How UHDB protects people's data

Privacy notice

We are committed to the privacy of individuals using this website. The site does not collect any personal information about those using this site or track and log information about users. We do analyse the server log files which contain details of the Internet address (IP address) of computers using the site, pages looked at, the times of day and the type of web browser used. None of this information is linked to individuals.

All information provided via any of our forms is treated in the strictest confidence.

This privacy statement is just for this website.

For details of our privacy notices regarding the use and security of your information please see:

Privacy notice - general

University Hospitals of Derby and Burton NHS Foundation Trust recognises the importance of protecting personal and confidential information and is committed to ensuring that your privacy is protected. 

The law determines how organisations can use personal information.  This is covered within the General Data Protection Regulation (GDPR), UK Data Protection Law, the Human Rights Act, Common Law Duty of Confidentiality and other Health Service legislation.

In accordance with NHS guidance, the Trust has in place a:

  • Caldicott Guardian: an executive director who is responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing. 
  • Senior Information Risk Owner: an executive director with overall responsibility for information risk within the Trust. 

The General Data Protection Regulation requires the Trust to appoint a Data Protection Officer to facilitate compliance with the data protection legislation/requirements, act as an intermediary between relevant stakeholders and be the first point of contact for supervisory authorities.

The Data Protection Officer for UHDB Trust is: 

The Data Protection Officer for UHDB can be contacted:

This privacy notice is intended to inform you about:

  • the type of information we hold and how we use and manage that information
  • how we ensure that the confidentiality of personal/sensitive information is maintained
  • how and why we may share information with other NHS organisations and non-NHS organisations  

Definition of personal and sensitive data: 

  • Personal data is information about an identifiable living person such as name, address, telephone number, date of birth, email address, online identifiers, and credit card/bank details.  This includes, but is not limited to, written correspondence, emails, photographs, audio recordings and video recordings.
  • Sensitive data is special categories of personal data, i.e. data concerning health, ethnic origin, race, political opinion, religious beliefs, biometric and genetic data. 

How we protect your data and ensure confidentiality of information is maintained

All NHS organisations and everyone who works for the NHS or in partnership with them have a legal duty to keep information confidential and take great care with the security of information and records. 

Staff have a legal responsibility to maintain confidentiality and security of all the personal information we hold and ensure compliance with the Data Protection Law, the Caldicott Principles, the NHS Code of Confidentiality and the Human Rights Act.

The Trust is the Data Controller for the data it holds.  All information and information systems within the Trust are stored on our secure network with appropriate security controls, which include access controls, cyber security and assessments against all aspects of data security.

Data Protection Impact Assessments (DPIAs) are completed for all new projects or changes to the way we process personal data to ensure that all potential risks have been considered and addressed appropriately.   These are signed off by the Senior Information Risk Owner and Caldicott Guardian before the project or change can continue.  Details of DPIAs completed can be obtained from the Trust’s Information Governance Team using the contact details below.


Staff are trained to understand their responsibilities regarding the security and confidentiality of patient information and that access is on a strictly need to know basis. They must update this mandatory training on an annual basis.

Audit trails

Records are available to show who accessed what information.  Routine/random audits take place to ensure access is appropriate.  Any inappropriate access identified will be dealt with through the Trust’s Disciplinary Process.

The Information Commissioner’s Office maintains a public register of organisations that process personal identifiable data.  
The Trust’s registration number is Z8575998.


Security cameras are installed at various locations within this Trust to prevent and detect crime and for the protection of staff, visitors and patients and their property.  Our security staff are also equipped with body worn cameras which are only activated if they need to record a violent or aggressive incident.  Signage about CCTV is posted around the entrances and will be visible on all officers carrying body worn cameras.

Retention of your data

We will retain your information in line with the Department of Health Retention Schedule. Read more about the Information Governance Alliance (IGA) (opens in new window) >

National Data Opt Out

UHDB is compliant with the National Data Opt-out Policy. To find out more about the National Data Opt-out, please visit the NHS Digital website (opens in new window) >

Contact us for further information:

Privacy notice - patients

Here we explain what information we have about you and what we use it for.

What information we have about you

  • Name, date of birth, ID numbers
  • Home address, telephone number, email address
  • Family details
  • About your visits to our hospitals
  • About your health and treatment
  • Details of tests, scans, x-rays, etc.
  • Who your doctors and nurses are
  • What you say or write about your care

We will use your address and telephone number to contact you or your family about your care.

We follow NHS rules about how long to keep information for.

Why we keep information about you

We need a complete picture of you to make sure you get the best care for you.  Your information is only used by people caring for you.

