Privacy Policy & Data Protection

Privacy Notice: 15 March 2024

This Privacy Notice explains how North Bristol NHS Trust ("we," "us," or "our") collects, uses, discloses, and protects personal information as a Data Controller in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to protecting your privacy and handling your personal information responsibly.

Purpose of Processing Personal Information

We collect and process personal information for the following purposes:

  • Providing healthcare services and treatment
  • Managing and administering your healthcare records
  • Facilitating communication between healthcare professionals
  • Conducting research, audits, and clinical trials
  • Ensuring the safety and quality of our services
  • Planning and managing the healthcare system
  • Complying with legal and regulatory obligations

Types of Personal Information Collected

We may collect the following types of personal information:

  • Basic details (e.g., name, address, date of birth)
  • Contact information (e.g., phone number, email address)
  • Health and medical information
  • Relevant social and personal circumstances
  • Financial information (where necessary for payment purposes)
  • Information related to your care and treatment
  • Identifiers (e.g., NHS number, patient identifier)
  • Research data (where applicable and with consent)
  • Any other information necessary for providing healthcare services

What information do we collect online?

You may choose to submit personal information about yourself (e.g., name, email, address) through the webforms we provide. By entering and submitting your details in the fields requested, you are consenting to North Bristol NHS Trust and our service providers processing your data and providing you with the services you select. Any information you provide to North Bristol NHS Trust will only be used by us, our agents and service providers and will not be disclosed unless we are obliged or permitted by law to do so.

At North Bristol NHS Trust (NBT) we value your privacy and want to ensure you understand how your data is used and protected.  This notice is to inform you about your rights regarding the use of your personal data.

Under UK data protection legislation you have the right to make choices and have certain rights when it comes to your personal data.  However, there are specific situations where these rights may not apply.  There is an important exception when it comes to your healthcare.

In the UK, patients generally cannot opt out of their healthcare. The National Health Service (NHS) has a legal obligation to provide healthcare to all residents, and individuals are generally not permitted to refuse necessary medical treatment.

NHS organisations, like NBT, have legal grounds to process confidential and sensitive information under various laws and obligations.

Legal Basis for Processing Personal Information

We rely on the following legal bases for processing personal information:

Legal Obligation: We have a legal obligation to process person identifiable data to provide healthcare services.  This obligation is enshrined in various laws and regulations, including the National Health Service Act 2006 and the Health & Social Care Act 2012.

Public Task: Processing person identifiable data is often necessary for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the NHS.  This includes providing healthcare services, public health initiatives and medical research.

Consent: While consent is an important aspect of data processing, in the context of healthcare, NHS organisations can rely on alternative legal bases such as legal obligations, or public tasks, rather than explicit consent.  However, consent will always be sought whenever appropriate.

Vital Interests: Processing person identifiable data may be necessary to protect the vital interests of the patient or other individuals, particularly in emergency situations where obtaining consent may not be feasible.

Statutory and Regulatory Obligations: NBT must comply with various statutory and regulatory obligations related to individuals’ data protection, including the UK General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018.

Sharing Personal Information

We may share your personal information with the following parties:

  • Healthcare professionals and providers involved in your care
  • NHS organisations and other healthcare bodies
  • Public health agencies and authorities
  • Research organisations (with your consent)
  • Our suppliers and service providers (e.g., IT support, payment processors)
  • Regulatory bodies, auditors, and legal advisors
  • Law enforcement agencies and courts (where required by law)

Please note: When you've shared your contact details with the hospital or provided someone else's telephone or mobile number for your records, that specific number will be used to send you notifications and important information about your care via SMS text messages.

International Data Transfers

In certain circumstances, we may transfer your personal information to countries outside the European Economic Area (EEA). If such transfers occur, we will ensure appropriate safeguards are in place to protect your personal information.

Data Retention

We will retain your personal information in accordance with applicable laws and regulations and in accordance with the NHS Records Management Code of Practice. We will securely dispose of personal information when it is no longer required for the purposes stated in this Privacy Notice.

Your Rights

You have certain rights regarding your personal information, including the right to:

  • Access and obtain a copy of your personal information
  • Rectify inaccurate or incomplete personal information
  • Erase your personal information in certain circumstances
  • Restrict or object to the processing of your personal information
  • Data portability, where applicable
  • Withdraw consent, where applicable

To exercise your rights or if you have any privacy-related concerns or questions, please contact our Data Protection Officer or Caldicott Guardian using the details provided below.

Security Measures

We implement appropriate technical and organisational measures to safeguard your personal information from unauthorised access, disclosure, alteration, or destruction. We regularly review and update our security practices to ensure the ongoing protection of your personal information.


If you believe that we have violated your privacy rights or mishandled your personal information, please contact our Data Protection Officer, or make a formal complaint using the details provided below. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK or the relevant supervisory authority in your country of residence.

