Privacy and fair collection policy

Data Controller – Somerset NHS Foundation Trust

This page provides you with information about how we use and manage the personal data we hold about you, including how we share it with NHS and non-NHS organisations, and how we maintain confidentiality.

What is personal data?

Personal data is information about a living, identifiable individual. Therefore, your personal data is any information that can be attributed to you personally, including your name, weight, height, date of birth, health conditions and treatments you receive. So long as you can be identified from that information, it becomes your personal data.

Organisations that use personal data must do so in line with the provisions of the Data Protection Act. The Act applies to personal data held in both electronic and physical media.

Examples of the types of personal data that the Trust uses are:

  • Name, address, date of birth, NHS Number and next of kin
  • Contact information such as telephone number and email address
  • Contacts we have had with you such as clinic visits
  • Details of diagnosis and treatment
  • Allergies and physical or mental health conditions
  • Racial or Ethnic Origin
  • Religious or other beliefs of a similar nature
  • Offences, criminal proceedings, outcomes and sentences.
  • Family, lifestyle and social circumstances
  • Education and training details
  • Employment details
  • Financial details

Why we collect information about you

We keep records about the health care and treatment you receive as one of our patients. This helps to ensure that you receive the best possible care from us and that full information is readily available if you see another doctor, or are referred to a specialist or another part of the NHS. We collect contact information so that we can contact you and keep you informed about that care and treatment.

We also keep records relating to staff, for the purpose of appointments or removals, pay, discipline, superannuation, work management or other personnel matters. This is to ensure that employment at the Trust is managed to a high standard and that staff are provided with the information and training required to carry out their role.

We may use personal data for the following purposes:

  • To prepare statistics on NHS performance
  • To audit NHS Services
  • To monitor how we spend public money
  • To plan and manage the health service
  • To teach and train healthcare professionals and NHS employees
  • To conduct health research and development

This helps you because:

  • Accurate and up to date information assists us in providing patients with the right care
  • Full information is readily available if you see another doctor or are referred to a specialist or another part of the NHS
  • Accurate and up to date information assists us in providing staff with the information and training required to carry out their role in the Trust

Data Protection Act

All of the personal data that we collect and use is handled in accordance with the Data Protection Act principles. These state that:

  • We must satisfy lawful conditions in order to use personal data. (These conditions include, but are not limited to, obtaining consent from the individual to use their personal data; and/or needing the personal data to protect someone from serious harm; and/or using the personal data in order to exercise one of our statutory duties)
  • We must let individuals know why we are using their personal data. This webpage helps us to do that.
  • We must use the personal data in a manner compatible with that purpose.
  • We must only use the personal data that is relevant to the purpose; i.e., not obtain or use more than we need to.
  • We must keep your personal data accurate and up-to-date.
  • We must not keep your personal data longer than is necessary
  • We must use personal data in line with your data protection rights; for example, the right to obtain a copy of the personal data we hold about you.
  • We must keep your personal data safe and secure.
  • We must only transfer your personal data outside of the European Economic Area if we have ensured that adequate safeguards are in place.

The official wording of the six data protection principles (Article 5 of the GDPR, given effect in the UK by the Data Protection Act) is below:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Organisations that process personal data must register as a ‘Data Controller’ with the Information Commissioner’s Office (ICO) and notify the ICO of why they need to process the data.

Somerset NHS Foundation Trust is the Data Controller (registration number Z1405877) of personal information that is collected by the Trust to help us provide and manage healthcare to our patients and relating to the employment of our staff. Full details of all the purposes for which data may be used are listed on the ICO website.

Who do we share personal data with?

We share data with a range of organisations. We will always endeavour to share the minimum amount of personal data required, anonymising data where possible. However, there will be some instances where personal data will need to be shared with other organisations for the purposes of caring for a patient. In such instances we will need to ensure that the information shared is adequate so that the patient is properly cared for.

