Information Requesters Privacy Notice
PLEASE NOTE – this privacy notice supports the integration of the Royal Devon and Exeter NHS Foundation Trust and Northern Devon Healthcare NHS Trust. There may be differences in systems and processes as the organisations integrate with each other and this privacy notice is subject to change.
This Privacy Notice explains what information we collect about you, how we store this information, how long we retain it and with whom and for which legal purpose we may share it.
To find out more about our Privacy Notice, please select the relevant hyperlink below:
Why do we collect personal information about you?
Our purpose for processing your personal data is so we can fulfil your information request to us. This enables us to comply with our legal obligations under the legislation we are subject to:
- UK General Data Protection Regulation (2016)
- Data Protection Act (2018)
- Freedom of Information Act (2000)
- Environmental Information Regulations (2004)
- Re-use of Public Sector Information Regulations
- Human Rights Act 1998
NHS Act 2006
What is our legal basis for processing personal information about you?
The lawful basis for this is article 6(1)(C) of the GDPR, which relates to processing necessary to comply with a legal obligation to which we are subject.
If any of the information you provide us in relation to information request contains special category data, such as health, religious or ethnic information the lawful basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights. And Schedule 1 part 2(6) of the DPA2018 which relates to statutory and government purposes.
What personal information do we need to collect about you and how do we obtain it?
We need information from you to respond to you and to locate the information you are looking for.
If you are making a request about your personal data, or are acting on behalf of someone making such a request, then we may ask for proof of your identity. If it is relevant, we will also ask for information to show you have authority to act on someone else’s behalf.
What do we do with your personal information?
The data you provide will be used so that you are able to exercise your lawful rights under the relevant legislation. We may be required to share the data with the relevant departments/employees who may hold the data you require to enable us to respond to your request.
When we receive a request from you, we will set up an electronic case file containing the details of your request. This normally includes your contact details and any other information you have given us. We will also store on this case file a copy of the information that falls within the scope of your request.
We will use the information supplied to us to process your information request and check on the level of service we provide.
How we maintain your records
We have a duty to:
- maintain accurate records;
- keep records about you confidential and secure;
- provide information in a format that is accessible to
Once a request has been completed, the relevant data will be held by the Information Governance Team for three years (extended to six years if there has been a subsequent appeal) in line with the Records Management Code of Practice 2021
Data Protection Officer
The Data Protection Officer can be contacted at the below email address:
For further details, please see: