Privacy Notice

Privacy Notice (Fair Processing Notice)

Your Personal Information – what you need to know

Who we are and what we do

The Isle of Wight NHS Trust (the Trust) is a Data Controller and our address is:

St Mary's Hospital
Isle of Wight
PO30 5TG

As the only integrated acute, community, mental health and ambulance healthcare provider in England, the Trust is responsible for delivering your NHS services, including planned and emergency hospital care, mental health services as well as healthcare in the community and ambulance services.

For more information please refer to the ‘About Us’ page on the Trust website

For further details regarding the Trust’s registration as a Data Controller, please visit

The NHS aims to provide you with the highest quality of health care. To do this we must keep records about you, your health and the care we have provided, or plan to provide to you.

Health records are held on paper and electronically and we have a legal duty to keep these confidential, accurate and secure at all times in line with Data Protection legislation.

All our staff are trained to handle your information correctly and protect your privacy. We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected for direct marketing purposes and is not sold on to any other third parties.

Information is held for specified periods of time as set out in the Records Management Code of Practice for Health and Social Care 2016.

Our Commitment to Data Privacy and Confidentiality Issues

We are committed to protecting your privacy and will only process data in accordance with Data Protection Legislation. This includes the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act (DPA) 2018, the Law Enforcement Directive (Directive (EU) 2016/680) (LED) and any applicable national legislation implementing them, as amended from time to time.

The legislation requires us to process personal data and special category data only where there is a lawful basis for doing so, and requires that all processing is fair and lawful.

In addition, consideration will also be given to all applicable legislation concerning privacy, confidentiality, the processing and sharing of personal data including the Human Rights Act 1998, the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality and the Privacy and Electronic Communications (EC Directive) Regulations.

Using your information

We need to use information about our patients and population to enable us to deliver services which meet their needs. In undertaking our role as healthcare provider our Trust holds information about you and this document outlines how that information is used, who we may share that information with, how we keep it secure (confidential) and what your rights are in relation to this. Within the health sector, we follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare.

The Trust has a senior member of staff responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian and contact details are set out below.

Alistair Flowerdew - Medical Director
Email -
Tel 01983 822099 Ex 5366

The Caldicott Guardian is supported by another senior member of staff who is responsible for information risk and information security. This person is called the Senior Information Risk Owner (SIRO) and their contact details are set out below:

Lois Howell - Director of Governance & Risk
Email -

Tel 01983 822099 Ex 4204

The above roles are supported by our Data Protection Officer (DPO). The DPO is responsible for monitoring compliance with Data Protection legislation (GDPR and DPA 2018) and Information Governance (IG) policies, providing advice and guidance, raising awareness, and carrying out training and audits. The DPO acts as a contact point for the ICO, employees and the public, co-operates with the ICO and will consult it on any other matter relevant to Data Protection. The contact details of our DPO are as follows:

Tel 01983 822099 Ex 4091

The Trust is a Data Controller and is registered with the Information Commissioner’s Office (ICO) to collect data for a variety of purposes. Our registration number is Z3116597 and a copy of the registration is available through the ICO website.

What kind of information do we use?

As a healthcare provider we need to hold personal information about you. This can be collected in a number of ways, for example from referral details sent by your GP, another hospital or another service, directly from you, or from your authorised representative. We hold the following personal data (as defined within GDPR), which may include:

  • Your name
  • Address
  • Telephone numbers
  • Date of birth
  • Emergency or preferred contacts/next of kin details
  • Your GP details
  • NHS Number

In addition we may also hold your email address, partnership or marriage status, occupation, residential status (if you are a patient who is an overseas visitor), place of birth and preferred name or maiden name. We may also hold bank account or credit card details for patients when relevant (e.g. using private facilities at St. Mary’s Hospital).

CCTV is used throughout Trust buildings and on some Trust vehicles for the following purposes:

  • To assist in the prevention and detection of crime against both persons and property.
  • To facilitate the identification, apprehension and prosecution of offenders in relation to crime.
  • To ensure the security and safety of our patients, employees and property belonging to the Trust.

All areas where CCTV is in operation are clearly signposted, and the signage includes contact details of the organisation holding responsibility.

In addition to the above, we hold ‘special category data’ (as defined within GDPR) which may include:

  • Health records
  • Your religion, race and ethnic origin
  • Genetic and Biometric Data
  • Sex life or orientation

We also hold the following types of data:

  • Confidential Information – this term describes data about identified or identifiable individuals which must be kept private and includes records of the deceased as well as living people. ‘Confidential’ includes information that is ‘given in confidence’ and ‘that which is owed a duty of confidence’.
  • Pseudonymised - this is data that has undergone a technical process that replaces your identifying information (such as NHS number, postcode and date of birth) with a unique identifier, so that the 'real world' identity of the individual patient is obscured from those working with the data. Unlike anonymised data, pseudonymised data can still be linked back to you by whoever holds the key to that identifier, so it remains personal data under GDPR.
  • Anonymised – this is data about individuals but with identifying details removed so that there is little or no risk of the individual being re-identified.
  • Aggregated - anonymised information that is grouped together so that it doesn't identify individuals.

