Privacy and cookies

2018-09-25T22:08:08+00:00

General Data Protection Regulation 2016 (GDPR)

The General Data Protection Regulation 2016 (GDPR) came into force on 25 May 2018 and it applies to Walsall Healthcare NHS Trust as Data Controller. The legislation will replace current data protection law, giving more rights to individuals and more obligations to organisations processing personal data.

As Data Controller, we determine the purpose and manner of processing personal data for both employees and patients. Where we are responsible for processing personal data on behalf of another data controller we act as a Data Processor.

The Trust has robust processes and systems to support compliance with the new laws, which includes keeping you informed about how your data is used.

The Trust’s policy on the implementation of the GDPR can be found here.

Read more about the legal basis for processing personal and special category data under GDPR here.

Collecting your information

Why do we collect information about you?

The purpose of the NHS is to provide you with the highest quality of health care, and to help us achieve this we must keep records about your health, treatment and care we have provided or plan to provide.

These records are called your healthcare records and may be stored in paper format or electronically.  They include:

  • Personal details about you, such as name, date of birth, address, NHS number, ethnicity, and next of kin
  • Details of your hospital appointments/visits
  • Notes and reports about your health, treatment and care
  • Results of x-rays, scans and tests
  • Relevant information from people who care for you such as healthcare professionals
  • Information based on the professional opinion of the staff caring for you

It is extremely important that your personal details are accurate and we will often check with you at appointments or visits that these details are correct.

We collect this information to ensure we are providing you with the right care and, should you see another health professional or be referred to another part of the organisation, accurate and up to date information is shared to enable a continuation in the quality of care you receive.

If you are employed by Walsall Healthcare NHS Trust we will have your education, training and employment details, and your financial details.

Who do we collect information from?

Walsall Healthcare NHS Trust will collect data about you in a variety of ways. The main source of collection is directly from you and this is likely to be done either face to face, during a telephone call, or via email.

We may receive information from other organisations that are also required by law to share information about you with us.  An example of this could be the Trust receiving a referral for you from your GP, another Trust or any health or social care provider.

Our Trust and our staff may have access to specific clinical systems from other organisations such as the Summary Care Record, in order to access information about you that is relevant to your care. All systems are auditable and access is on a strictly need to know basis.

How long do we keep your information?

We keep your information in accordance with the National Guidance. All our records are destroyed in line with the NHS Retention Schedule, which sets out the appropriate length of time each NHS record is retained.

Records are destroyed confidentially once they reach the end of their retention period. We do not keep your records for longer than is necessary.

For further information please see Record Management Code for Practice for Health and Social Care 2016, retention schedules.

Sharing your information

Who do we share your personal information with?

Walsall Healthcare NHS Trust works closely with other organisations to support patient care. This means that information will be shared between hospitals and other organisations that may be caring for you. These may include:

  • your GP
  • other hospitals
  • your pharmacy
  • Clinical Commissioning Groups (CCG)
  • NHS regulatory authorities;
  • The National Patient Safety Agency (NPSA);
  • Out of Hours Health Care services;
  • NHS walk-in centres;
  • Ambulance Services;
  • NHS common services agencies such as dentists;
  • Local Authority departments, including Social Services, Education and Housing;
  • Voluntary sector providers who are directly involved in your care;

The sharing of sensitive personal information is strictly controlled by law. Generally your information will only be seen by those involved in providing or administering your care.

When information is shared, it is transferred securely in line with the requirements of the GDPR, and anyone who receives information from us is also under a legal duty to keep it confidential and secure.

We have to share some information for statistical, research or audit purposes and in these instances we take strict measures to ensure that individual patients cannot be identified and where appropriate anonymisation and pseudonymisation techniques will be used to protect your identity.

If you do not wish your personal data to be used in this way, please contact us. You have the right to object in certain circumstances, but this must be assessed as it may affect our ability to provide you with care or advice.

Sharing your information without consent

We will normally ask you for your consent to share information about you. There are times however when we may be required by law to share your information without your consent. These may be:

  • where there is a serious risk of harm or abuse to you or other people (including child protection or safeguarding vulnerable adult concerns)
  • where a serious crime is being investigated or where it could be prevented;
  • notification of new births;
  • where we encounter infectious diseases that may endanger the safety of others;
  • where a formal court order has been issued;
  • where there is a legal requirement to do so.

Using your information

How do we use your personal information?

