This page explains why information is collected about you and the ways in which this information may be used: this is called a Fair Processing Notice or Privacy Notice.

It is designed to inform you about how the Trust is complying with the General Data Protection Regulation (GDPR) 2018, the UK Data Protection Act 2018 and the Access to Health Records Act 1990.

We aim to update this information from time to time to reflect any changes. It also explains how you can access or get copies of your information held by the Trust.


We, Midlands Partnership NHS Foundation Trust (the Trust), are a data controller. Our address for communications is:

Trust Headquarters
St George's Hospital
Corporation Street
ST16 3SR

Our telephone number is 0300 790 7000

We are registered to process personal and sensitive information under the Data Protection Act 2018 - our registration number is ZA523971.

Our Caldicott Guardian (senior person responsible for sharing of patient information) is Dr Abid Khan. He is also the Responsible Officer and Medical Director. 

Our Senior Information Risk Owner (SIRO) is Richard Morris (Director of Corporate Affairs and Communications).

Our Data Protection Officer is responsible for information, and advising on data protection regulations and national law. The Data Protection Officer can be contacted by email

We ask for information about you so that you can receive care and treatment. We keep this information, together with details of your care, because it may be needed if we see you again, and it allows continuity of your care. If you have a complaint regarding this care we will also collect any data you provide to us.

We collect your personal information if you apply for a job or to volunteer with the Trust. We also collect your information if you work for us. 

As data controllers under the GDPR we process personal data (under Article 6) and sensitive data, which the GDPR terms Special Categories (under Article 9).

Personal data is defined as information relating to a living individual that can identify them. Examples include name, date of birth, NHS Number or a combination that can also identify an individual.
Special Categories are defined as: race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life and sexual orientation.

We act as joint data controllers with Staffordshire County Council to deliver services in relation to Learning Disability, Older People, Physical and Sensory Disability and Mental Health. As part of this agreement data may need to be shared with them. This applies in Staffordshire only and mental health in the north of the county does not fall within this remit.

Records about you are used by those caring for you to:

  • Provide a good basis for all healthcare decisions by you and care professionals
  • We may offer you services, referrals or information based on your profile
  • Enable you to work in partnership with those providing care
  • Make sure the care we provide is safe and effective
  • Work effectively with others providing you with care
  • To provide chaplaincy and pastoral care services
  • Remind you about appointments.

Others within the Trust and the NHS may also need to access records about you to:

  • Check the quality of care (called clinical audit)
  • Protect the health of the general public
  • Keep track of NHS spending including goods and services the Trust provides
  • Manage the health service
  • Help investigate untoward incidents, complaints or legal claims
  • Teach healthcare staff
  • Help with research. If we need to use information that identifies you, for more than your direct care or to check the quality of that care we will always seek your consent beforehand.
  • To keep you informed of the work of the Trust such as new services and to carry out surveys.

The Trust processes personal information only when it has a legal basis for doing so.

The primary purpose for which the Trust processes personal information is in order to support its healthcare activities as set out in the National Health Service and Community Care Act 1990. This is the Trust’s source of “official authority.”

The basis for the Trust processing your information is described in Article 6 (Lawfulness of processing) and Article 9 (processing of special categories of personal data) of the General Data Protection Regulation.

The legal basis for using your data will depend on what we need to do but includes:

  • Consent - We have been given clear consent to process the personal data for a specific purpose
  • Contract - The processing is necessary for a contract that we have with an individual
  • Legal obligation - the processing is necessary for us to comply with the law
  • Vital interest - the processing is necessary to protect someone's life
  • Public Task - the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
  • The legislation does not prevent us from sharing information if there is a safeguarding concern, and data may be shared if it falls into this arena.

Categories of personal data

Our guiding principle is that we hold your records in strict confidence.