What do we use your Personal and Special Category Data for?

  • To produce a record of all health decisions made about you and the care provided to you (which may involve clinical, support and administrative staff).
  • To respond to your queries, compliments or concerns.
  • For assessment and evaluation of safeguarding concerns.
  • Where there is a provision permitting the use of confidential personal information under specific conditions, for example to ensure that the Trust is paid accurately for the treatment of its patients, which is known as invoice validation.
  • Clinical audit - Further information can be found at:

Personal and Special Category data could also be used in the following cases:

  • We need to respond to communications from patients, carers or Members of Parliament.
  • You have freely given your informed agreement (consent) for us to use your information for a specific purpose.
  • There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime.
  • There is a legal requirement that will allow us to use or provide information (e.g. a Court order).
  • To help teach and train new members of staff.

What do we use non-identifiable data for?

We use pseudonymised, anonymised and aggregated data to plan health care services. Specifically we use it to:

  • Check the quality and efficiency of the health services we provide.
  • To help improve the quality of services for patients and ensure that the right treatment is being provided to patients - for further information visit
  • Prepare performance reports on the services we provide
  • Review the care being provided to make sure it is of the highest standard
  • To help teach and train new members of staff
  • To keep track of NHS spending.

Do we share your information with other organisations?

We will share your information with other organisations to assist with providing you with the best care possible. Other organisations who receive information from the Trust have a legal duty to keep it confidential and secure. Only information that is required and appropriate to support your care and treatment will be provided. Where we share your information with organisations that do not form part of your care, we will obtain your permission before sending the information, unless we have a legal obligation to provide it or the public interest in sharing it is considered to be of greater importance.

There are occasions where we have a legal duty to share patient information with external organisations which oversee and address issues relating to the management of the NHS as a whole. These may include the following (the list is not exhaustive):

  • The Central Registrar of Births and Deaths.
  • Notifications of infectious diseases, including food poisoning, to Public Health England.
  • The Care Quality Commission which has the powers of inspection and access to required documentation.
  • Investigations by regulators of professionals e.g. General Medical Council and the Nursing and Midwifery Council.
  • Coroners investigations into the circumstances of a death.
  • Reports of deaths, major injuries and accidents to the Health and Safety Executive.
  • Information to the Police or other agency when required by law.
  • For safeguarding children or vulnerable adults.
  • To protect your vital interests, your data may be shared in an emergency.
  • When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals.

The Trust holds contracts with other organisations who process data on our behalf (Data Processors) in order to deliver healthcare. We ensure that these Data Processors are legally and contractually bound to operate within agreed security arrangements, and that they evidence these arrangements are in place wherever data that could or does identify an individual is processed.

In addition, we may share information outside of the European Economic Area (EEA) in accordance with the GDPR.

Coded information about patient care is sent to NHS Digital who manage information sent to the Department of Health & Social Care. This information is used to review the treatment provided to patients across the NHS and identify trends/changes in the health of the population.

What safeguards are in place to ensure data that identifies you is secure?

The NHS Digital Code of Practice on Confidential Information applies to all Trust staff and anyone acting on behalf of the Trust. They are all required to protect your information, inform you of how your information will be used, and in certain circumstances allow you to decide if and how your information can be shared. In addition, all staff are required to ensure that information is kept confidential and must undertake annual Data Security Awareness training on how to do this. This is monitored by the Trust and can be enforced through disciplinary procedures.

We also ensure that the information we hold is kept in secure locations, restrict access to information to authorised personnel only, and protect personal and confidential information held on equipment such as laptops with encryption (which encodes the data so that unauthorised users cannot read or make sense of it, even if the device is lost or stolen).

How long do we hold information for?

All records held by the Trust will be kept for the duration specified by national guidance, the Records Management Code of Practice for Health and Social Care 2016. Once information that we hold has been identified for destruction, it will be disposed of in the most appropriate way for the type of information it is. Personal confidential and commercially sensitive information will be disposed of through approved and secure confidential waste procedures.

Your right to opt out of data sharing and processing

The NHS Constitution states ‘You have a right to request that your personal and confidential information is not used beyond your own care and treatment and to have your objections considered’. For further information please visit: 

The national data opt-out was introduced on 25 May 2018, enabling patients to opt-out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.

By 2020 all health and care organisations are required to apply national data opt-outs where confidential patient information is used for research and planning purposes. NHS Digital has been applying national data opt-outs since 25 May 2018. Public Health England has been applying national data opt-outs since September 2018. 

