The Royal Wolverhampton NHS Trust Privacy Notice

Data Controller: The Royal Wolverhampton NHS Trust Privacy Notice

The General Data Protection Regulation 2016 (GDPR) is the biggest change in data protection law for 20 years. It applies from 25 May 2018 and will allow greater transparency and control over the way in which your personal data is used. Personal information can be anything that can be used to identify you. This notice is a statement by the Trust detailing the ways in which we use, disclose, and manage your information. It fulfills a legal requirement to inform you, as the patient, what happens with your personal information and what rights you have in relation to such data.

The Trust provides its services from the following locations:

  • New Cross Hospital - Secondary and Tertiary Services, Maternity, Emergency Department, Critical Care and Outpatients.
  • West Park Hospital - Rehabilitation Inpatient and Day Care Services, Therapy Services and Outpatients.
  • More than 20 Community sites - Community Services for Children and Adults, Walk in Centres and Therapy and Rehabilitation Services.
  • Cannock Chase Hospital - General Surgery, Orthopaedics, Breast Surgery, Urology, Dermatology, and Medical Day Case Investigations and Treatment (including Endoscopy).
  • Primary care vertical integration GP Partnerships – As of 1 April 2023, nine GP Practices are now part of the Trust which will see RWT directly responsible for the delivery of care as listed below:-

Our Vertical Integration practices

  • Alfred Squire Road Health Centre
  • Coalway Road Surgery
  • Lea Road Medical Practice
  • Oxley Surgery
  • Penn Manor Medical Centre
  • Tettenhall Road Medical Practice
  • Thornley Street Surgery
  • Warstones Health Centre
  • West Park Surgery

At RWT we aim to provide you with safe and effective care to the highest standards. To do this, your doctor and the team of health professionals caring for you will keep records about your health and any care you receive from the Trust. These are called your Health Records and may be stored in paper form or on computer systems. They may include:

  • Basic details such as your name, address, date of birth, NHS number, gender, next of kin, and ethnicity
  • Details of your hospital appointments/visits
  • Notes and reports about your health, treatment and care 
  • Results of x-rays, scans and laboratory tests 
  • Relevant information from people who care for you and know you well, such as health professionals and relatives    

It is very important that your personal details are accurate and up to date and we will often check with you at appointments or visits that these details are correct.

Why do we collect information about you?
To help in providing you with care:

  • Accurate up to date information helps us provide the right care
  • Full information is available should you see another doctor, or be referred to a specialist or another part of the NHS

To help the NHS:

  • Prepare statistics on NHS performance
  • Audit NHS services
  • Monitor how we spend public money
  • Plan and manage the health service
  • Teach and train healthcare professionals
  • Conduct health research and development


As a data controller, the Trust must establish and publish the lawful basis that it relies on for processing personal data and special categories of data (sensitive data). The following table indicates the main legal basis that the Trust is relying on for its processing activities.

Generally, most of the processing we carry out is to deliver your care and is covered by the following legal provisions:

  • For the performance of a task carried out in the public interest or in the exercise of official authority, to deliver you a health care service
  • For medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

 The table details other reasons we may process and the reasons under the law that support this.

Lawful basis for direct care and administrative purposes

Type of processing: All health and adult social care providers are subject to the statutory duty to share information about a patient for their direct care. This would also include

(a) preventive or occupational medicine,
(b) the assessment of the working capacity of an employee,
(c) medical diagnosis,
(d) the provision of health care or treatment,
(e) the provision of social care, or
(f) the management of health care systems or services
(g) waiting list management
(h) performance against national targets
(i) activity monitoring
(j) local clinical audit

GDPR Article 6 condition for personal data: 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

GDPR Article 9 condition for special categories (sensitive data): 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

6(1)(d) is available in life or death situations but should not be necessary for health or social care organisations to use in the performance of its tasks. This might apply in a situation where an organisation needs to act to prevent harm being caused by a patient or service user, to someone who has no relationship with the organisation.

Statutory basis or other relevant conditions:

NHS Trusts National Health Service and Community Care Act 1990

NHS England’s powers to commission health services under the NHS Act 2006 or to delegate such powers

251B of the Health and Social Care Act 2012

Lawful basis for commissioning and planning purposes

Type of processing: Most national and local flows of personal data in support of commissioning are established as collections by NHS Digital either centrally, or for local flows by its Data Services for Commissioners Regional Offices (DSCRO).
Where the collection or provision of data is a legal requirement, for example where NHS Digital is directed to collect specified data, and can require specified organisations to provide it,

GDPR Article 6 condition for personal data: 6(1)(c) ‘…for compliance with a legal obligation…’

GDPR Article 9 condition for special categories (sensitive data): 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Statutory basis or other relevant conditions: Commissioners may receive personal data in support of commissioning where confidentiality is set aside by provisions under the Control of Patient Information Regulations 2002, commonly known as ‘section 251 support’. This support does not remove the need for GDPR compliance.

The commissioning of individually tailored services, or for example the approval of individual funding requests should operate on the basis of consent for confidentiality purposes.

