Data Protection 

Barts Health NHS Trust was established by the merger of the former Barts and the London NHS Trust with the former Newham University Hospital NHS Trust and the former Whipps Cross University Hospital NHS Trust. It is an acute trust, serving a population of over a million in East London, with a workforce of over 16,500 staff.

Barts Health is committed to protecting your privacy when you use our services. This privacy notice explains how we use information about you and how we protect your privacy.

Where can I get advice?

The Trust has a Data Protection Officer who makes sure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please contact the Data Protection Officer, Derek Peacock, at or by calling 020 7480 4892 and asking to speak to the Data Protection Officer. Alternatively, you could write to:

Data Protection Officer
Barts Health NHS Trust
3rd Floor
9 Prescot Street
E1 8PR

General Data Protection Regulation

Do you know what personal information is?

Personal information can be anything that identifies and relates to a living person. This can include information that when put together with other information can then identify a person. For example, this could be your name and contact details.

Why the Trust collects information about you?

Your doctor and other health professionals caring for you keep records about your health and treatment from the National Health Services (NHS). It is in your interest for a full record to be collected.

We may also need to use some information about you to:

  • to enable us to provide healthcare services for patients;
  • manage those services we provide to you;
  • help investigate any worries or complaints you have about your services;
  • check the quality of services
  • data matching under the national fraud initiative;
  • to help with research and planning of new services;
  • supporting, training and managing our employees who deliver those services;
  • keep track of spending on services; and
  • the use of CCTV systems for crime prevention.

Staff and volunteers

For the purposes of running the Trust and meeting statutory requirements the Trust must hold records on you. The Trust will also hold information on job applicants.

How the law allows us to use your personal information

There are a number of legal reasons why we need to collect and use your personal information.

Generally we collect and use personal information where:

  • it is necessary to perform our statutory duties
  • it is necessary to protect someone in an emergency
  • it is required by law
  • it is necessary for employment purposes
  • it is necessary to deliver health or social care services
  • you have made your information publicly available
  • it is necessary for legal cases
  • it is to the benefit of society as a whole
  • it is necessary to protect public health
  • it is necessary for archiving, research or statistical purposes
  • you, or your local representative, have given consent
  • you have entered into a contract with us

For further details please see the section on individual’s rights.

Type/classes of information processed

 ‘Processing’ is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

The Trust process information relevant to the above reasons. The information is either written down (manual records), or held on a computer (electronic records). This may include the following but not all items will be relevant to all individuals:

  • personal details;
  • family details;
  • ethnicity;
  • education, training and employment details;
  • financial details;
  • goods and services;
  • lifestyle and social circumstances;
  • visual images, personal appearance and behaviour;
  • details held in the patients record;
  • responses to surveys.

Some information is ‘special’ and needs more protection due to its sensitivity. It is often information you would not want widely known and is very personal to you. This is likely to include anything that can reveal your:

  • racial and ethnic origin;
  • offences and alleged offences;
  • criminal proceedings, outcomes and sentences;
  • trade union membership;
  • political opinion;
  • physical or mental health details;
  • religious or similar beliefs;
  • sexual life;
  • Genetic/biometric data

Who the information is processed about

The Trust process personal information about:

  • patients;
  • next of kin;
  • suppliers;
  • employees (including students, apprentices, potential employees and volunteers);
  • complainants, enquirers;
  • survey respondents;
  • professional experts and consultants;
  • individuals captured by CCTV images

Where the personal data originates form

The personal data the Trust processes may have been provided by:

  • you
  • your parents, relatives or carers
  • GPs
  • Other hospitals/ NHS Trusts/hospices
  • Ambulance Trust
  • Local authorities
  • Private healthcare
  • Other third parties (including education providers and previous employers)

 How long do we keep your personal information

There’s often a legal reason for keeping your personal information for a set period of time, we try to include all of these in our retention schedule. The Trust policy is based on the Records retention and disposal in line with the Records management Code of Practice for Health and Social Care 2016. (

How do your records help you?

Your records are used to guide and administer the care you receive. They help us to make sure that:

  • We have accurate, up to date information about your health;
  • You receive the best quality of care;
  • Information is easily accessible within the Trust, because this helps us to make decisions about your future healthcare needs;
  • Any concerns you may have about your health are properly investigated;

Who the information may be shared with

Everyone working for the NHS has a legal duty to maintain the highest level of confidentiality.