The national data opt-out replaces the previous ‘type 2’ opt-out, which required NHS Digital not to share a patient’s confidential patient information for purposes beyond their individual care. Any patient that had a type 2 opt-out recorded on or before 11 October 2018 has had it automatically converted to a national data opt-out. Those aged 13 or over were sent a letter giving them more information and a leaflet explaining the national data opt-out. For more information visit

Lawful basis for processing your data

Under the GDPR the Trust has a legal basis for processing patient information without consent, e.g. clinicians consulting with each other about your care needs within the Hospital. The legal justification for this is documented below:

Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Article 9(2)(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in Article 9(3).

Communicating about your care within the NHS does not require your consent to process your personal data to deliver your healthcare and treatment. However, you have the right to object to the processing of your information for purposes other than direct care, e.g. performance management of services or external clinical audits - see the opt-out section above.

It is your choice whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out of your information being used in this way, your confidential patient information will still be used to support your individual care.

Your rights under Data Protection legislation

The Data Protection legislation provides you with the following rights:

  • Right of Access - Request access to the personal data we hold about you, e.g. health records. The way in which you can access your own health records is explained in more detail in our ‘access to records’ section -
  • Right to Rectification - Request the correction of inaccurate or incomplete information recorded in your health records. This is also explained in our 'Access to records’ section.
  • Right to Erasure (right to be forgotten) - This is not an absolute right and does not apply when an organisation’s legal basis for processing is the performance of a task carried out in the public interest or the exercise of official authority - please see above section.
  • Right to Restrict Processing - This applies when you contest the accuracy of your personal data and usually only restricts processing whilst we ascertain whether another right applies.
  • Right to Data Portability - This is not an absolute right and does not apply when an organisation’s legal basis for processing is the performance of a task carried out in the public interest or the exercise of official authority - please see above section.
  • Right to Object to Processing - This is not an absolute right, but you can object where our processing is carried out in the performance of a task in the public interest or in the exercise of our official authority. However, this request may not always be met if we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.
  • Rights related to automated decision making including profiling - This is your right to challenge any decisions made about you without human intervention (automated decision making).

If you wish to exercise any of the above rights please contact the Data Subjects Rights Team:

Information Governance Department
St Mary's Hospital
Isle of Wight
PO30 5TG

Tel 01983 822099 Ex 4091

Email -

For access to the health records of deceased individuals, the Access to Health Records Act 1990 applies. Please contact the Data Subjects Rights Team at the above address.

Requesting Non-Personal Information

The Freedom of Information Act 2000 (FOIA) gives individuals a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector. You can request any information that the Trust holds that does not fall under an exemption. This does not include your own personal information, which is covered by Data Protection Legislation; you can request that under the right of access – see the section above.

Your request must be in writing and can be either emailed or posted to:

Information Governance Department
St Mary's Hospital
Isle of Wight
PO30 5TG

Email -

Complaints or concerns:

If you have a complaint or concern about how we have handled your personal data, please contact our Data Protection Officer who will address your concerns and investigate the matter further.

For independent advice about data protection, privacy, data sharing issues and your rights you can contact:

Information Commissioner’s Office
Wycliffe House, Water Lane

Telephone: 0303 123 1113 (local rate) or 01625 545 745
Visit the ICO website.

Cookies and other Tracking Technologies

Our analytics provider uses technologies such as cookies, beacons, tags and scripts to analyse trends, administer the website, track users' movements around the website, and gather demographic information about our website visitors as a whole. A cookie is a small file stored on your computer by a website which gives you a numeric user ID and stores certain information about your activity on the site. We use cookies to let us know that you are a returning visitor and to provide certain features to you. Most web browsers automatically accept cookies, but most also allow you to instruct your browser to block them. If you block cookies you will not experience any functionality problems with our website.

Use of Email and SMS text

Some services in the Trust now provide the option to communicate with patients via email and SMS text. Please be aware that the Trust cannot guarantee the security of this information whilst in transit over these channels (for example, an SMS or an email to a personal account may be readable by a third party), and by choosing to use this service you are accepting this additional risk.

Any e-mails sent by Trust staff for the purpose of your healthcare which contain your personal information are appropriately protected by NHS Security Standards including encryption where required. More information can be found at:

Links to other websites

This privacy notice does not cover the links included within this notice linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This Privacy Notice was last updated in August 2020.

If you would like to submit any comments or feedback regarding our Privacy Notice please email these to

Appendix A

Activity: GP Referral Review

Purpose - To process your GP referral via the Trust's Electronic Referral System (ERS), which will include personal information as well as special category data (health information) regarding your referral. Medefer will be provided with any relevant tests and clinical letters in relation to your referral, either by the GP directly or by accessing the Trust's electronic patient records. Medefer will then contact you regarding your referral and provide you with further information on how your referral will be progressed.

Legal Basis - GDPR Art. 6(1)(e) and Art. 9(2)(h).

Data Controller - The Trust uses a company called Medefer, with which we have an NHS contract in place. For the purpose of the contract the Trust and Medefer are joint data controllers. For further details please visit Medefer's website.
