Data Protection

We recognise the importance of protecting personal and confidential information in all that we do, and take care to meet our legal and other duties. By issuing this privacy information, we demonstrate our commitment to openness and accountability.

Please see our Information Use Framework Policy

Information sharing during the COVID-19 pandemic

Please be aware that during the COVID-19 pandemic the Royal Cornwall Hospitals Trust will be working closely with the Cornwall Partnership NHS Trust, the Kernow Commission Group, Cornwall Council, private providers of healthcare e.g. Duchy Hospital and possibly other organisations to provide the best care we can.

To achieve this, each organisation will be sharing more information about our patients than ever before, to ensure we can identify the most vulnerable, provide joined-up healthcare and support each other so that there is no disruption of service if staff become unwell.

Our legal basis to do so is as follows:

General Data Protection Regulation (GDPR)

The GDPR allows information to be shared for individual care, planning and research. Where health and care information (which would be classed as special category data) is shared for either individual care or to help tackle the disease through research and planning then the relevant Article 6 conditions (official authority, compliance with a legal obligation, public interest and on occasions vital interests) and Article 9 conditions (substantial public interest, the delivery of health and care, vital interests or for public health purposes and scientific research) should be relied on as applicable to the situation.

Control of Patient Information Regulation 2002

Individual healthcare organisations, arm’s length bodies (except NHS Digital and NHS England and NHS Improvement, which have been separately notified) and local authorities have been given legal notice under this regulation to support the processing and sharing of information to help the COVID-19 response.

Health and Social Care (Safety and Quality) Act 2015

Duty to share information
This duty is set out in Part 9 of the Health and Social Care Act 2012 (health and adult social care services: information).

Summary of GDPR/DPA 2018

General Data Protection Regulation

The new Regulations are designed to harmonise data privacy laws across Europe, to protect and empower data subjects by giving you more choice about what is done with your data, and to make organisations more accountable.
Under this new Regulation you have the following rights.

  1. right of access to your data, free of charge, within 30 days, unless the request is considered complex or excessive. An extension of an additional 60 days could be applied, but we will inform you of this.
  2. right to rectification: when personal data are inaccurate, the right to request that the data are rectified. This may not always be possible; we can, however, note your concerns or objections.
  3. right to erasure, or right to be forgotten, although we would not delete health or personnel records as there is a legal reason to keep them.
  4. right to restriction of processing: simply said, the right of the data subject to limit the processing of his/her personal data.
  5. right to be informed: the right to be told what we do with your data, the legal basis for processing it and what future uses we may wish to make of it.

If you need more information about this, refer to the Information Commissioner’s website or contact us and we will be glad to help.

Email us at rch-tr.infogov@nhs.net.

Why have we issued this privacy notice for our patients, staff and service users?

We recognise the importance of protecting personal and confidential information in all that we do. We take care to meet our legal and other duties, including compliance with the following:

  • General Data Protection Regulation 2018
  • Human Rights Act 1998
  • Access to Health Records Act 1990
  • Freedom of Information Act 2000
  • Health and Social Care Act 2012, 2015
  • Public Records Act 1958
  • Copyright Design and Patents Act 1988
  • Re-Use of Public Sector Information Regulations 2004
  • Computer Misuse Act 1990
  • Common Law Duty of Confidentiality
  • NHS Care Records Guarantee for England
  • Social Care Records Guarantee for England
  • International Information Security Standards
  • Information Security Code of Practice
  • Records Management Code of Practice for Health & Social Care 2016
  • Accessible Information Standards

Legal basis for processing information

Your information could be collected in a number of different ways. This might be from a referral made by your GP or another healthcare professional you have seen, or perhaps directly from you – in person, over the telephone or on a form you have completed.

Our legal reasons for processing your health information are set out within the Articles of the General Data Protection Regulation and are listed below.

6(1)(a) ‘…the data subject has given consent to the processing of his or her personal data for one or more specific purposes’

  • Consent from Patients to use their data
  • Consent from Staff to use their data
  • Consent from Volunteers to use their data
  • Consent from those donating to charities to use their data
  • Consent from Trust members to be contacted regarding Trust activities.

6(1)(b) ‘…processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;’

  • Used to provide services to staff members with information about their employment.
  • Used to manage contracts of employment.