Your manual healthcare records are kept in secure areas and the electronic records are kept securely with the necessary controls. Generally these records will only be seen by those involved in providing or administering your care. A few administration processes require information that may identify you; however most processes will use anonymous information

The Trust sometimes need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the General Data Protection Regulations (GDPR). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.

Where necessary or required we share information with:

  • patients;
  • family, associates and representatives of the person whose personal data we are processing;
  • staff;
  • current, past or potential employers;
  • healthcare, social and welfare organisations;
  • suppliers to support systems, service providers, legal representatives;
  • auditors and audit bodies;
  • educators and examining bodies;
  • survey and research organisations;
  • professional advisers and consultants;
  • police forces;
  • security organisations;
  • central and local government;

The Trust will discuss with you before information is shared to ensure we act with your consent. If you are unable to consent for any reason, we will only share information where it is clearly in your best interests to do so or it is required by law. This includes:

  • Notification of new births or deaths;
  • If infectious diseases will endanger the safety of others, such as meningitis, tuberculosis or measles (but not HIV or AIDS);
  • For child protection reasons;
  • When a formal court order is issued.
  • In an emergency when there is risk of loss of life or limb
  • For the prevention or detection of a crime

Information will not be passed to your friends, relatives or careers without your signed consent.

Staff and Volunteers

Information on staff and volunteers may be shared with third parties that provide services to the Trust and in order to comply with statutory requirements.

How do your records help the NHS?

Your information helps us:

  • Monitor your quality of care;
  • Meet the general public’s health needs;
  • Make sure our services meet future needs;
  • Teach and train healthcare professionals;
  • Conduct health research, development and audit;
  • Transfer to other providers to improve care;
  • Investigate a complaint you have made;
  • Prepare statistics on NHS performance.

Access to your health information used for these purposes is controlled and monitored. When information is used for statistical purposes, we do not identify individual patients’ details.

Some information may also be passed on to other organisations with a legitimate interest (ie planning services with other organisations outside the NHS).


It may sometimes be necessary to transfer personal information overseas. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the GDPR.

Your rights

Under the GDPR you as a data subject have the following rights

  • the right to be informed;
  • the right of access;
  • the right to accuracy and making changes (rectification);
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object; and
  • the right not to be subject to automated decision-making including profiling

Not all rights will apply depending on the lawful basis chosen by the Trust for that processing. Most of the Trust processing is covered by the public task.



Right to erasure

Right to portability

Right to object




X but right to withdraw consent





Legal obligation




Vital interests




Public task




Legitimate interests





Ask for access to the information we hold on you

We would normally expect to share what we record about you with you whenever we assess your needs or provide you with services. However, you also have the right to ask for a copy of all the information, both paper and electronic, we have about you and the services you receive from us. We will aim to provide the requested information to you within 30 days, but if we are unable to do so then we will explain the problem to you. In most cases we will provide a copy of the information to you for free but there are some circumstances where we will need to charge.

However, at times we may not be able to share your whole record with you particularly if the record contains:  

  • Confidential information about other people; or
  • Data a professional thinks will cause serious harm to your or someone else’s physical or mental wellbeing; or
  • It might affect a police investigation

We may need to ask for further information to help us reply to your request and the Trust has a form which you can download.

Details of how to make a request and the form can be obtained on

Staff & Volunteers

You have the right to ask for a copy of all personal information relating to you held by the Trust. Please send your request to

Ask to change information you think is inaccurate or incomplete

 You should let us know if you disagree with something written on your file.


We may not always be able to change or remove that information but we’ll correct factual inaccuracies and may include your comments in the record to show that you disagree with it.  

Ask to delete information (right to be forgotten)

In some circumstances you can ask for your personal information to be deleted, for example: 

  • Where your personal information is no longer needed for the reason why it was collected in the first place
  • Where you have removed your consent for us to use your information (where there is no other legal reason for us to use it)
  • Where there is no legal reason for the use of your information
  • Where deleting the information is a legal requirement

Where your personal information has been shared with others, we’ll do what we can to make sure those using your personal information comply with your request for erasure.

