Information Governance

Effective from March 2025

Public health emergency privacy notice describes how we may use your information to protect you and others during public health emergencies, such as the Covid-19 outbreak. 

This notice has been produced to supplement our current privacy notices and describes how University Hospitals of Derby and Burton (UHDB) NHS Foundation Trust may use your personal information to protect you and others during the public health emergencies. It is designed to be adaptable for any future public health crises and complies with the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018.

For general data protection practices across UHDB, including those unrelated to public health emergencies, please view general privacy notice.

This notice was significantly updated in 2022 after a change to the law. The Covid-19 and Coronavirus Testing privacy notices were first written when the emergency response began in 2020.

Organisations that existed in 2020 have also changed. NHSX merged with NHS England and Improvement and NHS Digital. Public Health England is now the UK Health Security Agency.

Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health.

Access GOV.UK website for Coronavirus (Covid-19) testing privacy information (opens in new window) >

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency was used during the first two years of Covid-19. Access GOV.UK website for Coronavirus (COVID-19): notification to organisations to share information (opens in new window) >. The continuing use of personal or confidential data about Covid-19 rests on other lawful bases.

If you require to see archived versions of the Covid-19 privacy notice, please email uhdb.dataprotectionofficer@nhs.net

We may update this privacy notice to reflect changes in our data processing practices or legal requirements. Updates will be posted on our website, and it is encouraged that you review this notice periodically.

Use of health and care information during public health emergencies

During public health emergencies, health and care information becomes crucial to:

• Deliver care to individuals: ensuring that patients receive necessary medical care and support during health crises.
  
  
• Support health and social care services: assisting healthcare providers in managing resources, treatment, and care delivery.
  
  
• Protect public health: contributing to efforts to control and mitigate the spread of disease.
  
  
• This notice is applicable during pandemics, epidemics, or other public health emergencies where the rapid collection, use, and sharing of data are required to respond effectively. 

Legal basis for data use during public health emergencies

The use of personal and confidential data during public health emergencies relies on lawful bases provided under UK GDPR and Data Protection Act 2018. These may include:

• Public task: processing data necessary for the performance of a task carried out in the public interest, such as public health protection and disease control.
  
  
• Legal obligation: compliance with legal requirements, including the reporting of infectious diseases and adherence to public health regulations.
  
  
• Vital interests: processing data to protect someone's life, particularly in urgent situations where consent cannot be obtained.

National testing and vaccination programs 

In the event of a public health emergency, national testing, vaccination, and treatment programs may be implemented. Information on how your data is used and shared as part of these programs will be provided through official channels, such as the Government website and related public health platforms.

Data sharing during public health emergencies

During public health emergencies, the sharing of personal and confidential information may be necessary to:

• Coordinate care: share information with healthcare providers, public health authorities, and other relevant bodies to ensure effective care delivery and public health management.
  
  
• Monitor and control the spread of disease: share data with national and international health organisations to track, manage, and mitigate the spread of infectious diseases.
  
  
• Data sharing during these times will always be conducted with strict adherence to data protection laws, ensuring that only the minimum necessary information is shared.

Amendments to this notice

This privacy notice is intended to be flexible and adaptable for future public health emergencies. The Trust may update this notice as required to reflect changes in the law, public health guidelines, or our data processing practices. The date at the top of this page will be updated with each revision. Please review this notice regularly to stay informed about how your information is being used during public health emergencies. 

Effective from April 2026

University Hospitals of Derby and Burton (UHDB) NHS Foundation Trust recognises the importance of protecting personal and confidential information and committed to ensuring that your privacy is protected.  

The general privacy notice explains how we collect, use, disclose, and protect your personal data, in accordance with the General Data Protection Regulation (GDPR), UK Data Protection Law, Human Rights Act, Common Law Duty of Confidentiality, and other relevant health service legislation.

Data controller

UHDB is the data controller responsible for your personal data.

Key contacts

Email: uhdb.dataprotectionofficer@nhs.net 
Telephone: 07500 052642 or 07384 914130 
Postal address: Information Governance, Level 3, Maternity and Gynaecology Block, Digital and Data Services, Royal Derby Hospital, Uttoxeter Road, Derby, DE22 3NE 
 
The Information Commissioner’s Office (ICO) maintains a public register of organisations that process personal identifiable data.   
The Trust’s registration number is Z8575998.