We may share personal data with the following organisations for the purposes of delivering or improving healthcare, or where there is a legal requirement for us to do so:

  • Clinical commissioning groups
  • Health authorities
  • Other NHS organisations
  • General practitioners (GPs)
  • Ambulance services
  • Other NHS common services agencies such as primary care agencies
  • Social services
  • Education services
  • Local authorities
  • Police
  • Department for Work & Pensions
  • Voluntary sector providers and private sector providers.

Shared computer systems

Health and social care services are developing shared record systems to share data efficiently and swiftly. It is important for any health and care professional treating you to be able to access your shared record where there is a legitimate reason, so that they have all the information they need to care for you. This will be during your routine appointments and also in urgent situations such as attendance at A&E, a call to 111 or attending an out-of-hours appointment. It is also quicker for staff to access a shared record than to try to contact other care professionals by phone or email.

Only authorised staff can access the systems and the information they see is carefully checked so that it relates to their job role.  Systems do not share all your data, just data which services have agreed is necessary to include.  Staff providing your care can only access the information they need to provide the best care to you, wherever that care is being provided, whether that is in your local services or if you need specialist care or emergency care in another area.

How long do we retain your records?

All our records are destroyed in accordance with the NHS Retention Schedule, which sets out the appropriate length of time each type of NHS record is retained. We do not keep your records for longer than necessary.

All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.

Records Management Code of Practice for NHS and Social Care 2016

How do we keep your personal data safe and secure?

We are committed to securing your personal information from unauthorised access, use or disclosure. We secure the personal data you provide on computer servers in a controlled, secure environment. We also train our staff and have policies and procedures in place so that everyone working in the Trust is aware of the high standards we expect them to adhere to when handling your personal data.

Everyone working for the NHS is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised to, and consented to by, the individual to whom the information relates, unless there are other circumstances covered by the law.

Under the NHS Confidentiality Code of Conduct, all our staff are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.  This will be noted in your records.

Information sharing with non-NHS organisations

For your benefit, we may also need to share information from your health records with non-NHS organisations, from which you are also receiving care, such as social services or private healthcare organisations. This information is only routinely shared with data processors with whom we have written contracts to undertake work for us. These non-NHS organisations are not allowed to use the data for their own purposes.

Where there is no written contract we will not disclose any health information to third parties without your explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires it.

Where patient information is shared with other non-NHS organisations, an information sharing agreement is drawn up to ensure information is shared in a way that complies with relevant legislation.

These non-NHS organisations may include, but are not restricted to: social services, education services, local authorities, the Police, voluntary sector providers and private sector providers.

Third Parties

We do not sell, rent or lease our customer lists to third parties. From time to time we may contact you on behalf of external business partners about a particular offering that may be of interest to you. In those cases, your unique personally identifiable information (e-mail, name, address, telephone number) is not transferred to the third party. In addition, we may share data with trusted partners to help us perform statistical analysis, send you email, postal mail and/or appointment reminders, provide customer support or arrange for deliveries. All such third parties are prohibited from using your personal information except to provide these services to the Trust, and they are required to maintain the confidentiality of your information.

Somerset NHS Foundation Trust uses the following third party organisations/providers to assist in the delivery of IT services:

  • IMS MAXIMS
  • Synertec
  • SDL
  • IBM
  • RiO
  • iPP/SPS
  • Netcall
  • WORD360
  • DeepMind

Note: This list is not exhaustive of all third party organisations used by the Trust. Information may sometimes be shared with system suppliers for the purposes of maintenance.


A new service called SIDeR (Somerset Integrated Digital electronic Record) is being rolled out across Somerset over the next few years to allow GP practices, hospitals and Social Care to securely view your health and care information.

SIDeR will help us to link up our existing IT systems that record and securely store your information, so that medical and care staff can view your information to help them deliver better and safer care for you. For example, they will be able to see what medications you’re taking, what allergies you have and what appointments you have coming up. If you have a care plan in place, they will also be able to see this to understand what your exact needs are.

Direct Marketing

Somerset NHS Foundation Trust may also use your personally identifiable information to inform you of other products or services available from Somerset NHS Foundation Trust and its affiliates.  Somerset NHS Foundation Trust may also contact you via surveys to conduct research about your opinion of current services or of potential new services that may be offered.