Contact Information

If you have any questions or concerns about our privacy practices or this Privacy Notice, please contact our:

Data Protection Officer

Helen Williamson
Head of Information Governance

Caldicott Guardian(s)

Tim Whittlestone
Chief Medical Officer

Sanjoy Shah
Deputy Chief Medical Officer


Patient Advice and Liaison Service (PALS)
Telephone: 0117 414 4569


The Complaints Team
Telephone: 0117 414 4567 or 0117 414 3669

Managing preferences and withdrawing consent

Consent means offering individuals genuine choice and control. Under the General Data Protection Regulation, consent requires a positive opt-in.

We will not use pre-ticked boxes or any other method of consent by default.

As explicit consent requires a very clear and specific statement of consent, we will ensure that this is done.

  • We will keep consents separate from other terms and conditions
  • We will be specific and granular, clear and concise
  • We will name any third-party controllers who will rely on consent as required
  • We will make it easy for people to withdraw consent.

We will:

  • keep evidence of consent - who, when, how and what individuals were told
  • keep consent under review and refresh if and when anything changes
  • avoid making consent a precondition of a service.

Using personal information in the wider Health Service

Prior to the launch of the national data opt-out, individuals could set two types of general opt-outs via their GP practice:

  • A type 1 opt-out prevents information that identifies individuals being shared outside of their GP practice, for secondary uses.
  • A type 2 opt-out prevented confidential patient information from being shared outside of NHS Digital for purposes beyond individual care.

Type 1 opt-outs continue to be honoured until September 2020 at the earliest when the Department of Health and Social Care (DHSC) will consult with the National Data Guardians before confirming their removal.

Type 2 opt-outs have been replaced by the national data opt-out and are no longer valid. All type 2 opt-outs recorded in GP practices up to and including 11 October 2018 have been migrated to become national data opt-outs.

NHS Digital would have written to inform people who previously registered a type 2 opt-out of this change.

More information on the conversion of type 2 opt-outs can be found on the NHS Digital website.

Other national and local opt-outs for specific purposes (for example summary care record opt-out) remain in place and should continue to be applied, when appropriate, alongside the national data opt-out.

Who can opt out?

Any person registered on PDS (and consequently with an NHS number allocated to them) is able to set a national data opt-out.

This covers most patients who have received health or care services in England and, therefore, have data about them in the health and care system in England.

Channels to set a national data opt-out

Several different channels are available for the public to set a national data opt-out. These are:

  • a digital (online) channel accessed via the national data opt-out service.
  • for those who need support to set their national data opt-out preference online, a digitally assisted channel is provided that enables members of the public to set a national data opt-out with assistance from NHS Digital staff via the national helpline.
  • a non-digital (paper based) channel accessed by the national helpline or through forms which can be printed from the webpages, and via the NHS App.

There are some points that apply to specific groups with respect to setting a national data opt-out:

  • Individuals aged 13 or over are able to set a national data opt-out via the digital, digitally assisted and non-digital channels.
  • Those with parental responsibility (parents & legal guardians) are able to set a national data opt-out on behalf of a child under the age of 13 via the non-digital channel only.

There is a specific form that allows a choice to be set for up to 6 children at once. Any national data opt-out that has been set by a person with parental responsibility for a child under the age of 13 will remain in place unless and until it is proactively changed.

  • Those who have a formal proxy relationship to make decisions on behalf of another adult (either a lasting power of attorney or a court appointed deputy) are able to set a national data opt-out on behalf of that person via the non-digital channel only.
  • Individuals in the secure and detained estate (e.g., prisons) are able to set a national data opt-out through the healthcare professionals working in these settings.
  • Individuals who have agreed with their GP for their records to be marked as sensitive will be offered the choice to set a national data opt-out through the established processes to set (or remove) a sensitive flag.
  • A national data opt-out cannot be set for a deceased patient unless they have explicitly stated this in a last will or testament. This can only be done via the non-digital channel.

A national data opt-out is stored against a person’s individual record on the NHS Digital Spine against their NHS number.

In some circumstances individuals may be allocated a new NHS number. The rules of how any existing national data opt-outs are applied to the new NHS number and in relation to other changes of circumstances are outlined in brief below.

Assigning new NHS Numbers

In instances where individuals are allocated a new NHS number, any existing national data opt-out will not automatically be transferred to the new record.

This will include the following:

  • Adoptions
  • Gender reassignment
  • Identity protection

Instead, such individuals will receive a letter informing them of the national data opt-out to ensure that they understand their options, either via NHS Digital or the individual who is handling their case.

Connecting Care Records

Connecting Care is a local electronic patient record that allows health and social care professionals directly involved in your care to share a summary of your medical record.

Your Connecting Care record will help those caring for you to manage your care better and allow information to be shared quickly and safely. Only authorised staff providing health services across Bristol, South Gloucestershire and North Somerset can access your record.

For more information about Connecting Care, visit the Connecting Care website, which includes information on:

  • What Connecting Care is
  • Why share information
  • How information is protected
  • How to Opt-Out/In

Changes to our policy

If our privacy policy changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.

Contact Information Governance

If you have any queries regarding a Subject Access Request, please contact Information Governance.
Telephone: 0117 414 2019 (option 1)

If you have any queries regarding Freedom of Information requests, please contact the FOI team.