NHS guidance and leadership roles

In accordance with NHS guidance, the Trust has:

• Caldicott Guardian: an executive director who is responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing. 
  
  
• Senior Information Risk Owner: an executive director with overall responsibility for information risk within the Trust.

Data Protection Officer

The General Data Protection Regulation requires the Trust to appoint a Data Protection Officer to facilitate compliance with the data protection legislation and requirements. This role acts as an intermediary between relevant stakeholders and be the first point of contact for supervisory authorities.

To contact UHDB's Data Protection Officer, please email uhdb.dataprotectionofficer@nhs.net

Definition of personal and sensitive data

• Personal data is information about an identifiable living person, such as name, address, telephone number, date of birth, email address, online identifiers, and credit card/bank details. This includes, but is not limited to, written correspondence, emails, photographs, audio recordings and video recordings.
  
  
• Sensitive data is special categories of personal data. For example, data concerning health, ethnic origin, race, political opinion, religious beliefs, biometric and genetic data. 

Types of personal data we collect:

We collect and process the following types of personal data:

• personal identifiers: name, date of birth, NHS number
• contact information: address, telephone number, email address
• personal characteristics: ethnicity, gender
• health information: diagnosis, treatment plans, test results
• financial information: billing and payment details for private patients.

Purposes of processing your personal data

We process your personal data for the following purposes: 

• Providing healthcare services: to deliver and manage healthcare services, including treatment, diagnosis, and ongoing care.
  
  
• Administrative purposes: to manage appointments, admissions, and referrals.
  
  
• Legal obligations: to comply with legal and regulatory obligations, including reporting to authorities where required by law.
  
  
• Research and audit: to conduct clinical audits, research, and analysis to improve healthcare services and outcomes.
  
  
• Patient feedback: to gather feedback through surveys and questionnaires to improve our services. 

Legal basis for processing

We process your personal data based on one or more of the following legal grounds:

• Performance of a contract: to fulfil our contractual obligations with you. For example, providing healthcare services.
  
  
• Legal obligation: to comply with legal obligations under applicable laws and regulations.
  
  
• Public task: processing is necessary for tasks carried out in the public interest or in the exercise of official authority vested in UHDB.
  
  
• Consent: where applicable and necessary, we will obtain your consent before processing your personal data for specific purposes. 

 
Data sharing

We may share your personal data with the following recipients:

• Healthcare providers: including doctors, nurses, and other healthcare professionals involved in your care.
  
  
• Public health authorities: for disease control, public health monitoring, and reporting.
  
  
• Regulatory bodies: as required by law or regulatory requirements.
  
  
• Research organisations: for research purposes, subject to appropriate safeguards and ethical standards. 

 
International transfers

Your personal data may be transferred and processed outside the European Economic Area (EEA) if necessary. We ensure such transfers comply with applicable data protection laws and regulations.

How we protect your data and ensure confidentiality of information is maintained

UHDB recognises the importance of protecting personal and confidential information and is committed to ensuring that your privacy is protected. The Trust operates in accordance with the General Data Protection Regulation (GDPR), UK Data Protection Law, Human Rights Act, Common Law Duty of Confidentiality, and other Health Service legislation.

• Confidentiality and security: all NHS organisations and everyone who works for the NHS or in partnership with them has a legal duty to keep information confidential and take great care with the security of information and records. 
  
  
• Staff have a legal responsibility to maintain confidentiality and security of all the personal information (patient and staff) we hold and ensure compliance with the Data Protection Law, Caldicott Principles, NHS Code of Confidentiality and Human Rights Act.
  
  
• Data controller responsibilities: the Trust is the data controller for the data it holds. All information and information systems within the Trust are stored on our secure network with appropriate security controls, which includes access controls, cyber security and assessments against all aspects of data security.  
  
  
• Data Protection Impact Assessments (DPIAs): DPIAs are completed for all new projects or changes to the way we process personal data to ensure that all potential risks have been considered and addressed appropriately. These are signed off by the Senior Information Risk Owner and Caldicott Guardian before the project or change can continue. Details of DPIAs completed can be obtained from the Trust’s Information Governance Team using the contact details below:  

Email: uhdb.dataprotectionofficer@nhs.net  

Telephone: 07500 052642 or 07384 914130

Postal address: Information Governance, Level 3, Maternity and Gynaecology Block, Digital and Data Services, Royal Derby Hospital, Uttoxeter Road, Derby, DE22 3NE

Training

Staff are trained to understand their responsibilities regarding the security and confidentiality of patient information, and that access is on a strictly need to know basis. They must update this mandatory training on an annual basis.

