How we use your information

Fair Processing Notice, privacy notice

Note: For information about how website users’ information is used when browsing this website, please see the website privacy statement.

Your information, your rights (fair processing notice)

(Fair Processing Notice is also known as Privacy Notice)

Our hospitals and other sites come under the legal entity of Chelsea and Westminster Hospital NHS Foundation Trust. As we process personal data, we are legally obliged to be on the Data Protection Register held by the Information Commissioner’s Office (ICO). Our registration number is Z5779617.

Our Data Protection Officer is Graham Trainor—he can be contacted by emailing 

This Data Privacy Notice is to assure you of our compliance with the General Data Protection Regulation (EU) 2016/679 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

All individuals for whom we hold data have the same rights under the General Data Protection Regulation, although the legal basis for processing the data and the retention periods for individual records may vary depending on the reason we hold the data—ie whether you are a patient, member of staff, volunteer, Foundation Trust Member or other. Please see the NHS Digital website for how long we are required to keep records.

What information do we keep about you?

For patients, all the information we hold about you is collectively called your health record. It includes general personal information (such as your name, address, next of kin and GP) and Special Category Personal Data relating to health (such as reports, test results, operations and other treatments), ethnicity, religion and, where appropriate, genetic data, sexual orientation etc. These records exist in either paper or electronic formats or both. They are secured by appropriate security measures to comply with UK legislation, eg the Computer Misuse Act 1990. We obtain and hold this data under GDPR Article 6 (1) (e), (b), (c) and in special cases (d). For Special Category Personal Data, under Article 9 (2) (h). Please see the EU Commission website for further details.

Carers/next of kin

As part of a patient’s health record we record next of kin and, where relevant, carers’ details. There may be occasions where we will contact this demographic for the sake of clinical audit—for example, the National Audit of Care at the End of Life (NACEL).


If you are a member of staff then the information we hold is about your employment and related information—this is known as your staff record. We hold this information mainly in electronic formats, though for older records it may be in paper formats at this time. We obtain and hold your information under Article 6 (1) (b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract” and (c) “processing is necessary for compliance with a legal obligation to which the controller is subject”—and Article 9 (2) (b) “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.”

If you are both a member of staff and a patient, then two sets of records are maintained.

How is information about you used?

Records about you are used by those caring for you to:

  • Provide a good basis for all healthcare decisions by you and healthcare professionals
  • Enable you to work in partnership with those providing care
  • Make sure the care we provide is safe and effective
  • Work effectively with others providing you with care
  • Remind you about appointments

Others within the Trust, the NHS and other government bodies may also need to use records about you to:

  • Check the quality of care (called clinical audit)
  • Protect the health of the general public
  • Keep track of NHS spending
  • Manage the health service
  • Help investigate untoward incidents, complaints or legal claims
  • Prevent fraud
  • Teach healthcare staff
  • Help with research

If we need to use information that identifies you for more than your direct care, or to check the quality of that care, we will always seek your consent beforehand.

Who do we share your information with?

The above uses of your data will involve sharing your information with other health and social care professionals involved in your care, such as doctors, nurses, therapists and your GP as well as some administrative staff.

There are some sector-wide and national initiatives where data is shared due to UK legislation between organisations to speed up access to patient records for direct care purposes, such as the NWL digital integrated care initiative. The governance and access controls around these initiatives are very strict.

We also participate in some national audits and submit your data anonymously to the Secondary Uses Service (SUS), which is the single repository for healthcare data in England. This enables a range of reporting and analyses to support the NHS in the delivery of healthcare services—and is mandated by law. Access to these records is strictly controlled on a need-to-know basis. For example, the organisations who commission health services from the hospitals (Clinical Commissioning Groups/CCGs) cannot, as a rule, gain access to personal information about you—just aggregated data to enable them to commission the most appropriate services. Exceptions exist where direct management of healthcare budgets is requested by individuals, and also for certain procedures where proof of need is required under an approved process.

To assist in the management of the health service, and to protect the health of the general public, we may share information with other parts of the NHS or with other public sector organisations.