Please note that we can’t delete your information where:  

  • we’re required to have it by law
  • it is used for freedom of expression 
  • it is used for public health purposes
  • it is for, scientific or historical research, or statistical purposes where it would make information unusable
  • it is necessary for legal claims 

 Ask to limit what we use your personal data for.

You have the right to ask us to restrict what we use your personal information for where:

  • you have identified inaccurate information, and have told us of it
  • where we have no legal reason to use that information but you want us to restrict what we use it for rather than erase the information altogether

When information is restricted it can’t be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it’s for important public interests of the UK.

Where restriction of use has been granted, we’ll inform you before we carry on using your personal information.

Where possible we’ll seek to comply with your request, but we may need to hold or use information because we are required to by law.

Ask to have your information moved to another provider (data portability)

You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.

However this only applies if we’re using your personal information with consent (not if we’re required to by law) and if decisions were made by a computer and not a human being. 

It’s likely that data portability won’t apply to most of the services you receive from Barts Health. 

You can ask to have any computer made decisions explained to you, and details of how we may have ‘risk profiled’ you.

You have the right to question decisions made about you by a computer, unless it’s required for any contract you have entered into, required by law, or you’ve consented to it. 

You also have the right to object if you are being ‘profiled’. Profiling is where decisions are made about you based on certain things in your personal information. 

If and when Barts Health uses your personal information to profile you, in order to deliver the most appropriate service to you, you will be informed. 

How do we protect your information?

We’ll do what we can to make sure we hold records about you (on paper and electronically) in a secure way, and we’ll only make them available to those who have a right to see them. Examples of our security include:

  • Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what’s called a ‘cypher’. The hidden information is said to then be ‘encrypted’.
  • Pseudonymisation, meaning that we’ll use a different name so we can hide parts of your personal information from view. This means that someone outside of Barts Health could work on your information for us without ever knowing it was yours
  • Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it
  • Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong
  • Regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches) 

Where can I get advice?

The Trust has a Data Protection Officer who makes sure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please contact the Data Protection Officer, Derek Peacock, at or by calling 020 7480 489. Alternatively, you could write to

Data Protection Officer
Barts Health NHS Trust
The Royal London Hospital
Room 701, 7th Floor, John Harrison House, Philpot Street
London. E1 2DR

Telephone: 02035946027

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Cheshire. SK9 5AF

Telephone: 03031231113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Alternatively, visit or email




Barts Health NHS Trust uses cookies to help us understand how people use our website. We use cookies to capture which pages are most popular, how long people spend on each page and what links they use to access the information they are seeking. We may also use cookies to enable the website to ‘remember’ details that you voluntarily give, such as when you complete online forms, so that you do not have to retype the information next time you use the website.

By using this website you are implying consent for these cookies to be placed on your computer. If you would like to remove these cookies and opt-out of the services that use them you can by selecting the appropriate settings on your browser.

What is a cookie?

A cookie is a simple text file that is stored on your computer or mobile device by a website’s server and only that server will be able to retrieve or read the contents of that cookie. Each cookie is unique to your web browser. It will contain some anonymous information such as a unique identifier and the site name and some digits and numbers. It allows a website to remember things such as your preferences or remembers your details when filing out a form. They are controlled by your computer. If you visit the Tools section in your browser menu, you will find details of your cookies settings.

Cookies may come with or without an expiry date. Cookies without an expiry date exist until the browser is closed, while cookies with an expiry date may be stored by the device until the expiry date passes.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

You can set your browser to warn you before accepting cookies, or you can set it to automatically reject them. Please note that by rejecting cookies it may inconvenience you in browsing our website. See your browser 'help' button for how to change your cookie settings.

Google analytics

Google Analytics

The Barts Health website uses Google Analytics, a web analytics service provided by Google, Inc. ("Google"). Google Analytics uses cookies, which are text files placed on your computer, to help the website analyse how users use the site.

By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

Links to other websites

Barts Health NHS Trust website contains links to other websites of interest. However, once you have used these links to leave this website, you should note that we do not have any control over that other website. We cannot be responsible for the protection and privacy of any information which you provide while visiting such websites, and such websites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question. We recommend that you review the websites privacy policy as a precautionary measure. The trust does not endorse any external sites and is not responsible for their content.