Audit trails

Records are available to show who accessed what information. Routine and random audits take place to ensure access in appropriate. Any inappropriate access identified will be dealt with through the Trusts’ disciplinary process.

CCTV

Security cameras are installed at various locations within this Trust to prevent and detect crime and for the protection of staff, visitors and patients and their property.  Our security staff are also equipped with body worn cameras, which are only activated if they need to record a violent or aggressive incident. Signage about CCTV is posted around the entrances and will be visible on all officers carrying body worn cameras.

Retention of your data

We will retain your information in line with the requirements of the NHS England Transformation Directorate Records Management Code of Practice. This document follows current legal requirements and best practices.  

Access NHS England website for records management code of practice (opens in new window) > 

National data opt out -Your Choice About How We Use Your Information

What is the National Data Opt‑Out?

This opt‑out applies only where your information would otherwise be used in a form that could identify you.

Your care is not affected

Your decision will not affect your direct care or treatment in any way. Doctors, nurses, and other healthcare professionals will always have access to the information they need to provide you with safe and effective care.

How we use your information

We may use your confidential patient information, or share it securely with other NHS organisations and approved partners, for:

• Planning and improving NHS services
• Monitoring quality and safety
• Public health purposes
• Approved research

Where the National Data Opt‑Out applies, we will respect your choice and ensure your information is not used for these purposes if you have opted out.

When the opt‑out does not apply

The National Data Opt‑Out does not apply where:

• Information is used for your direct care
• Information is anonymous and cannot identify you
• There is a legal requirement to share information (for example, safeguarding or public health emergencies)
   

How to make or change your choice

You can set or change your National Data Opt‑Out choice at any time:

• Access NHS website to choose if data from your health records is shared for research and planning (opens in new window) >
• Telephone: 0300 303 5678
• Using the NHS App

Your choice applies across the NHS in England.

Access NHS Digital website for information about the National Data Opt-out Policy (opens in new window) >

Your rights

Unless subject to an exemption under legislation, you have the following rights with respect to your personal data:

• Your right of access: you have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. Access Information Commissioner's Office website for information on your right of getting copies of your information (opens in new window) >
  
  
• Your right to rectification: you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. Access Information Commissioner's Office website for information on your right to get your data corrected (opens in new window) >
  
  
• Your right to erasure: you have the right to ask us to erase your personal information in certain circumstances. Access Information Commissioner's Office website for information on your right to get your data deleted (opens in new window) >
  
  
• Your right to the restriction of processing: you have the right to ask us to restrict the processing of your information in certain circumstances. Access Information Commissioner's Office website for information on your right to limit how organisations use your data (opens in new window) > 
  
  
• Your right to object to processing: you have the right to object to processing. Access Information Commissioner's Office website for information on the right to object to the use of your data (opens in new window) > 
  
  
• Your right to data portability: this only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. Access Information Commissioner's Office website for information on your right to data portability (opens in new window) >

If you believe that we have not complied with your data protection rights, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent authority set up to uphold information rights.  

Contact the Information Commissioner's Office (ICO)

Access the Information Commissioner's Office website (opens in new window) >

Telephone: 0303 123 1113 or use the live chat service on the ICO website

Postal address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Key contacts

Email: uhdb.dataprotectionofficer@nhs.net

Telephone: 07500 052642 or 07384 914130

Postal address: Information Governance, Level 3, Maternity and Gynaecology Block, Digital and Data Services, Royal Derby Hospital, Uttoxeter Road, Derby, DE22 3NE

Changes to the privacy notice

We may update this privacy notice to reflect changes in our data processing practices or legal requirements. Updates will be posted on our website, and it is encouraged that you review this notice periodically. 

Effective from March 2025

University Hospitals of Derby and Burton (UHDB) NHS Foundation Trust collects and uses personal data when delivering care to patients across Derbyshire, Staffordshire and surrounding areas.  

Personal information means any information that can identify you. For example, name, home address and date of birth.  

If you need help understanding this policy, please ask your parents or guardians.

What information do we collect?

We may collect certain personal data about you, including but not limited to:

• Your name, age and consent details. Consent means agreeing to something and we will check what information you want us to collect about you and who it may be shared with.
  