We may also use third party service providers to process data on our behalf. If we do, then we will always have an appropriate agreement in place to ensure that they keep the data secure, and that they do not use or share information other than in accordance with our instructions. Examples of functions that may be carried out by third parties include:

  • Systems providers which facilitate and manage appointment bookings on our behalf such as DrDoctor
  • Companies that provide IT services & support, including our core clinical systems, data hosting service providers or document management services;
  • Delivery services (for example if we were to arrange for delivery of any medicines to you).

Further details regarding specific third party processors can be provided on request to the Data Protection Officer.

We are also required by law to report certain information to the appropriate authorities—for example, notification of new births, incidences of certain communicable diseases, and crimes or suspected terrorist acts to the police or other UK bodies, such as the General Medical Council or the Healthcare Safety Investigation Branch of NHS investigations.

Whenever we share information with other organisations we do this in line with the Data Protection Act and the NHS Confidentiality Code of Practice (2003) and relevant legislation or court order and we share the minimum amount of information.

We do not share information, in the ways described above, regarding treatment you may have received in the specialities of sexually transmitted infections and human fertilisation and embryology (notwithstanding any legal requirements imposed on the Trust).

The future of healthcare: digital, data and technology in health and care

There has been a rapid growth of digital health technology and the use of apps and artificial intelligence (AI) over the past few years. This work is actively encouraged by the government with the ultimate objective of the provision of better care and improved health outcomes for people in England.

We want to be at the forefront of digital innovation to secure better outcomes, improve clinical care and reduce costs and have entered into an agreement with Sensyne Health who offer a new approach to the discovery and development of new medicines using AI to generate real-world evidence. We believe this will allow us to move forward as an organisation driven by research, innovation and discovery.

With Sensyne we only use anonymised datasets so your confidentiality is protected.

Electronic patient records

We want to make the best use of digital technology to deliver great patient care. That's why we are introducing a new electronic patient record system called CernerEPR across the Trust and other clinical systems.

How do we protect your information?

We abide by the principles of the Data Protection Act (DPA) and self-assess our state of compliance with Information Governance (IG) Standards via the Data Security & Protection Toolkit (DSPT). We also use internal auditors to scrutinise our self-assessment scores.

All NHS staff—whether permanent, temporary, bank or volunteer—have to comply with UK legislation, and confidentiality is part of statute and common law. Maintaining your confidentiality at all times is treated with the utmost seriousness, and staff contracts ensure this even after leaving the Trust. Clinicians also have professional codes of conduct with which they need to comply, and these deal with the confidentiality of healthcare.

All staff are required to undertake annual Information Governance training and, where appropriate, additional training in line with their responsibilities. Staff are reminded throughout the year of various aspects of their responsibilities.

It is illegal for a member of staff to access any record, including those of their friends and colleagues, unless they are directly involved in their care. Even checking a friend’s phone number on the administration system is a disciplinary offence.

Our IT systems are provided either in-house or by specific suppliers who are required to manage the data securely in a manner compliant with UK legislation. 

We have perimeter and internal protection of our IT systems and monitor access and security in a proactive manner. Only individuals with legitimate reasons are allowed access to areas storing data.

There is a programme of work to retrospectively carry out Data Protection Impact Assessments on existing systems that hold personal data that we consider a risk and, in the future, work to the principles of privacy by design to ensure that we remain within UK legislation.

Objections to the use of your data

You may object to having your data used for any secondary purpose by contacting the Information Governance Department at . We would hope—with the controls we have in place and the necessity of using your data in the way described—that you would have no objection to our sharing of your data.

We understand, however, that this is your personal information and where we are allowed by UK legislation we will implement your requests. Where we are unable to, we will inform you of the legal reasons and explain what redress and escalation exists, and whom to contact with your concerns and requirements.

What rights do you have as a patient?