Lawful basis for research

GDPR Article 6 condition for personal data: 6(1)(f) ‘…legitimate interests…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject…’

GDPR Article 9 condition for special categories (sensitive data): 9(2)(j) ‘…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or member State law which shall be proportionate…and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject…’

Statutory basis or other relevant conditions: A pre-condition of applying Article 9(2)(j) is that the processing has a basis in UK (or EU) law. This basis will include compliance with the common law duty of confidence, the provisions of DPA18 that relate to research, statistical purposes etc. and other relevant legislation, for example section 251 support.

Lawful basis for regulatory and public health functions

Type of processing: Processing that is necessary for reasons of public interest in the area of public health, and is carried out
(i) by or under the responsibility of a health professional, or
(ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

GDPR Article 6 condition for personal data: 6(1)(c) ‘…necessary for compliance with a legal obligation…’

GDPR Article 9 condition for special categories (sensitive data): 9(2)(j) ‘…necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’

Statutory basis or other relevant conditions: Health Protection (Notification) Regulations 2010; Public Health (Control of Disease) Act 1984, as amended by the Health and Social Care Act 2008

Lawful basis for safeguarding

GDPR Article 6 condition for personal data: 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

GDPR Article 9 condition for special categories (sensitive data): 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law…’

Statutory basis or other relevant conditions: Children Acts 1989 and 2004, and the Care Act 2014

Lawful basis for employment purposes

GDPR Article 6 condition for personal data: 6(1)(b) ‘For the performance of a contract to which the ‘individual’ is a party’

6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

GDPR Article 9 condition for special categories (sensitive data): 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law…’

Statutory basis or other relevant conditions: Safeguarding Vulnerable Groups Act 2006 as a basis for Disclosure and Barring Service (DBS) checks and other processing of such data


We may share information about you with the following agencies in order to support the delivery of your care:

  • Department of Health and other NHS bodies
  • Clinical Commissioning Groups (CCGs)
  • Other providers involved in your care, such as hospitals
  • General Practitioners (GPs) in Wolverhampton, and out of area if you are not from Wolverhampton
  • Ambulance Service
  • Mental health services
  • Social services

We may also share your information, with your consent and subject to strict sharing protocols about how it will be used, with:

  • Education services
  • Local authorities
  • Voluntary sector providers
  • Private sector

We may also share your information with others that need to use records about you to carry out the following:

  • Check the quality of treatment or advice we have given you
  • Protect the health of the general public
  • Manage the health service
  • Help investigate any concerns or complaints you or your family have about your healthcare

We are also working with other providers of healthcare services to bring you new technologies, such as Sensyne. They are supporting the Trust to help us offer you a better service and to manage the services and data we have, so that we can provide you with a better care experience.

This will be done with protocols or agreements in place to govern the sharing of data to ensure it is adequate and relevant to the purpose listed above.

Some information we have to share is used for statistical, research or audit purposes, and in these instances we take strict measures to ensure that individual patients cannot be identified and where appropriate anonymisation and pseudonymisation techniques will be used to protect your identity.

Anyone who receives information from us also has a legal duty to keep it confidential and secure.

Please note the public car parks on our New Cross site have Vehicle Number Plate Recognition (VNPR) systems to monitor access and calculate appropriate car parking charges. This information is not processed by the Trust but by a third party organisation called VeriPark. For further information on how they process your personal data, their legal basis to do so, for what purpose, and who to contact with regard to any personal data they may hold about you, please see Privacy Policy – VeriPark.

If you do not wish personal data that we hold about you to be used in the way that is described in this notice, please discuss the matter with us. You have the right to object in certain circumstances, such as where you have given consent to the processing or have entered into a contract, but this may affect our ability to provide you with care or advice.


The Trust will collect data about you in a number of ways. The main method of collection is from you directly.

Face to face:
Most of the information we hold about you will be collected from you at the time you engage with the service. Any data provided will be used for the reasons listed in this notice, and only relevant data will be requested and recorded.

Telephone calls: 
The information you disclose over a telephone call may be recorded by the Trust either to support your care or as a record of the conversation. Ordinarily we will inform you if we record or monitor any telephone calls you make to the Trust. This is to increase your security, for our record keeping of the phone call and for training and quality purposes.

Video consultations: 
The information you disclose during a video conference may be recorded by the Trust or a third party supporting our provision of video consultation services. This will be for the purposes of supporting your care or as a record of the consultation. Information about the consultation may also be used to improve the availability and quality of video consultations.

If you email us we may keep a record of your contact and your email address for our record keeping.

Other organisations:
We may receive information from other organisations that are also required by law to share information with us about you, to help us have a full picture of your needs and provide you with care.

Referrals - We may receive referrals or a transfer of your notes to specific specialties as a result of your care being transferred to our organisation. This can be from another Trust, your GP or any health or social care provider initiating a referral.

Direct access - The Trust and its staff may, on a need to know basis, have access to specific clinical systems from other organisations, such as the summary care record and other Trust clinical systems, in order to access information about you that is relevant to your care delivery. All systems are auditable and access is on a need to know basis.