  
• Information about you and your health, such as how you are feeling and what medications you may be taking.
  
  
• Details about your visits to hospital and the staff involved in your care. 

Why do we collect your information?

It is important that we collect information about you to:

• ensure you get the right care and treatment
  
  
• inform clinical staff of your health needs 
  
  
• keep track of your health records.

How do we use your information?

To provide you with the appropriate and best care possible we may:

• Look at how we can improve what we do at our hospitals.
  
  
• Share your information with other health professionals with our hospitals or neighbouring organisations if needed for your treatment.

Who can see your information? 

Only those involved in your care, such as your doctor, nurse or members of their team, will see your information. We may need to share your information with other healthcare professionals or hospitals, but only it's needed for your care.

How do we keep your information safe?

Our Trust takes great care to keep your information private and secure. We use secure systems to ensure staff are properly trained and control access to your data based on job roles.

Your rights

You or your parents/guardians have the right to:

• ask to see the information we have recorded about you
  
  
• request us to correct mistakes
  
  
• say no to us using your information in certain ways

Contact us

If you have any concerns or questions, please ask your parents or guardians to email uhdb.dataprotectionofficer@nhs.net  

Changes to this privacy notice

We regularly review and update this notice to reflect changes in our practices or the legal landscape. The most current version is always available on our website. 
If you have any concerns or questions about your information and how we use it, please talk to your parents or guardians.  

Effective from March 2025

At University Hospitals of Derby and Burton (UHDB) NHS Foundation Trust, we prioritise the privacy and confidentiality of your personal information.

This patient privacy notice outlines how we collect, use, share, and protect patient's personal data in the context of healthcare services. It complies with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

For broader data protection practices that apply to all data subjects within the organisation, please access the general privacy notice.

This notice specifically addresses the handling of patient data within our Trust.

Types of personal data we collect

We hold a range of information about our patients, including:

• Personal identifiers: such as names, date of birth and NHS number
  
  
• Personal characteristics: including ethnicity and gender, which are necessary for ensuring equitable care
  
  
• Contact details: home address, telephone numbers and email addresses (used for communication about your care)
  
  
• Family details: information about your next of kin, vital for emergencies and necessary communications regarding your care
  
  
• Health information: detailed records of your medical history, including referrals, diagnoses, treatment plans, and results from investigations like scans, x-rays, and pathology tests. 

 
Purposes of processing your personal data

We process your information for several key purposes:

• To provide and manage care: your data is essential for administering your treatment, managing your healthcare needs, and ensuring that all healthcare professionals involved in your care have access to necessary information.
  
  
• To communicate with you: we use your contact details to send you appointment reminders, treatment updates and other important communications regarding your care.
  
  
• For operational management: your data is used in clinical audits, health research, and patient feedback initiatives to continuously improve our services and ensure patient safety.
  
  
• For legal and regulatory compliance: we process your data to fulfil legal obligations, such as mandatory disease reporting, compliance with health regulations, and responding to requests from regulatory bodies. 

 
How we share your information

• Within the healthcare system: we may share your data with GPs, specialists, and other healthcare providers involved in your care to ensure that you receive integrated and effective treatment.
  
  
• For research and planning: in certain cases, we may use your data in an anonymised or pseudonymised form for research and statistical purposes. This helps improve healthcare services while ensuring your privacy.
  
  
• Legal and regulatory requirements: your information may be shared with public health authorities or other regulatory bodies when required by law.

Shared care records

To improve the quality and efficiency of your care, we may share your health information within regional shared care records systems. This enables faster access to your health records across different healthcare organisations, ensuring timely and appropriate treatment. You can object to this sharing under certain conditions, but doing so may limit the efficiency and effectiveness of your care.

If you view or manage your hospital appointments, test results, letters, questionnaires, or care plans via the NHS App, UHDB shares your data with NHS England, who operate the NHS App and provide this functionality, known as NHS Wayfinder services.

For more information, see the NHS Wayfinder services > privacy policy.

Legal basis for processing

Under UK GDPR, we must have a lawful basis for processing your personal data:

• Public task: the majority of our processing activities are necessary for the performance of tasks carried out in the public interest, especially within public health and healthcare services.
  
  
• Consent: we may seek your consent for specific uses of your data, particularly for non-standard treatments or when sharing your information with non-healthcare third parties.
  
  
• Legal obligations: we process your data to comply with legal requirements, such as disease control, public health duties, and statutory obligations.