The Trust processes personal information about:

  • patients;
  • next of kin;
  • suppliers;
  • employees (including students, apprentices, potential employees and volunteers);
  • complainants, enquirers;
  • survey respondents;
  • professional experts and consultants;

Health professionals caring for you manage information about your health and the care you receive from the NHS. This information is recorded in a healthcare record which is held either manually or electronically. It is important as it helps to ensure that you receive the best possible care from us. Your information is used in the following ways to guide and administer the care you receive:

  • To ensure that your health professional has accurate and up to date information to provide a good basis for any treatment or advisory services we provide to you.
  • To ensure that full and correct information is available to other healthcare providers from whom you may be receiving treatment.
  • To ensure your treatment is safe and effective, and the advice we provide is appropriate and relevant to you.
  • To ensure that there is a good basis for referring to and checking on the type and quality of treatment you have received in the past.
  • To ensure that your concerns can be properly investigated should you wish to raise a complaint.

Your rights

Your rights in relation to your personal information

You have a number of rights in relation to your personal information. These are described in detail below:

The right of access

You have a right to request a copy of any of your information held by the Trust. Alternatively, you can request to view the information that relates to you, free of charge.

The Trust does have the right to charge an administration fee in situations where requests are repetitive or if it is deemed to be excessive. You are required to prove your identity at the time of making your request and provide specific details in relation to the information you require access to.

Subject Access Requests under GDPR will be processed within 30 days. However, this can be extended by up to a further two months, in particular if there are significant personal data to review. If this is the case, you will be contacted within 30 days.

A Subject Access Request (SAR) can be submitted in relation to your healthcare record.

If you would like further information about accessing your healthcare record please contact the Health Records Manager below:

Tel: 01922 721172 ext. 7458

Walsall Healthcare NHS Trust
Walsall Manor Hospital
Moat Road

The right to object

The right to object means that data should stop being processed if requested. This only applies where data is obtained with your consent. Generally, we rely on our legal basis to process your data and not consent and therefore for healthcare purposes, this right may not apply. However, if your data is used for any other reason this right may apply to you.

The right to rectification

If you believe your personal information may be inaccurate or incomplete, you can make a request to have your information reviewed.

The right to erasure

The right to erasure is also known as the ‘right to be forgotten’. This allows you the right to have your personal data erased. Generally, this right is not available within healthcare data due to the information we process often being essential to us in continuing to provide you with services. You will be notified where the right is available for specific processing activities.

The right to restrict processing

This right enables you to request a restriction or limit to the processing of your personal data. The right is closely linked with the right to rectify and the right to object and will only apply if:

  • You believe your personal data is inaccurate and it is verified by the Trust;
  • The data has been unlawfully processed;
  • The personal data is no longer needed but we need to keep it in order to establish, exercise or defend a legal claim.

The right to data portability

The right to data portability enables you to obtain and reuse your personal data across different services. The process should allow for moving, copying or transfer of personal data from one IT environment to another in a safe and secure way, without hindrance to usability. The right to data portability is not an absolute right and generally will not apply to your healthcare records unless the processing is based on your consent, or processing is carried out by automated means.

Making a complaint

If you have any questions or complaints about your care, please speak to your health professional in the first instance. If this is not resolved to your satisfaction you can contact Patient Relations.

The Data Protection Officer (DPO) is a point of contact for advice and guidance in relation to your rights. The DPO is responsible for monitoring the Trust’s compliance with the Data Protection Act 2018 and the General Data Protection Regulations (GDPR) 2016 as well as any policies the Trust has in relation to the protection of personal data.

The DPO shall perform their duties in an independent manner with due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

The Data Protection Officer is:

Sharon Thomas
Walsall Healthcare NHS Trust
Walsall Manor Hospital
Moat Road
WS2  9PS

Tel: 01922 721172 ext. 5806

You also have the right to complain directly to the Information Commissioner’s Office if you feel the Trust has not responded effectively. The Commissioner can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane

Tel: 0303 123 1113


When someone visits we collect anonymous information to help us provide better customer service. For example, we keep track of the domains from which people visit and we also measure visitor activity on the website, but we do so in ways that keep the information anonymous.

We use the information that we collect to measure the number of visitors to the different areas of our site, and to help us make the site more useful to visitors. This includes analysing these logs periodically to measure the traffic through our servers, the number of pages visited and the level of demand for pages and topics of interest. The logs may be preserved indefinitely and used at any time and in any way to prevent security breaches and to ensure the integrity of the data on our servers.

We collect the anonymous information we mentioned above through the use of various technologies, one of which is called “cookies”. A cookie is an element of data that a website can send to your browser, which may then be stored on your hard drive. For example, on a website with a login system (if users register for it), cookies are used to save the visitor’s password so that it does not have to be entered at each new visit.

This anonymous information is used and analysed only at an aggregate level to help us understand trends and patterns. None of this information is reviewed at an individual level. If you do not want any transaction details used in this manner, you can disable your cookies.