Below is a list of the rights you have in relation to your data and when they apply. To make an application for any of the below rights please contact the Health Records Access Team  rwh-tr.healthrecordsaccess@nhs.net in the first instance. All rights should be considered within 30 calendar days from date of receipt, but may be extended if complex. 


The Right of Access
You have the right to request a copy of any information held by the Trust as well as any supplementary information. See ‘How do I request my information?’ for details on how to request your information.



Right to Rectification
If you believe your information may be inaccurate or incomplete you can make a request to have your information reviewed. 


The Right to Erasure
The right to erasure, also known as the ‘right to be forgotten’, introduces a right for you to have personal data erased. Generally this right is not available with health care data. Where this right is available for specific processing you will be notified.


The Right to Restrict Processing 
The right to restriction allows you to request the restriction or suppression of your personal data. This right is closely linked with the right to rectify and the right to object and will only apply if:

  • you contest the accuracy of your personal data and the accuracy is being verified by the Trust;
  • the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and you oppose erasure and request restriction instead;
  • the personal data is no longer needed but we need to keep it in order to establish, exercise or defend a legal claim.


The Right to Data Portability 
The right to data portability allows you to obtain and reuse your personal data across different services. The process should allow for moving, copying or transfer of personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The right to data portability is not an absolute right and generally will not apply to your health care record unless: 

  • The processing is based on your consent or in the performance of a contract; 
  • When processing is carried out by automated means.

The Right to Object

The right to object to processing means that data should cease to be processed. This right applies only where data is obtained with your consent. In most cases we rely on our legal basis to process your data and not consent and therefore for care purposes this right may not apply. If your data is used for any other reason this right may apply, but would have to be assessed on an individual basis.


Use of profiling
Profiling is automated processing of personal data to evaluate certain things about an individual.  The Trust may use profiling techniques for health care planning purposes.  An example of this type of processing is the process of risk stratification of patients based on frequency of attendance. 


RWT is working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments 
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law. 

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.  This is called the National Data Opt Out. 

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone 
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

  • https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
  • https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. 

Our organisation is currently compliant with the national data opt-out policy.


You have a right to see or have copies of any information held by the Trust that relates to you free of charge. We have the right to charge an administration fee in situations where repeated requests are received for the same information or the request is excessive. You will be required to prove your identity when making requests.

Subject Access Requests under GDPR rules (post 25 May 2018) will be processed within 30 days. However, once our teams have established the volume of records requested, there may be a requirement to extend this by up to a further 2 months. We will contact you within 30 days should this be the case.

To request access to health records please complete a Subject Access Request form, link provided below, and forward on to: 

Health Records Access Team 
Health Records Library 
Location B19 
New Cross Hospital 
Wednesfield Road 
WV10 0QP

Email: rwh-tr.healthrecordsaccess@nhs.net  
Telephone: 01902 307999 Extension 85544/85545/88093

Subject Access Request form  (PDF, 171Kb)   

Subject Access Request form (Word, 54Kb)

The Health Records Access Team also deal with the Health Records of deceased persons.

Access to the health records of a deceased person is governed by the Access to Health Records Act (1990). Under this legislation when a patient has died, only their personal representative, executor or administrator of their will, or anyone having a claim resulting from the death (this could be a relative or another person), has the right to apply for access to the deceased’s health records.

Access to Health Records Request form (PDF, 111Kb)

Access to Health Records Request form (Word, 53Kb)


All our records are destroyed in accordance with the NHS Retention Schedule, which sets out the appropriate length of time each type of NHS record is retained. We do not keep your records for longer than necessary.

All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required. For more information please see the Record Management Code for Practice for Health and Social Care 2016, retention schedules.


Data Protection Officer (DPO): Raz Edwards
Email: rwh-tr.IG-Enquiries@nhs.net   
Address: New Cross Hospital, Wolverhampton Road, Heath Town, Wolverhampton WV10 0QP

The Data Protection Officer is a point of contact for advice and guidance in relation to your rights. The DPO is responsible for monitoring the Trust’s compliance with the Data Protection Act 2018 and the General Data Protection Regulations (GDPR) 2016, as well as any policies the Trust has in relation to the protection of personal data. The DPO shall perform their duties in an independent manner with due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

If you have any questions about your care or a complaint, please speak to the health professional involved with your care in the first instance. If this is not resolved to your satisfaction you can contact the Patient Advice and Liaison Service (PALS).

If you have any concerns about how your information is being processed or any of the rights as detailed above, please contact the Trust in the first instance through:

Health Records Access Team 
Health Records Library
Location B19
New Cross Hospital
Wednesfield Road
WV10 0QP

Email: rwh-tr.healthrecordsaccess@nhs.net
Telephone: 01902 307999 Extension 85544/85545/88093

You also have a right to complain directly to the Information Commissioner’s Office if you feel the Trust has not responded effectively to any of the above.

Information Commissioner’s Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113
Website: https://ico.org.uk/


A Teaching Trust of the University of Birmingham