Somerset NHS Foundation Trust keeps track of the web sites and pages our customers visit in order to determine which of our services are the most popular. This data is used to deliver customised content and advertising to customers whose behaviour indicates that they are interested in a particular subject area. You have the right to refuse / withdraw consent to direct marketing at any time.

Patient satisfaction

We may use your details to contact you with patient satisfaction surveys relating to services you have used. This is to improve the way we deliver healthcare to you, our patient.

Your right to withdraw consent for us to share your personal information

You have the right to refuse / withdraw consent to information sharing at any time.  The possible consequences will be fully explained to you and could include delays in receiving care.

Data Subject Rights

The right to be informed

Individuals have the right to be informed about the collection and use of their personal data.

The right to access records – Subject Access Request (SAR)

The public can request to see all the data that the Trust holds about them or someone they have a legal responsibility for. The Trust Subject Access Procedure is published on the intranet.

The right to request rectification – the correction of incorrect information

If a data subject identifies that information we hold about them is incorrect the Trust must investigate and if the law allows correct the error. However, in many cases the Trust will be required to keep the old record by law and will instead append a note to the record advising of the suggested correction.

The right to request erasure / deletion of their records (right to be forgotten)

A data subject can request that we delete records we hold about them. However, in the majority of cases the Trust will be required to keep the record by law and will instead append a note to the record advising that the request was made but declined.

The right to restriction – restricting the processing of personal data

When a data subject requests that we rectify or delete records we hold about them we are obliged to cease processing the record. However, in the majority of cases the Trust will be required to continue processing the record by law and will instead append a note to the record advising that the request was made but declined.

The right to portability

A data subject can request that we transfer their personal data records to another data controller in a machine-readable form. This is highly unlikely to occur in normal Trust business and only applies to electronic records.

The right to object to processing

A data subject can object to the Trust processing their personal data and we could be obliged to comply. However, in the majority of cases the Trust will be required to continue processing the record by law and will instead append a note to the record advising that the request was made but declined.

Can I see my information?

Under data protection law a person may request access to information (with some exemptions) that is held about them by an organisation. This is known as the Right of Subject Access. If you require access to your health records you must make a written request to the Medico-Legal Department at Somerset NHS Foundation Trust, depending on where you were seen:

Data Access and Disclosure Office
Medical Records Department
Unit J, Crown Close
Taunton TA2 8RX

Download the Personal Data Request Form.

The Trust can only provide access to information it holds. For example to see the records held by your GP you have to contact the surgery.

The Access to Health Records Act 1990 also allows access, in certain circumstances, to information that we hold on deceased patients.

Raising a concern

If you have a concern about any aspect of your care or treatment at this hospital or about the way your records have been managed, please contact:

Patient Advice & Liaison Service (PALS)

Somerset NHS Foundation Trust

Musgrove Park Hospital

Taunton TA1 5DA

Tel: 01823 343536


Additionally, you have a right to complain to the Information Commissioner if ever you are unsatisfied with the way the Trust has handled or shared your personal information:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Tel: 0303 123 1113 (or 01625 545745, or +44 1625 545745 if calling from overseas)
Fax: 01625 524510

Changes to this Statement

Somerset NHS Foundation Trust will occasionally update this Statement of Privacy to reflect Trust and patient feedback. Somerset NHS Foundation Trust encourages you to periodically review this Statement to be informed of how Somerset NHS Foundation Trust is protecting your information.

Contact Information

Somerset NHS Foundation Trust welcomes your comments regarding this Statement of Privacy. If you believe that this Statement has not been adhered to, please contact Somerset NHS Foundation Trust. We will use reasonable efforts to promptly determine and remedy the problem.

Further information

To learn more about how we use, manage and maintain confidentiality of your information, or to exercise your rights as a data subject please contact:

Louise Coppin
Data Protection Officer
Somerset NHS Foundation Trust
Musgrove Park Hospital
Taunton TA1 5DA

Tel: 01823 320452