6(1)(c) ‘…processing is necessary for compliance with a legal obligation to which the controller is subject;’

  • Commissioning
  • Planning
  • Confidential information provided to NHS Digital with legal mandate under directions and disseminated to commissioners as pseudonymised personal data

6(1)(d) ‘…necessary in order to protect the vital interests of the data subject or of another natural person’
6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

  • To treat patients.
  • To conduct research (does not rely on consent, although consent may be sought)
  • To conduct business of the Trust other than that of its core function (treatment of patients)

6(1)(f) ‘…processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

  • Can be used for the transfer and sharing of staff data.

9(2)(a) ‘…the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;’
9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment and social protection law…’ (Safeguarding)

  • Used for purposes of processing staff data.
  • Safeguarding children and adults

9(2)(c) ‘…processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent’. This condition is met if:

  • the processing is necessary to protect the vital interests of an individual, and
  • the data subject is physically or legally incapable of giving consent.

9(2)(d) ‘…processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;’
9(2)(e) ‘…processing relates to personal data which are manifestly made public by the data subject;’
9(2)(f) ‘…processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;’

  • Provided to Trust’s solicitors in defence of the Trust and those that are employed by it.
  • Provided to patient solicitors on request (although 9(2)(a) would have been applied)

9(2)(g) ‘…processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;’
9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

  • Provision of direct care to patients within the Trust
  • Sharing of healthcare data with other organisations for direct care purposes
  • To support activities relating to the management of healthcare services

9(2)(i) ‘…processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;’
9(2)(j) ‘…scientific or historical research purposes or statistical purposes…’. This covers the provision of direct healthcare and administrative purposes such as:

  • waiting list management
  • performance against national targets
  • activity monitoring
  • production of datasets to submit for commissioning purposes
  • Used for Research
  • Used to add data to national registers
  • Used for Clinical Audit

There may also be times when information is collected from your relatives or next of kin – for example, if you are taken to one of our departments but you are unconscious or unable to communicate.

Guidance for patients and service users

The staff caring for you do not need your consent to record information about your care and treatment. This is because there are important medical and legal reasons why it is necessary for health and care records to be kept. The law requires all organisations to make information readily available to you that explains this. This will include the legal reasons for keeping health and care records, how and why information will be used, who might be able to access information, and your rights in relation to those records. 

In most circumstances health and care staff will rely upon consent as the basis for accessing and using confidential patient information. This should not be confused with an individual right in Data Protection law. Consent can be implied or explicit.

Implied consent: if your confidential patient information is accessed and used for your individual care then your consent is implied, without you having to explicitly say so. This is because it is reasonable for you to expect that relevant confidential patient information will be shared with those caring for you on a need-to-know basis. If you wish to withdraw consent for information about you to be used to support your individual treatment, you should let your health and care professional know. This may mean that it isn’t possible to continue providing you with care or treatment, but your health and care professional will explain this to you.

Explicit consent: if your confidential patient information is used for purposes beyond your individual care, for example a research project, then it will normally be necessary for staff to obtain your explicit consent. This is a very clear and specific statement of consent. It can be given in writing, verbally or through another form of communication such as sign language. 

As stated in the NHS Constitution for England you have the following rights about how your confidential patient information is used beyond your own individual care:

  • To request that confidential information is not used beyond your individual care
  • Where your wishes cannot be followed by health and care staff, to be told the reasons why, including the legal basis; and
  • For objections to information sharing to be considered by health and care organisations

Common law duty of confidentiality

The law relating to consent is complex and often leads to confusion. ‘Common law’ is a form of law based on previous court cases decided by judges. It is not written out in one document like an Act of Parliament. Common law is also referred to as ‘judge-made’ or case law and is said to be based on precedent.

The common law duty of confidentiality states that confidential patient information cannot be disclosed without the patient’s consent. As set out above, for individual care you can rely on implied consent. For purposes beyond individual care, in most cases you need to obtain explicit consent to disclose confidential patient information.