For Patients

Information we collect includes:

  • Your name and address
  • Your medical conditions, allergies and medications
  • Treatment provided and contact you have had with us
  • Results of investigations, such as x-rays, MRI / CT and laboratory tests
  • Reports about your health and the care you need
  • Relevant information from other health professionals
  • Smoking status
  • Any learning disabilities
  • Religion
  • Marital status
  • NHS number
  • Occupation
  • Overseas status
  • Place of birth
  • Preferred name or maiden name
  • Where applicable, the date, cause and place of death
  • Your ethnic origin, in order to help in planning services and ensuring equal access
  • School details
  • Child/Adult protection status
  • Email address
  • Your religious, spiritual or pastoral beliefs (or none)
  • Family details
  • Sexual life
  • Next of Kin details
  • Where applicable, the date, cause (if died in hospital) and place of death
  • Power of Attorney Status / Deputyship under the Mental Capacity Act (Health and Personal Welfare)
  • Photographs, audio and video recordings
  • Financial information for private care

Special category data

Special category data is personal data which the GDPR says is more sensitive (very like sensitive data under the DPA 1998), and so needs more protection:

  • Race
  • Ethnic origin
  • Politics
  • Religion
  • Trade union membership
  • Genetics
  • Biometrics (where used for ID purposes)
  • Health
  • Sex life
  • Sexual orientation.

The Care Records Guarantee outlines the duty we have to maintain accurate records of the care we provide to you; keep these records confidential and secure; and provide information in a format that is accessible to you.

For staff, volunteers and job applicants and others

  • Employees, job applicants, apprentices, complainants, enquirers, survey respondents, suppliers, professional experts, consultants, people captured in closed circuit television images
  • Information is also held on job applicants for the purposes of processing their application and ensuring equality and patient safety
  • Information on staff, volunteers and apprentices may be shared with third parties that provide services to the trust and in order to comply with statutory requirements and to facilitate the running of the Trust.
  • Staff, volunteers and apprentices need to be aware, however, that their information will be processed as part of their contract / agreement with the Trust. This will be fully explained to you by the Human Resources team and / or your manager.
  • Staff, volunteers and job applicants should contact the Trust Human Resources department for further information on how their information is processed.

Not a patient or staff?

It is possible that the Trust holds information on you as part of someone else’s record. Under GDPR you may still be entitled to receive a copy of this information, so long as it would not breach the confidentiality of the person whose records hold the information, or there is another reason not to provide it.

We will share information with you, the patient, and with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs.

We will also share information as required by law, for example, to comply with a court order.

We will anonymise or pseudonymise your information wherever possible to protect confidentiality.
In particular, as a patient we will inform your GP and others involved in your care of your progress unless you ask us not to.

You need to be aware however that there are possible consequences if you do not allow us to share. These will be fully explained to you by your clinician, and could include delays in receiving care and you being harmed.

We may share your information with other organisations and individuals where it may benefit you or we are required to do so, for example with:

  • Hospitals and Health care organisations
  • Social services
  • Community services
  • General Practitioners (GP)
  • Clinical commissioning groups (who commission hospital services – usually information is partly or fully anonymised)
  • Education Services, such as research at universities and examining bodies.
  • Ambulance services 
  • Companies that provide services on behalf of the Trust; this may be via an Integrated Clinical Care Record (IDCR)
  • Family, associates and representatives (with your consent or under Lasting Power of Attorney/Deputyship under Mental Capacity Act – Personal Welfare)
  • Staff
  • Healthcare social and welfare organisations
  • Suppliers, service providers
  • Auditors and audit bodies
  • Financial organisations; including in order to process payments you make for goods and services.
  • Professional advisers and consultants, legal representatives, debt recovery
  • Security organisations
  • Voluntary sector providers, such as patient groups or health charities
  • Care homes including private sector care homes
  • Private health care providers
  • Police forces
  • Chaplaincy & Pastoral Care
  • Hospital Hotel Services
  • The Health and Safety Executive

When we share your information with other organisations, the sharing will be covered by an agreement describing how the information is to be used (an Information Sharing Protocol).

