your information with others. We will only share your information in the following circumstances:


  • Where you have given your consent to the information being shared
  • Where there are issues or concerns, like the health and safety of yourself or others
  • Where there is a legal requirement or responsibility on us to share the information


Examples of third parties we may need to share your information with include, but are not limited to:


  • Central and local government agencies and departments
  • General Practitioners (GPs)
  • Commissioners
  • Healthcare and Safeguarding bodies
  • Police, courts and prisons


Any disclosures of personal data are made only on a case-by-case basis, using the minimum personal data necessary and with the appropriate security controls in place.

Why we need to process your personal data

There are a number of direct care purposes for which we may need to process your personal data, which include:


  • To help inform decisions that we make about your care and treatment
  • To ensure that your treatment is safe and effective
  • To work effectively with other organisations and individuals who may be involved in your care


We may process your information without your knowledge or consent where this is permitted by law.

We will only process your personal data for the reason it was collected, unless it is needed for another purpose and that reason is compatible with the original purpose for processing.

We will notify you of any material changes to information which we collect or the purpose for which we collect and process it, and explain the legal basis for doing that.

Additionally, we may use information we hold about you for the following indirect care purposes:


  • Ensure our services can meet future needs
  • Investigate patient queries, complaints and legal claims
  • Review the care we provide to ensure that it is of the highest standard and quality
  • To prepare statistics on our performance
  • Help train and educate healthcare professionals
  • Undertake health research and development (with your consent; you may choose whether or not to be involved)

Nationally there are strict controls on how your information is used for these purposes. These decide whether your information has to be de-identified first and with whom we may share identifiable information.

Much of the care we provide to patients is commissioned by our NHS partners, and in May 2018 the strict rules around how your data can and cannot be used were tightened. You can choose whether your confidential patient information is used for research and planning by the NHS. If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service.

To find out more or to make your choice visit, or call 0300 303 5678.

Lawful basis for processing your personal data

We will only use your data where the law allows us to. Most commonly, we will process your personal data in the following circumstances:


  • Where you have given consent
  • Where it is necessary so that we can provide healthcare for you
  • To comply with the law (for example, the Mental Health Act 1983)
  • To help detect or prevent crime
  • When it is necessary to protect the vital interests of an individual (for example, in a medical emergency)
  • Where it is necessary for our legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect your personal data which overrides those legitimate interests)

How the Charity obtains your personal data

If you come to us through your GP, local authority or another health or social care authority, they will provide us with a variety of information, including your name, contact details and medical history. This would include any significant episodes that we need to be aware of in order to assess your needs and deliver the right care and service to you.

We also conduct independent mental health reviews or medico-legal reports for solicitors, the Crown Prosecution Service, the Police, Courts, Coroners, Magistrates and other healthcare providers etc. In order to provide this service, we will usually obtain information about you from these organisations, and use the information you have provided to us.

Data Protection Notification with the Information Commissioner’s Office

St Andrew’s Healthcare is registered as a ‘data controller’ with the Information Commissioner’s Office.

The details of the Charity’s notification are available on the ICO’s Data Protection Public Register.

St Andrew’s registration number is Z5735699.