Information can only be disclosed without consent if one of the following applies:

  • you have obtained support from the Confidentiality Advisory Group (CAG) under section 251 of the NHS Act 2006. The CAG aims to protect and promote the interests of patients and the public, while at the same time facilitating appropriate use of confidential patient information for purposes beyond individual care.  CAG support under section 251 enables the common law duty of confidentiality to be lifted for a period of time, subject to review, so that confidential patient information can be used without breaching the duty of confidentiality
  • there is a legal requirement – examples of where information is required by law include court orders, where the Care Quality Commission requires documents as part of its powers of inspection, or where NHS Digital collects information when directed by the Secretary of State for Health and Social Care or NHS England
  • there is an overriding public interest – disclosure decisions in the public interest must be assessed on a case-by-case basis. You must consider whether the disclosure is sufficiently necessary to override an individual’s right to confidentiality and this must be weighed up against the public interest in maintaining a confidential health service

What information do we collect?

The information that we collect about you may include details such as:

  • Name, address, telephone, email, date of birth and next of kin
  • Any contact we have had with you through appointments, attendances and home visits
  • Details and records of treatment and care, notes and reports about your health, including any allergies or health conditions
  • Results of diagnostic testing e.g. x-rays, scans, blood tests, etc
  • Other relevant information from people who care for you and know you well, such as health professionals, relatives and carers.
  • Alerts specific to you, which the Trust uses to help clinicians when treating you.

We may also collect other information about you, such as your sexuality, race or ethnic origin, religious or other beliefs, and whether you have a disability or require any additional support with appointments (like an interpreter or advocate in line with your rights under the Accessible Information Standard).

Why do we collect your information?

We collect personal and confidential information about you to support the delivery of appropriate healthcare and treatment. In order to provide you with high quality care, we must keep records about you, your health and the care that we provide, or plan to provide, to you. It is important for us to have a complete picture, as this information enables us to provide the right care to meet your individual needs.

We collect relevant information about staff members in order to fulfil our obligations as an employer and to assist in the administration of your employment. This will include a Personnel file containing such things as sickness records, performance reviews and contracts of employment. We will also collect information to ensure we are able to pay you, manage your pension contributions and other necessary tasks.

How do we keep your information safe and maintain confidentiality?

Under the Data Protection Act 2018, strict principles govern our use of information and our duty to ensure it is kept safe and secure. Your information may be stored within electronic or paper records, or a combination of both. All our records are restricted so that only those individuals who have a legitimate right to access the information can get access. This might be through the use of technology or other environmental safeguards.

Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.
Under the NHS Confidentiality Code of Conduct, all of our staff are required to protect information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.

Every NHS organisation has a senior person that is responsible for protecting the confidentiality of your health information and enabling appropriate sharing. This person is known as the Caldicott Guardian, and within our Trust this role sits with an appropriately trained senior Consultant.

The Trust has a Senior Information Risk Officer (Director of Integrated Governance). They are the most senior person in the Trust with responsibility for managing risks to the information we process.

How do we use your information and why is this important?

We use your information to ensure that:

  • The right decisions are made about your care
  • Your treatment is safe and effective; and
  • We can work well with other organisations that may be involved in your care

This is important because having accurate and up-to-date information will assist us in providing you with the best possible care. It also ensures that all information is readily available if you see another health professional or specialist within our trust or another part of the NHS.

There is also the potential for your information to help improve health care and other services across our trust and the wider NHS. Therefore, your information may also be used to help with:

  • Ensuring that our services can be planned to meet the future needs of patients
  • Reviewing the care provided to ensure it is of the highest standard possible, improving individual diagnosis and care
  • Evaluating and improving patient safety
  • Training other healthcare professionals
  • Conducting clinical research and audits, and understanding more about health risks and causes in order to develop new treatments
  • Preparing statistics on NHS performance and monitoring how we spend public money
  • Supporting the health of the public
  • Evaluating Government and NHS policies

Do we share your information with anyone else?

To help provide you with the best possible care, sometimes we will need to share your information with others. However, any sharing of information will always be governed by specific rules and laws. We may share your information with a range of health and social care organisations (which include private healthcare providers) and regulatory bodies. You may be contacted by any one of these organisations for a specific reason, and they will have a duty to tell you why they have contacted you.

Sharing with other organisations

We work with a number of other NHS organisations, private healthcare providers, independent treatment centres and clinics to provide you with the best possible care. To support this, your information may be securely shared.

Where the sharing involves a non-NHS organisation, a specific information sharing agreement is put in place to ensure that only relevant information is shared and this is done securely in a way which complies with the law.

The Cornwall and the Isles of Scilly Health and Social Care Partners are working to maximise the benefits patients receive from the health and social care providers in Cornwall. To achieve this, we may at times engage external private organisations to help us meet this challenge.

For example, we have engaged Newton Europe to help us deliver the Embrace Care programme.

The Embrace Care programme is focussed on delivering better health and care outcomes for over 65s at risk of hospital admission, or who have been admitted to hospital. It allows the system to deliver an integrated and local-focussed community offer while supporting better outcomes for the older people of Cornwall and the Isles of Scilly.

Unless there are exceptional circumstances (such as a likely risk to the health and safety of others) or a valid reason permitted by law, we will not disclose any information to third parties which can be used to identify you without your consent.

Mandatory information sharing

Sometimes we are required by law to disclose or report certain information which may include details which identify you. However, this is only done after formal authority by the Courts or by a qualified health professional. This may include reporting a serious crime or identification of an infectious disease that may endanger the safety of others. Where this disclosure is necessary, only the minimum amount of information is released.

There may also be occasions when the trust is reviewed by an independent auditor, which could involve reviewing randomly selected patient information to ensure we are legally compliant.

There are other statutory bodies to which we are required to provide your information; these include:

  • Parliamentary Health Service Ombudsman
  • Care Quality Commission
  • General Medical Council
  • Police (in certain situations only such as Terrorism or serious crime)

How long do we retain your records?

We retain your records in line with the Records Management Code of Practice for Health and Social Care 2016, which sets out the appropriate length of time each type of NHS record is retained. We do not keep your records for longer than necessary.
All records are appropriately reviewed once their retention period has been met, and the Trust will decide whether the record still requires retention or should be confidentially destroyed. All decisions and destructions will be documented.

Please refer to our policy to manage information and records for further information.

Clinical training, research and audit

Some health records are needed to teach student clinicians about rare cases and diseases. Without such materials, new doctors and nurses would not be properly prepared to treat you and others. It is also possible that individuals, such as student nurses, medical students and healthcare cadets, are receiving training in the service that is caring for you. If staff would like a student to be present, they will always ask for your permission, and you have the right to refuse without this affecting the care or treatment that you are receiving.

We also undertake clinical research and audits within the trust, and your permission may be required for some of this work. If you agree to be involved, a full explanation will be given and your consent will be obtained before proceeding. Your consent may not be required if the information being used has been anonymised. This means that it cannot be used to identify an individual person.

National Audit Programmes

The RCHT provides information about you to national programmes to support audit. In most cases your information is anonymised, so no identifiable information will be shared about you. If we were required to supply your identifiable data, we would comply with your wish to opt out as recorded by you via the NHS service ‘Make your choice about sharing data from your health records’ (www.nhs.uk).

There are a number of national programmes where the Government has granted a Section 251 provision which means the Opt-Out does not apply and the requirements of the Common Law Duty of Confidentiality are set aside without us being in breach of your rights. You can however request that we do not share your information.

The National Programmes where the Opt-Out does not apply are:

  • National Cardiac Audit Programme
  • Intensive Care National Audit and Research Centre (ICNARC)
  • National Early Inflammatory Arthritis Audit (NEIAA)
  • National Hip Fracture Database
  • Maternal mortality surveillance and confidential enquiry – MBRRACE
  • National Perinatal Mortality Review Tool – MBRRACE
  • National Joint Registry
  • National Emergency Laparotomy Audit (NELA)
  • Paediatric Intensive Care Audit Network Database (PICANet)
  • LeDeR – learning from lives and deaths of people with a learning disability and autistic people – NHS England
  • National Neonatal Audit Programme (NNAP)
  • National Maternity and Perinatal Audit (NMPA)
  • Out of Hospital Cardiac Arrest Outcomes (OHCAO) Registry
  • National Vascular Registry (NVR)
  • National Bariatric Surgery Registry
  • National Haemophilia database – UKHCDO
  • UK National Flap Registry
  • Bardet-Biedl Syndrome Registry
  • National Surveys
  • Under 16 Cancer patient experience survey
  • National Confidential Inquiry into Suicide and Safety in Mental Health (NCISH)
  • UK Renal Registry
  • NHSBT Potential Donor Audit
  • Invoice Validation for Controlled Environment for Finance
  • Assuring Transformation
  • National Drug & Alcohol Treatment Monitoring System (NDTMS)
  • Biliary Atresia Registry
  • Sentinel Stroke National Audit Programme
  • The Manchester Self Harm Project (MASH)

Do you have the right to withhold or withdraw your consent for information sharing?

You have the right to refuse (or withdraw) consent to information sharing at any time. This is also referred to as ‘opting out’. If you choose to prevent your information from being disclosed to other authorised professionals involved in your care, it might mean the care that can be provided is limited and, in certain circumstances, it may not be possible to offer certain treatment options. Should this situation occur, the possible consequences of withholding your consent will be fully explained to you at the time.

You also have the right to ‘opt out’ of having your information used in any mandatory audits which the Trust is subjected to. If this is the case, you should write to our Information Governance team with your name, address, date of birth and hospital number or NHS number.

You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used: for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.

To find out more or to make your choice visit www.nhs.uk/your-nhs-data-matters or call 0300 303 5678.

The Trust’s use of Artificial Intelligence

The RCHT benefits from the use of Artificial Intelligence (AI) solutions in assisting clinicians in delivering high-quality care. These AI solutions help clinicians interpret scans and help to determine levels of radiotherapy or drug therapies, to name but a few of their uses. They do not independently determine how a patient will be cared for; that is decided solely by the clinician.

The Trust does not use AI in any of its care pathways to independently decide your care. If that were to change, we would ensure our patients were informed of this beforehand, as they would have the right to object to it under UK GDPR.

How can you get access to the information that we hold about you?

Under the terms of the Data Protection Act 2018 and the General Data Protection Regulations 2018, you have the right to request access to the information that we hold about you.

Request for access to medical records forms

Can we charge a fee?

In most cases we will not charge a fee to comply with a subject access request.

However, where the request is manifestly unfounded or excessive we may charge a “reasonable fee” for the administrative costs of complying with the request.

We may also charge a reasonable fee if an individual requests further copies of their data following a request. The fee will be based on the administrative costs of providing further copies.

How long do we have to comply?

We must act on the subject access request without undue delay, which will usually be within one month of receipt. Where the request is considered complex or excessive, we can apply an extension of a further 60 days; if this is the case, we will inform you.

The time will be calculated from the day after we receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.

If the corresponding date falls on a weekend or a public holiday, we have until the next working day to respond.

For practical purposes the Trust will aim to provide the information within 28 days, to ensure compliance is always within a calendar month.

Please be advised that the request will not be processed until the Royal Cornwall Hospitals NHS Trust (RCHT) is satisfied of the identity of the person making the request and has received the identification described below.

The Trust Policy is that we must have at least two types of identity validation prior to providing access to, or disclosing, personal identifiable information.

If you are making a request on behalf of another person: we would require ID from both parties.

Therefore, could you please provide two of the following (one of which must be photographic identification):

  • Copy of valid passport
  • Copy of current driving licence
  • Copy of paid utility bill

Any documentation will be considered on an individual basis but may not be accepted.
Unfortunately we will not be able to process your request until we are in possession of this information.

If you want to see the health records of someone who has died, this is facilitated under the Access to Health Records Act 1990. The Access to Health Records Act 1990 and the common law protect the confidentiality of patients even after they have died. For this reason, deceased patients’ records can only be disclosed in limited circumstances.

Request for Access to Health Records AHRA

You can request information or an application form by one of the following means:

How can you contact us with queries or concerns about data protection?

If you have any queries or concerns regarding the information that we hold about you or you have a question regarding this privacy notice, please contact our Information Governance team:

The appointed Data Protection Officer for the Royal Cornwall Hospitals Trust is:
Mr Mark Scallan. PC.dp. PC.foi
Telephone: 01872 254505 or 01872 254507

How can you make a complaint?

You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. We would recommend contacting our Information Governance team initially to talk through any concerns that you have.

It may also be possible to resolve your concerns through a discussion with our Patient and Family Experience Team before (or without the need to start) a more formal process:

If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office:

Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly. Please see the website above for further advice.

Changes to this privacy notice

We will occasionally update this Privacy and Fair Collection webpage to reflect company and customer feedback. We therefore encourage you to periodically review this webpage in case of any changes.

View our data flows

Please click here to view a list of our data flows.

View our impact assessments

Please click here to view a list of our impact assessments.

Page last reviewed: 14 March 2024
