Patient Privacy Notice
What is a ‘Privacy Notice’?
A ‘privacy notice’ describes how we use and share the personal information we hold about our patients, service users, visitors, carers, the public and staff.
This patient privacy notice is issued by the Royal Devon as a healthcare provider and covers the information we hold about our patients and other individuals that may use our services.
Separate privacy notices are also available for:
- COVID-19 and your information covers how information is used during the COVID-19 outbreak.
- Information Requesters Privacy Notice covers the information we collect when you request a disclosure from us.
- Staff Privacy Notice covers the information we collect as an employer.
- Occupation Health Privacy Notice covers the information relating to occupational health.
A privacy notice is a legal requirement under Data Protection legislation and is here to help you be aware of your rights, our duties and how we protect your privacy by keeping your information confidential and secure. Under this legislation, the Royal Devon is the data controller of this information.
Who we are
The Royal Devon University Healthcare NHS Foundation Trust was established in April 2022, bringing together the expertise of both the Royal Devon and Exeter NHS Foundation Trust (known as Eastern Services and sites) and Northern Devon Healthcare NHS Trust (known as Northern Services and sites).
Stretching across Northern, Eastern and Mid Devon, we have a workforce of over 15,000 staff, making us the largest employer in Devon. Our core services, which we provide for more than 615,000 people, cover more than 2,000 square miles across Devon, while some of our specialist services cover the whole of the peninsula, extending our reach as far as Cornwall and the Isles of Scilly.
We deliver a wide range of emergency, specialist, and general medical services through North Devon District Hospital (EX31 4JB) and the Royal Devon and Exeter Hospital (Wonford) (EX2 5DW). Alongside our two acute hospitals, we provide integrated health and social care services across a variety of settings including community inpatient hospitals, outpatient clinics, and within people’s own homes. We also offer primary care services, a range of specialist community services, and Sexual Assault Referral Centres (SARC).
Our hospitals are both renowned for their research, innovation, and links to universities.
The Royal Devon is registered with the Information Commissioner’s Office to process personal and special category information under UK Data Protection legislation.
What personal information do we collect and how do we obtain it?
Personal information identifies a living individual. Therefore, your personal information is anything that can be attributed to you personally, including your name, weight, height, date of birth, health conditions, and treatments you receive. So long as you can be identified from it, it is your personal information.
Examples of the personal information that we hold about our patients are:
- Name, address, date of birth, NHS Number and next of kin.
- Contact information i.e. telephone number(s), email address.
- Racial or ethnic origin.
- Religious or other beliefs of a similar nature.
- Family, lifestyle, and social circumstances.
- Contacts we have had with you such as clinic visits.
- Details of diagnosis and treatment.
- Allergies and physical or mental health conditions.
- Whether or not you are subject to any protection orders regarding your health, wellbeing, and human rights (safeguarding status).
This information will be collected directly from you and others involved in your care such as your GP, or another healthcare provider, or may be information others have provided in relation to your own care.
Organisations that use personal information must do so in line with the provisions of the UK General Data Protection Regulation and the Data Protection Act 2018. The legislation applies to personal information held in both electronic and paper records.
Why we collect information about you and what we do with it
We collect personal and confidential information about you to support the delivery of your healthcare and treatment. It is important for us to have a complete picture as this information enables us to provide the right care to meet your individual needs.
Your records are used to directly, manage and deliver healthcare to you to ensure that:
- The staff involved in your care have accurate and up to date information to assess and advise on the most appropriate care for you.
- Staff have the information they need to be able to assess and improve the quality and type of care you receive.
- Appropriate information is available if you see another healthcare professional or are referred to a specialist or another part of the NHS, social care, or health provider.
The personal information we collect about you may also be used to:
- Remind you about your appointments and send you relevant correspondence.
- Review the care we provide to ensure it is of the highest standard and quality, e.g. through audit or service improvement;
- Monitor how we spend public money and support the funding of your care, e.g. with commissioning organisations;
- Plan and manage the health service and prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies;
- Help to train and educate healthcare professionals,
- Report and investigate complaints, claims and untoward incidents,
- Report events to the appropriate authorities when we are required to do so by law,
- Review your suitability for research study or clinical trial,
- Conduct health research and development, click here for more information and see further details below; and
- Contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients
Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it and we will only use/share the minimum information necessary.
We may share data for approved research projects. In most instances, the information will be made anonymous so that you cannot be identified. If this is not possible, we will ask your permission, or if this is not possible, we will request approval from the NHS Health Research Authority's Confidentiality Advisory Group. The Health Research Authority has further details on patient information and health and care research.