We are also required by law to report certain information to the appropriate authorities. 

Whenever we share information with other organisations we will do this in line with the Data Protection Act and the NHS Confidentiality Code of Practice (2003).

We may obtain your personal information from the organisations or individuals listed above that we share with or others that have information that may assist with the provision of your care.

The Trust does not carry out automated decision making but will endeavour to identify people who may benefit from additional services (profiling), for example those who attend our emergency department frequently.

Appropriate staff, for example clinicians, would make the actual decisions based on the available information.

It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA) unless additional safeguards have been put in place to protect your information.

Any transfers made will be in full compliance with all aspects of the Data Protection legislation. If this is to happen you will be informed by the Trust.

We retain health records for at least eight years from the last date that you presented at the Trust and until the 25th birthday for children.

These are the minimum times for which we keep information; we may keep it for longer if we believe doing so will be of benefit to you or in regard to any other legal obligation.

We have a duty to:

  • Maintain full and accurate records of the care we provide to you
  • Keep records about you confidential and secure

You have the right to see, or have a copy, of your personal information.

You do not need to give a reason, and normally there will be no charge.

We may charge a 'reasonable fee' when a request is manifestly unfounded or excessive, particularly if it is repetitive.

We may also charge a reasonable fee to comply with requests for further copies of the same information.

Any fee will be based on the administrative cost of providing the information.

If you want to access your health records please log your request via our online portal. The portal contains various application forms and guidance on how to make your request. Further information can be found on the 'Your Rights' page (under 'Accessing your Health and Social Care Records').

You may also make a written request to the Trust's Subject Access Team at the following address:

Records Manager
Records Department
St. George's Hospital
Trust Headquarters
Corporation Street
ST16 3SR

Telephone: 0300 790 7000

The Records Department can provide you with a paper form, however this is not a requirement as long as you provide us with the information we require to process your request. We can also take verbal requests for records.

We will normally provide your information within one month (four weeks) of receiving all the information we need to respond to your request. It may be that we have to extend the time period by a further two months (eight weeks) if your request is complex, numerous, or large. We will inform you within the month of receipt if this is the case and explain why the extension is necessary.

Please be as detailed as possible when requesting information, for instance stating date ranges, appointment types, or specific letters.

Before records are released we will seek the advice of the consultant in charge of the patient care to ensure that no information about an individual's physical or mental health or condition will be released if it would be likely to cause harm to either them or another person's physical or mental health condition. We will also withhold information provided by third parties where we don't have consent to release it or where the patient has made it clear that they did not want the information disclosed.

Before providing any information we will need to verify your identity and may request further information from you so we may progress your query as quickly as possible.


Your right to be informed

This means you have a right to be informed about the way we collect and use your data.


Your right to rectification

This means you have the right to have inaccurate (incorrect or misleading as to any matter of fact) personal data corrected or completed.


Your right to have your personal information erased

This right is not absolute and only applies in certain circumstances. 

You have the right to restrict the processing of your information in any one of the following circumstances:

  • You contest the accuracy of your personal data and we are verifying the accuracy of the data.
  • We no longer need the personal data but you need to keep it in order to establish, exercise, or defend a legal claim
  • You have objected to the Trust processing your data under Article 21(1) of UK GDPR, and the Trust is considering whether the Trust's legitimate grounds override yours (the individual).


Your right to data portability

This means that you can request a secure transfer of your data to another Data Controller.

The right to data portability only applies when all the following apply:

  • the data is about you and it was provided by you to the Trust
  • where the processing is based on your consent or for the performance of a contract
  • when processing is carried out by automated means

If the Trust provides your information to you under the right to portability no fee will be payable and the information will be provided within one month.