Your rights under data protection law

As a patient, you have the following rights under UK GDPR and the Data Protection Act 2018:

1. Right to be informed: you have the right to know how your personal data is being collected, used, and shared. This notice is intended to keep you informed of these practices.
2. Right of access: you can request access to your personal data, including your health records. Access may be restricted if it could cause serious harm to you or others, or if it infringes on the rights of others mentioned in your records.
3. Right to rectification: if you find that your personal data is inaccurate or incomplete, you have the right to have it corrected. We will address your request, but some exceptions may apply, such as when correcting data could lead to medical inaccuracies.
4. Right to erasure (‘right to be forgotten’): you can request the deletion of your personal data, but this right is limited in healthcare due to our obligation to retain medical records for specific periods to ensure continuity of care.
5. Right to restrict processing: you can request that we limit the processing of your data in certain circumstances, such as when you dispute its accuracy or object to its use. However, this may not be possible if the data is necessary for your ongoing care.
6. Right to data portability: you can request to receive your personal data in a structured, commonly used, and machine-readable format. This right typically does not apply to medical records as they are processed based on public interest and legal obligations.
7. Right to object: you can object to certain types of data processing, such as direct marketing. In healthcare, you may object to the use of your data for purposes beyond your direct care. However, if the processing is necessary for public health tasks or legal obligations, your objection may not be upheld.
8. Rights related to automated decision-making and profiling: you have the right not to be subject to decisions made solely based on automated processing that significantly affect you. In healthcare, while automated systems may assist in clinical decisions, they are always supported by professional clinical judgement. 

To exercise any of these rights, please contact our Data Protection Officer: 

• Email:  uhdb.dataprotectionofficer@nhs.net  
• Telephone: Phone: 07500 052642
• Postal address: Information Governance, Level 3, Maternity and Gynaecology Block, Digital and Data Services, Royal Derby Hospital, Uttoxeter Road, Derby DE22 3NE 

If you are not satisfied with how we handle your request, you can lodge a complaint with the Information Commissioner’s Office (ICO):

Access the Information Commissioner's Office website (opens in new window) >

Telephone: 0303 123 1113 or use the live chat service on the ICO website.

Postal address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

How long we keep your information

We retain your personal data for as long as necessary to provide healthcare services and as required by law. For example, adult health records are typically retained for at least eight years after your last treatment. Some records may be kept longer depending on specific legal or clinical needs.

How we protect your information

Your information is stored securely, whether in electronic systems, paper records, or other formats. We use appropriate technical and organisational measures to protect your data from unauthorised access, disclosure, alteration, or destruction.

Updates to this notice

We regularly review and update this notice to reflect changes in our practices or the legal landscape. The most current version is always available on our website. 
 

Effective from March 2025

University Hospitals of Derby and Burton (UHDB) NHS Foundation Trust, collects, stores and processes personal information about prospective, current and former staff related to employment activities.

This privacy notice includes applicants, employees (and former employees), workers (including agency, casual, honorary and contracted staff), volunteers, trainees and those carrying out work experience.  

We recognise the need to treat our staff's personal and sensitive data in a fair and lawful manner, and no personal information held by Trust will be processed unless the requirements for fair and lawful processing can be met.

For information on how we manage data at the Trust, including patient data and non-employment related records, please view general privacy notice.

What types of personal and sensitive data we hold 

In order to carry out our activities and obligations as an employer, we handle data in relation to: 

• personal demographics (including gender, race, ethnicity, sexual orientation, religion) 
• contact details (names, addresses, telephone numbers and emergency contacts)
• employment records (professional membership, references and proof of eligibility to work in the UK and security checks) 
• bank details 
• pension details 
• medical information (physical health, mental health conditions, occupational health information)
• information relating to health and safety
• trade union membership 
• offences (including alleged offences), criminal proceedings, outcomes and sentences 
• employment tribunal applications, complaints, accidents, and incident details

Our staff are trained to handle your information correctly and protect your confidentiality and privacy. We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected or sold for direct marketing purposes. 

Purpose of processing data:

Staff administration and management (including payroll and performance) 

• Pensions administration 
• Business management and planning 
• Accounting and auditing 
• Accounts and records 
• Crime prevention and prosecution of offenders  
• Education 
• Health administration and services 
• Sharing and matching of personal information for national fraud initiative

We have a legal basis to process this data as part of your contract of employment (either permanent, temporary or working arrangements) or as part of our recruitment processes following data protection and employment legislation.  