Should you not wish information about you to be used for research, please let us know or speak to the clinical team that is treating you. More details about the National Data-Opt Out can be found here.
What is our lawful basis for processing?
All the personal information that we collect, and use is handled in accordance with the UK General Data Protection Regulation (UK GDPR) principles. These state that personal data processing must be:
- Lawful and fair.
- Specified, explicit and legitimate.
- Adequate, relevant, and not excessive.
- Accurate and kept up to date.
- Kept for no longer than is necessary.
- In a secure manner.
The Royal Devon is a public body established by the NHS Act 2006 as amended by the Health and Social Care Act 2012. As such our business is based upon statutory powers which underpin the legal bases that apply for the purposes of the UK GDPR. The legal bases for the majority of our processing is:
- Article 6(1) (e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority,
- Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
- Article 6(1)(d) - processing is necessary in order to protect the vital interests of the data subject or of another natural person.
Where we process special categories data, for example, data concerning including health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the UK GDPR. Where we are processing special categories personal data for purposes related to the commissioning and provision of health services the legal basis for the majority of our processing is:
- Article 9(2) (h) – the provision of health or social care or treatment or the management of health of social care systems and services. care or treatment or the management of health of social care systems and services; or
- Article 9(2)(c) - processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
Where we process special category data for research purposes our legal basis is:
- Article 9(2)(j) - processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
In addition, we may also process personal data for the purpose of, or in connection with legal proceedings (including prospective legal proceedings), obtaining legal advice or establishing, exercising, or defending legal rights. Where we process personal data for these purposes, the legal basis for doing so is:
- Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
- Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
- Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.
Where we process special categories of personal data for these purposes, the legal basis for doing so is:
- Article 9(2)(f) – processing is necessary for the establishment, exercise, or defence of legal claims; or
- Article 9(2)(g) – processing is necessary for reasons of substantial public interest.
Please note consent is not the legal basis for processing information that concerns your direct patient care. The majority of your data processed in relation to your care is under Article 6(1)(e) as our task as an NHS Trust, as described above.
This means we use your personal information to provide you with your direct patient care without seeking your consent. However, you do have the right to object to our use of your information. We will consider your objection, and if we are able to comply with your wishes, we will explain how this could impact on our ability to provide you with that care.
Who we share personal information with and why?
Your personal information will be shared with the team who are caring for you and providing your treatment. Our Trust may securely share your personal information with a number of other NHS Trusts and services and independent treatment centres. We will always endeavour to share the minimum amount of personal information required, anonymising where necessary.
We may need to share personal information with the following organisations for the purposes of delivering or improving healthcare, or where there is a legal requirement for us to do so:
- We may need to share relevant personal information with other NHS organisations. For example, we may share your information for healthcare purposes with health authorities such as NHS England, Public Health England, other NHS trusts, general practitioners (GPs), ambulance services, primary care agencies, Integrated Care System (ICS) etc. We will also share information with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs.
- We may need to share information from your health records with other non-NHS organisations from which you are also receiving care, such as private healthcare companies, voluntary and private sector providers, Social Services, local council, education services or private care homes.
- There are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud (e.g. Department for Work & Pensions).
There may also be situations where we are under a duty to share your information, due to a legal requirement. This includes, but is not limited to, disclosure under a court order, sharing with the Care Quality Commission for inspection purposes, the police for the prevention or detection of crime or where there is an overriding public interest to prevent abuse or serious harm to others and other public bodies (e.g. HMRC for the misuse of public funds in order to prevent and detect fraud).
There may be requirements to share in the public interest, such as identification of an infectious disease that may endanger the safety of others. Where this disclosure is necessary, only the minimum amount of information is released.
- There may also be times when our Trust is reviewed by an independent auditor, which could involve reviewing randomly selected patient information to ensure we are legally compliant.
- Data may also be shared for healthcare purposes with other external organisations who are processing the data on behalf of the Trust. This enables the Trust to use the most up to date digital technology to better support your care. Examples of this type of sharing include third party system suppliers such as Epic for our Electronic Patient Record (EPR) system, MY CARE Patient Portal, or NHS Digital for email and other national NHS systems.
- Data is shared with you, the patient, and any family or friends (proxies) that you allow, via the MY CARE Patient Portal (part of Epic). The Patient Portal provides you (and any proxies) with access to key elements of your medical record. Information on the Patient Portal is provided for use to support your relationship with current or future health care professionals.