You have the right to:

  • Confidentiality and privacy under GDPR, the DPA, the Human Rights Act 1998 and the common law duty of confidence.
  • Request to access your health records (this needs to be in writing) either by asking for a copy of all records about you, or individual items, to be sent to a specific location—or coming in to view your records, under supervision, on site (please see below for detailed information on how we provide your records). We have a duty to explain what your record states.
  • Have errors in your record corrected.
  • Not have your data used for purposes not directly relating to your healthcare—for example, staff duties relating to your employment.
  • Appoint others to view and look at your record (the request needs to be in writing, see below).
  • Ask to be forgotten. However, health records and staff records have specific retention periods imposed by law, so this cannot always happen; if you make such a request we will inform you of the appropriate legislation and of any escalation process.
  • Be provided with information on the individual who is collecting data on the Trust’s behalf.
  • Be provided the name and contact details of the Trust’s Data Protection Officer.
  • Be provided with information on how your data will be stored.
  • Be provided with information on why we are collecting personal data and special category personal data.
  • Be provided with information on how your data may be shared, with whom, and what data will be shared.
  • Ask for the period of retention of your data or what criteria we will use to determine this.
  • Be informed of how and to whom you can raise a complaint about how the Trust handles your Personal Data and Special Category Personal Data.
  • Be informed under what legislation we are collecting and storing your data.
  • Be informed of any automated processes (not involving a human) that the Trust will use to make decisions about your healthcare or employment.

Help us to help you—accuracy of data

Our staff should always verify your basic details such as name, address and GP practice each time you visit one of our sites. If they forget, please remind them. If you spot errors when using an automated check-in kiosk then please inform a member of staff.

Always ensure that you:

  • Give us accurate and full information on first contact and check it.
  • Let us know immediately if any of your personal details have changed or are incorrect—there is a danger you will miss crucial appointments or that we won’t be able to contact you quickly in an emergency.
  • Provide your NHS number if possible.
  • Always give your full regular registered name rather than a nickname/short name or other name—we need to match our records with your GP practice records. The spelling and order of names is particularly important and accounts for around 70% of errors.

The Trust will not regularly contact you to ask for an update of your details, as we value your privacy—we do, however, request that you do update us if your circumstances change to ensure we keep our records up-to-date. 

Access to your health records (Subject Access Request/SAR)

If you are a patient and require a copy of your health records, please see Requesting your medical records. There is no charge for this service, except in exceptional circumstances.

You can come in and view your records, under the supervision of a clinician or appropriate professional to explain any items. Under GDPR legislation there are no fees for the first request. We usually provide this electronically. Making paper copies costs the Trust more than £170k per annum in staff time, printing and postage, and we want to avoid costs where possible.

Staff, volunteers and job applicants should use the same form to obtain access to the information the Trust holds about you.

CCTV/body-worn cameras

The Trust uses CCTV in various parts of the Trust, and security staff wear body-worn cameras. These are used for the safety and security of our patients and staff.

The recordings are classed as personal data but do not form part of any health or staff record. Images are held for a period of 31 days, or longer if required for any investigation. 

Staff movements when using security passes are also recorded.

Preventing fraud

Chelsea and Westminster Hospital NHS Foundation Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Cabinet Office, under the National Fraud Initiative (NFI), is responsible for carrying out data matching exercises. Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation.

No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

As the Trust participates in the Cabinet Office’s National Fraud Initiative it is required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise. It then receives a report of matches which it will be required to investigate, so as to detect instances of fraud, over- or under-payments and other errors, to take remedial action and update its records accordingly.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014 (LAAA), and the data sets which the Trust submits can be found in the Cabinet Office guidance.

As the process is mandated by the Cabinet Office it does not require the consent of the individuals concerned under the Data Protection Act 2018 or the General Data Protection Regulation.

Data matching by the Cabinet Office is subject to a Code of Practice.

The Trust has a dedicated counter fraud service provided by RSM. Please contact our local counter fraud specialists to discuss any concerns.

Gemma Higginson
E: /
M: 07800 718 680

Natalie Nelson
T: 020 3201 8358 

In addition to the above, all patients are checked for Overseas Visitor Cost Recovery and fraud purposes, and we will share information with the Home Office and/or other relevant government departments and agencies where we are required to do so, in accordance with our legal obligations.

Guidance from the Information Commissioner's Office

The Information Commissioner’s Office (ICO) provides guidance on data sharing, subject access requests, freedom of information requests and many other subjects. It is the body responsible for regulating GDPR and other related legislation.

If you have any concerns about the way we have handled your data or are not happy with the Trust’s response to any complaint or concern you have raised, you are entitled to contact the Information Commissioner’s Office as below.

The Information Commissioner's Office
Wycliffe House
Water Lane

T: 0303 123 1113