Sharing your information

There are a number of reasons why we share information. This can be due to: 

• Obligations to comply with legislation
• Duty to comply any court orders which may be imposed.

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.

Use of third party companies 

To enable effective staff administration, University Hospitals of Derby and Burton NHS Foundation Trust may share your information with external companies to process your data on our behalf, in order to comply with our obligations as an employer. These companies are required to comply with data protection laws and implement adequate security measures.

Employee records: contracts administration (NHS Business Services Authority) 

The information which you provide during the course of your employment (including the recruitment process) will be shared with the NHS Business Services Authority for maintaining your employment records, held on the national NHS Electronic Staff Record (ESR) system.

NHS streamlining

Details may be transferred from this Trust to other NHS Trusts to support the safe, efficient and effective transfer of staff information when a member of the workforce transfers from one NHS organisation to another NHS organisation. The personal data that is shared includes: name, address, date of birth, national insurance number, completed training and registration details.

Prevention and detection of crime and fraud

We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.  

We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you if there was a legal or statutory obligation. 

Your information rights under General Data Protection Regulations (GDPR) and UK Data Protection Law: 

• The right to be informed – you have the right to know what information we hold about you, what we use it for and if the information is shared, who it will be shared with, which we do through this privacy notice and patient leaflets.
  
  
• The right of access - for details about how to access your personal data, please visit the medical records page >
  
  
• The right to rectification – this is your right to have your personal data rectified if it is inaccurate or incomplete. If you believe that the information recorded about you is incorrect, you will need to tell us so that we are able to contact the person who entered the information. We will correct factual mistakes and provide you with a copy of the corrected information.   
  
  
• The right to erasure – this is also known as your ‘right to be forgotten’, where there is no compelling reason to continue processing your data in relation to the purpose for which it was originally collected or processed. 
• The Trust is required to retain your employment record in order to carry out activities and obligations as an employer and therefore cannot delete the record until it reaches the required NHS England's Records Management Code of Practice retention period.
  
  
• The right to restrict processing – this is your right to block or suppress the processing of your personal data. If you raise an issue that requires us to restrict processing, we will investigate your concerns. 
  
  
• The right to data portability – this is your right to obtain and re-use any information you have provided to us as part of an automated process. At present we do not process any personal data that meets this requirement. 
  
  
• The right to object – this is your right to object the processing of your data because of your particular situation. Due to our obligation as an employer, it is extremely rare that we would stop processing your data whilst you are still employed by the Trust. If you believe you have compelling grounds for us to stop processing your data, you should contact our Data Protection Officer.
  
  
• Rights in relation to automated decision making and profiling – GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. While the hospital may use automated systems to determine how well a patient is, it does not use automated decision making for the purpose of managing employment. 

Code of data matching practice

University Hospitals of Derby and Burton (UHDB) are required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for; auditing, or administering public funds, or location of a public function, in order to prevent and detect fraud.

The Cabinet Office is responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

We participate in the Cabinet Office’s National Fraud Initiative; a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise. Access GOV.UK website for information about the National Fraud Initiative collection (opens in new window) >  

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 2018.

Data matching by the Cabinet Office is subject to a Code of Practice. Access GOV.UK website for Code of Data Matching Practice for the National Fraud Initiative guidance (opens in new window) >

View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information (opens in new window) > 

For further information on data matching at (UHDB), please contact: 
Telephone: 07464 521746 
Email: daniel.mason15@nhs.net   

Retention of your data 

University Hospitals of Derby and Burton will retain your information in line with the Department of Health and Social Care Retention Schedule. If you have cause to make a complaint, please contact the Human Resource (HR) team. If you wish to discuss any other issues regarding your data, please contact: 

Email: uhdb.dataprotectionofficer@nhs.net
Telephone: 07500 052642 
Postal address: Information Governance, Level 3, Maternity and Gynaecology Block, Digital and Data Services, Royal Derby Hospital, Uttoxeter Road, Derby DE22 3NE

For employment references, please email uhdb.esrteam@nhs.net 

If you are still unhappy with the outcome of your enquiry, please contact:

Postal address: The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF 
Telephone: 0303 123 1113 or use the live chat service on the ICO website

Updates to this notice 

We regularly review and update this notice to reflect changes in our practices or the legal landscape. The most current version is always available on our website.