More information is available at NHS Royal Devon | MY CARE
The Terms and Conditions for using the Patient Portal, which includes more detail of how your information is processed is available at MY CARE - Login Page (exe.nhs.uk)
- Our EPR also allows clinicians in other healthcare organisations access to your data via Epic Care Link, this includes some GP practices, Hospicare, and other NHS Trusts. This enables faster access and better support for you the patient. To opt out of your data being shared via Epic Care Link please contact the Data Protection Officer by emailing: firstname.lastname@example.org.
- Our EPR also allows us to share your medical information directly with other UK hospitals who have the Epic EPR system via Care Everywhere. Sharing will only take place if you are a patient at both hospitals (e.g. you are a patient at the Royal Devon AND Great Ormond Street Hospital). To opt out of your data being shared via Care Everywhere please contact the Data Protection Officer by emailing email@example.com. Please note Care Everywhere is not available for non-UK Epic hospitals.
For any request to transfer your data internationally outside the UK/EU, we will make sure that an adequate level of protection is satisfied before the transfer.
The Trust is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to the Trust in confidence will only be used for the purposes explained. Unless, there are exceptional circumstances, such as when the health or safety of others is at risk, where the law requires it or there is an overriding public interest to do so. Where there is cause to do this, the Caldicott Guardian ensures that the sharing is appropriate.
How we keep your personal information safe and secure
Our staff members are trained to handle your information correctly to protect your confidentiality and keep your information secure. Everyone working in the NHS has a duty of confidentiality under the NHS Code of Practice when handling your personal information.
All new systems undergo appropriate governance reviews to ensure they meet the Trust cyber security standards. Details of Data Protection Impact Assessments are available via our FOI Publication Scheme.
Use of Email - Some services in the Trust provide the option to communicate with patients via email. Please be aware that the Trust cannot guarantee the security of this information whilst in transit, and by requesting this service you are accepting this risk.
How long we keep your records
Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHSx: Records Management Code of Practice 2021.
The retention of records is dependent on various factors such type of service, continuity of care, litigation, last hospital attendance, etc. Typically, adult care records are retained for eight years, maternity records for 25 years and cancer records for 30 years. All records are destroyed confidentially once their retention period has been met and the Trust has made the decision that the records are no longer required.
What your information rights are and how to request a copy of your data
The UK GDPR gives you certain rights, including the right to:
- Request access to the personal data we hold about you, e.g. in health records. The way in which you can access your own health records is further explained in our ‘Access Your Personal Data / Health Records’ web page.
- Request the correction of inaccurate or incomplete information recorded in our records, subject to certain safeguards.
- Refuse/withdraw GDPR consent where the Trust seeks to use this as it’s lawful basis for processing your data. Please note, this should not be confused with medical consent or research consent and only relates to limited use.
- Request the restriction of the use of your personal information in certain circumstances, this does not relate to direct patient care.
- Request your personal information to be transferred to other providers on certain occasions.
- To challenge decisions made without human intervention (use of automated decision making)
You have the right to choose if data from your health records is shared for research and planning purposes. In certain circumstances you may have the right to ‘object’ to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment, for example, to plan and improve health and care services, or to research and develop cures for serious illness.
Health and care organisations have to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is compliant with the national data opt-out policy which allows you to make your choice by using the online service at www.nhs.uk/your-nhs-data-matters or by calling the NHS Digital Contact Centre on 0300 303 5678.
We will always try to keep your information confidential and only share information when absolutely necessary and in consultation with the Caldicott Guardian. If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter.
Surveillance Cameras and recordings
We employ surveillance cameras (CCTV and Body Worn Video) on and around the hospital site in order to:
- Provide a deterrent effect and reduce unlawful activity.
- Help provide a safer environment for our staff.
- Protect patients, visitors, staff, and Trust property.
- Apprehend and prosecute offenders and provide evidence to take criminal or civil action in the courts.
We reserve the right to withhold information where permissible under Data Protection legislation and we will only retain surveillance data for 28 days. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose CCTV or Body Worn Video data for legal reasons.
All patients and visitors are reminded that mobile phones can be used in public and communal areas to make calls but are not always allowed on wards or clinical areas as they could affect medical equipment or disturb those who require rest.
Patients or visitors who wish to film, record, take photos or video call, please discuss with a member of staff and gain consent so that we can protect the privacy and dignity of staff, other patients, and their visitors.
Data Protection Officer and ICO contact details for any queries
The Data Protection Officer can be contacted at the below email address:
For further details, please see:
The Information Commissioner’s Office (ICO) is the body that regulates the Trust under Data Protection and Freedom of Information legislation. If you are not satisfied with our DPO response or believe we are not processing your personal data in accordance with the law, you can complain to the ICO at:
Information Commissioner’s Office (ICO)
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number