Your right to object

This means that you have the right to object to the Trust processing your data where the processing is based on all of the following:

  • legitimate interests or the performance of a task in the public interest / exercise of official authority (including profiling)
  • direct marketing (including profiling)
  • processing for purposes of scientific / historical research and statistics
  • You must have an objection on "grounds relating to your particular situation"


Your right to withdraw your consent

This means that once you have given your explicit consent for your information to be processed you have the right to both:

  • withdraw your explicit consent for the processing of your information
  • withdraw your consent by informing the department / team that took your consent (you can do this in writing or verbally)

The Trust makes use of CCTV systems, including body worn cameras, for crime prevention in line with the Information Commissioner's CCTV code of practice. You have a right of access if you wish to request your data captured on CCTV.

We use a computer system called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patient care, leading to improvements in both care and outcomes.

GP Connect is not used for any purpose other than direct care.

Authorised clinicians such as GPs, NHS 111 Clinicians, Care Home Nurses (if you are in a Care Home), Secondary Care Trusts, and Social Care Clinicians are able to access the GP records of the patients they are treating via a secure NHS Digital service called GP Connect.

The NHS 111 service (and other services determined locally e.g. other GP practices in a Primary Care Network) will be able to book appointments for patients at GP practices and other local services.

Legal basis for sharing this data

In order for your Personal Data to be shared or processed, an appropriate "legal basis" needs to be in place and recorded. The legal bases for direct care via GP Connect are the same as the legal bases for the care you would receive from your own GP, or another healthcare provider:

  • for the processing of personal data: Article 6.1 (e) of the UK GDPR: "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller".
  • for the processing of "Special Category Data" (which includes your medical information): Article 9.2 (h) of the UK GDPR: "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services".

Your rights

Because the legal bases used for your care using GP Connect are the same as used in other direct care situations, the legal rights you have over this data under UK GDPR will also be the same (these are listed elsewhere in our privacy notice).

Find out more about GP Connect on the NHS England website.

MPFT is working collaboratively with other partners in the region (GP Practices, Local Authorities, other Hospital Trusts, Acute, Community and Mental Health) as well as Commissioning Groups to create an integrated care record which will contain data about all patients seen and treated at MPFT. This is not the full record but a snapshot of the data held to help clinicians to provide the most appropriate care.

This will be a central library of information that each organisation can access (for their own patients only) so that clinicians will have a complete picture of a patient's needs, medications etc.

Midlands Partnership NHS Foundation Trust (MPFT) is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency, or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family, and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you choose to opt out, your confidential patient information will still be used to support your individual care.

To find out more, or to register your choice to opt out, please visit the NHS website: Your NHS Data Matters. On this web page you will:

  • see what is meant by confidential patient information
  • find examples of when confidential patient information is used for individual care, and examples of when it is used for purposes beyond individual care
  • find out more about the benefits of sharing data
  • understand more about who uses the data
  • find out how your data is protected
  • be able to access the system to view, set, or change your opt out preference
  • find the contact telephone number if you want to know any more, or to set / change your preference by phone
  • see the situations where the opt out will not apply

You can also find out more about how patient information is used at: 

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies, nor being used for marketing purposes; and data would only be used in this way with your specific agreement.

Health and care organisations have until 2022 to put systems and processes in place so they can be compliant with the national data opt out, and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

Our organisation is currently compliant with the national data opt out policy.

For further information or if you would like to make a complaint, please contact:

The Patient Advice and Liaison Service (PALS) on 0800 783 2865 or via email

If you would like this leaflet in your own language, in large print, in Braille or audiotape please contact the PALS team.

If you feel that we have not adequately dealt with your complaint regarding how we process your information you can raise the issue with the Information Commissioner who is the supervisory authority for the United Kingdom (the Regulator) at the address below:
Information Commissioner's Office

By phone: 0303 123 1113

By letter:

Wycliffe House
Water Lane

By email

ICO Website


The information on this page is also available in a printer friendly version (PDF).