Your information is used by doctors and nurses to:

  • Know about your health
  • Decide what care and treatment you need
  • Work together to care for you
  • Book appointments and send out reminders

Each time you come to see us we record information about that visit – things you tell us, things we tell you, any tests or medication. This allows us to look back and see what we have done for you to make sure you are getting the best treatment. 

We also use information to:

  • Make sure our services meet patients’ needs
  • Find out what you think about your care so we can make our services better
  • Look into concerns and complaints

Who we share your information with

We will write to your GP to let them know about your health and what we are doing for you.  We will provide your family member with a copy of these letters. We will share it with other people involved in your care who need to know.  We might share it with your school if we think it is important for them to know.

Sometimes we have to share information about a patient because the law tells us to. For example, when someone might be harmed, when a judge in a court tells us to, or if there is a special law about a disease.

More detail

You can read more about how we protect patient data by downloading patient privacy notice [pdf] 640KB (opens in new window) >

Contact details

If you have questions about how we use your information, you are unhappy, or you think your information may be incorrect you can talk to your doctor. You can also contact the Data Protection Officer:

If you are still unhappy about how we use your information you can write to:

The Information Commissioner
Wycliffe House
Water Lane

Telephone: 01625 545 700

Privacy notice - employment records

During the course of its employment activities, University Hospitals of Derby and Burton NHS Foundation Trust collects, stores and processes personal information about prospective, current and former staff.

This privacy notice includes applicants, employees (and former employees), workers (including agency, casual, honorary and contracted staff), volunteers, trainees and those carrying out work experience. 

We recognise the need to treat our staff’s personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.

What types of personal/sensitive data we hold 

In order to carry out our activities and obligations as an employer we handle data in relation to: 

  • Personal demographics (including gender, race, ethnicity, sexual orientation, religion) 
  • Contact details such as names, addresses, telephone numbers and emergency contact(s)
  • Employment records (including professional membership, references and proof of eligibility to work in the UK and security checks) 
  • Bank details 
  • Pension details 
  • Medical information including physical health or mental health conditions (occupational health information)
  • Information relating to health and safety 
  • Trade union membership 
  • Offences (including alleged offences), criminal proceedings, outcomes and sentences 
  • Employment Tribunal applications, complaints, accidents, and incident details

Our staff are trained to handle your information correctly and protect your confidentiality and privacy.  We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing.  Your information is never collected or sold for direct marketing purposes. 

Purpose of processing data:

  • Staff administration and management (including payroll and performance) 
  • Pensions administration 
  • Business management and planning 
  • Accounting and Auditing 
  • Accounts and records 
  • Crime prevention and prosecution of offenders 
  • Education 
  • Health administration and services 
  • Sharing and matching of personal information for national fraud initiative 

We have a legal basis to process this as part of your contract of employment (either permanent, temporary or working arrangements) or as part of our recruitment processes following data protection and employment legislation. 

Sharing your information

There are a number of reasons why we share information. This can be due to: 

  • Our obligations to comply with legislation
  • Our duty to comply with any Court Orders which may be imposed

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.

Use of Third Party Companies 

To enable effective staff administration University Hospitals of Derby and Burton NHS Foundation Trust may share your information with external companies to process your data on our behalf in order to comply with our obligations as an employer.

Employee Records: Contracts Administration (NHS Business Services Authority) 

The information which you provide during the course of your employment (including the recruitment process) will be shared with the NHS Business Services Authority for maintaining your employment records, held on the national NHS Electronic Staff Record (ESR) system.

NHS Streamlining

Details may be transferred from this Trust to other NHS Trusts to support the safe, efficient and effective transfer of staff information when a member of the workforce transfers from one NHS Organisation to another NHS Organisation.  The personal data that is shared includes: name, address, date of birth, national insurance number, completed training and registration details.

Prevention and Detection of Crime and Fraud

We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.  

We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation. 

Your information rights under the General Data Protection Regulation (GDPR)/UK Data Protection Law:

  • The right to be informed – you have the right to know what information we hold about you, what we use it for and if the information is shared, who it will be shared with, which we do through this privacy notice and patient leaflets.
  • The right of access - for details about how to access your personal data, please visit the medical records page >
  • The right to rectification – this is your right to have your personal data rectified if it is inaccurate or incomplete. If you believe that the information recorded about you is incorrect, you will need to tell us so that we are able to contact the person who entered the information.  We will correct factual mistakes and provide you with a copy of the corrected information.   
  • The right to erasure – this is also known as your ‘right to be forgotten’, where there is no compelling reason to continue processing your data in relation to the purpose for which it was originally collected or processed. 
  • The Trust is required to retain your employment record in order to carry out activities and obligations as an employer and therefore cannot delete the record until it reaches the required DoHSC retention period.
  • The right to restrict processing – this is your right to block or suppress the processing of your personal data. If you raise an issue that requires us to restrict processing, we will investigate your concerns. 
  • The right to data portability – this is your right to obtain and re-use any information you have provided to us as part of an automated process.  At present we do not process any personal data that meets this requirement. 
  • The right to object – this is your right to object to the processing of your data because of your particular situation.  Because of our obligation as an employer it is extremely rare that we would stop processing your data whilst you are still employed by this Trust. If you believe you have compelling grounds for us to stop processing your data you should contact our Data Protection Officer.
  • Rights in relation to automated decision making and profiling – GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. While the hospital may use automated systems to determine how well a patient is, it does not use automated decision making for the purpose of managing employment.

Code of Data Matching Practice

This organisation is required [by law] to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

The Cabinet Office is responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed on the GOV.UK website (opens in new window) >

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 2018.

Data matching by the Cabinet Office is subject to a Code of Practice. Visit GOV.UK website for further information (opens in new window) >

View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information (opens in new window) >. For further information on data matching at this organisation please contact Daniel Mason on 07464 521746 or email

Retention of your data

We will retain your information in line with the Department of Health and Social Care Retention Schedule. If you have cause to complain please contact the Human Resource Department. If you wish to discuss any other issues regarding your data the contact details are:

Information Governance
Level 3 M&G
Royal Derby Hospital
Uttoxeter Road
DE22 3NE


Telephone:  01332 788645 

For employment references please email

If you are still unhappy with the outcome of your enquiry you can write to: 

The Information Commissioner
Wycliffe House
Water Lane

Telephone: 01625 54570

Privacy notice - COVID-19

Date of issue: July 2022

This notice describes how we may use your information to protect you and others during the COVID-19 outbreak. It has been produced to supplement our current privacy notices which can be found lower on this page.

This notice has been significantly updated in 2022 after a change to the law. The Covid-19 and Coronavirus Testing privacy notices were first written when the emergency response began in 2020.

Organisations that existed in 2020 have also changed. NHSX merged with NHS England and Improvement and NHS Digital. Public Health England is now the UK Health Security Agency.

Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health.

A notice about the national Covid19 testing program can be found here: access GOV.UK website for Coronavirus (COVID-19) testing privacy information (opens in new window) >

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency was used during the first two years of Covid19. These were withdrawn on 30 June 2022. You can read more about them here: access GOV.UK website for Coronavirus (COVID-19): notification to organisations to share information (opens in new window) >

The continuing use of personal or confidential data about Covid19 rests on other lawful bases.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

If you require to see archived versions of the Covid-19 privacy notice, please contact

Privacy notice - Occupational Health

This privacy notice explains how Occupational Health Services (OHS) at University Hospitals of Derby and Burton NHS Foundation Trust processes your personal data and your rights in relation to the personal data we hold.

Cookie policy

How we use cookies

A cookie is a small file which is placed on your computer’s hard drive and can help analyse web traffic. Cookies can enable web applications to tailor their operations to your needs, likes and dislikes by gathering and remembering information about your preferences. However, the University Hospitals of Derby and Burton website does not do this.

We do use traffic log cookies to identify which pages are being used. This helps us to improve our website, making it better for users. We only use this information for statistical analysis purposes.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. 

You can choose to accept or decline cookies on your web browser. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer; see the section below, ‘How to control and delete cookies’.


Cookies used by this site

Google Analytics

Cookies are used for statistical analysis purposes.


YouTube cookies

This site does have some YouTube videos embedded. These videos are privacy enabled, which means they don’t load the cookie unless you watch the video.

How to control and delete cookies

University Hospitals of Derby and Burton NHS Foundation Trust will not use cookies to collect personally identifiable information about you. However, if you wish to restrict or block the cookies on this site, or indeed any other website, you can do this through your browser settings. The Help function within your browser should tell you how.

You may wish to visit which contains comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your computer (including those from this visit) as well as more general information about cookies. For information on how to do this on the browser of your mobile device you will need to refer to your handset manual.

Read a guide to controlling and deleting cookies (opens in new window) >




While we have tried to compile accurate information on this site and within our mobile applications, and to keep it updated, we cannot guarantee that it is 100% complete or correct.

The information provided on this site and within our mobile applications does not constitute professional advice and is subject to change.



We cannot guarantee uninterrupted access to this website or our mobile applications, or the sites they link to. We cannot accept responsibility for any damages which arise from the loss of use of this information.



If our website disclaimer, copyright notice or privacy notice change, we will post the changes to the respective pages so you are aware of any new developments.