Due to coronavirus (COVID-19), we have reviewed the Trust's policy on sharing data. We have added supplementary privacy notes.


This privacy notice explains how Royal Papworth Hospital NHS Foundation Trust (‘Royal Papworth Hospital’) processes the data that it holds on its patients.

We handle patient data in line with relevant legislation, including but not limited to:

  • The Data Protection Act 2018
  • the General Data Protection Regulations 2018
  • Access to Health Records Act 1990
  • Freedom of Information Act 2000
  • Health and Social Care Act 2015
  • Common Law Duty of Confidentiality
  • Records Management Code of Practice
  • Human Rights Act 1998

Royal Papworth Hospital is a specialist cardiothoracic hospital, dedicated to providing the best possible care to its patients, who are referred from across the country. In order to provide this service and to provide ongoing care after discharge, whether to home, another hospital, or into the care of social services, we need to be able to process and share your data appropriately.

In order to ensure compliance whilst doing this, we are monitored by a variety of bodies including but not limited to:

  • NHS England
  • the Information Commissioner’s office
  • the Department of Health
  • the Care Quality Commission
  • NHS Digital

How we collect your information

Your information can come to us in a number of different ways, including a referral from your GP or other healthcare organisation, or directly from you when collected here at the hospital or via a form we have asked you to complete. On rare occasions the information may come from other individuals, such as a next-of-kin, if you are admitted to us in a condition that leaves you unable to provide the information yourself.

Medications and allergy information can either be received from your GP via the Summary Care Record, or maybe accessed directly by our Pharmacy staff or clinicians, via a system called GP Connect. GP Connect supplies a greater level of historical medications data, which allows clinical staff to be better informed when making decisions regarding your ongoing care. This information will sit within the Trust’s electronic patient record system, form part of your Health Record and will therefore be subject to the same retention schedule.

What information do we collect?

The information we collect and hold about you may include, and is not limited to, any or all of the below:

Your name, address and contact details, or those of the next-of-kin you wish us to use.

Records of any interaction you have had with the hospital with regards to attendances and appointments

Details of any care we have provided, care you have received from other healthcare organisations, and information regarding your health in general such as previously existing conditions and allergies etc

Other information that we have been provided with from third parties who have been involved in your care

This information may be in various formats including paper, electronic, or images such as x-rays or scans

We also collect other information about you such as, your sexuality, race, ethnic origin, religious beliefs, disability status and whether you have any additional support needs such as language assistance. This information is often vital to ensure that care is provided adequately, efficiently and in line with your wishes.

Why do we collect and store your information?

Your information is collected and stored in order to ensure that the healthcare we provide is appropriate and that follow-up care, medication provision, home care support etc. is provided adequately and effectively. We have a clear legal basis (provision of healthcare) for the collection and storage of this data under the GDPR legislation.

The use of this data throughout the hospital is vital to ensure that the right decisions are made about your care, that your treatment is safe and effective, and that ongoing healthcare provision is seamless and can be planned in advance to meet your needs.

This data is also important in helping us to evaluate patient safety and care, ensuring that our services can be planned to meet the service needs of future patients, to allow us to evaluate health care and develop new treatments, and prepare statistics on NHS performance and how we spend public money. This allows evaluation of the NHS and associated government policies as a whole, which in turn supports the health programme for the general public.

Patient data is used by Royal Papworth to test and confirm that its analytics tool processes and reports real-life data from the electronic patient record system correctly. The analytics tool is used to inform the improvement of services offered by Royal Papworth, including the audit and evaluation of healthcare activities, research in support of new treatments, and for the preparation of statistics to report NHS Performance. All testing is conducted in a secure environment, certified to NHS Security Standards (PEN Testing), and is only accessible by members of the Royal Papworth team authorized and responsible for completing the testing activity.

If you are applying to work at Royal Papworth Hospital, then we need to be able to collect, process and store your data in order to fulfil the legal and organisation requirements of the recruitment process, including completing the necessary checks that allow us to offer you a position, Royal Papworth Hospital need to process the data you provide. Our legal basis for this processing is Article 6(1)(a) and Article 9 (2)(b) and your data will be stored within secure systems with access controlled by password protection. We have a legal obligation to retain this information as per the records Management Code of Practice, after which time it will be destroyed accordingly. (the Code of Practice can be found using the link found in the “Storing Your Data” section below). If you are currently an NHS employee this will include the confirmation of previous NHS service details via Inter Authority Transfer (IAT)

Who do we share your data with?

There are occasions when we will need to share your data with others to ensure that the care we provide is the best it can be; however, this is governed by specific regulations to ensure that we do so safely.

For the provision of healthcare

It is unlikely that your care will solely be supplied by the Royal Papworth Hospital. We therefore may need to share your data with other NHS organisations such as your GP, your local hospital or other support organisations who are best placed to look after you once you leave our care.

We may also need to share your information with support organisations outside of the NHS, such as your local authority, social services, private healthcare companies and other support organisations in either the private or voluntary sectors.

If we are sharing your information outside of the NHS environment we will gain consent where possible and appropriate, and will ensure that those organisations have the correct security in place to keep your data safe.

Sharing with other organisations

There may also be situations where we are under a duty to share your information, due to a legal requirement. This includes, but is not limited to, disclosure under a court order, sharing with the Care Quality Commission for inspection purposes, the Health & Safety Executive if you are involved in a reportable accident whilst on site, the police for the prevention or detection of crime or where there is an overriding public interest to prevent abuse or serious harm to others, debt collecting agencies if you are a paying patient and have failed to settle your bill and other public bodies (e.g. HMRC for the misuse of public funds in order to prevent and detect fraud).

The Department of Health (or NHS departments that report to the Department of Health, or are acting on behalf of) also requires us to send information which is held securely by them. This information is used to analyse the efficiency and financial stability of the NHS across the country. Similarly, we may be subject to independent audit which would require us to provide information on a random selection of patients to ensure the efficacy of our treatment and financial accounting. This data is supplied in anonymous format where possible but in some circumstances it must be in identifiable format, such as when the effectiveness of the patient journey throughout the NHS is being scrutinised.

As of October 2021, additional data will be shared with Public Health England’s, National Congenital Anomaly and Rare Disease Registration Service (NCARDRS). Data supplied for rare disease patients will support future NHS E and I commissioning decisions for these and future drugs as well as current work being undertaken to understand the impact of COVID-19 on rare disease patients. Further information is available as a downloadable pdf.

Other uses for your data

Royal Papworth Hospital is a specialist environment noted for the development of innovative new technologies and treatments in the field of cardiothoracic medicine, and as such we encounter many rare and interesting health conditions within our patient demographic. In order to ensure that our patient care remains world-class and that the methods we use are disseminated throughout the NHS, we engage proactively in training medical staff. The information contained within your health record may be used to inform such teaching, including images videos or scans, however these will always be anonymous unless we have gained your explicit consent.

The Trust also has an active research and development department and there may be studies which you are eligible to participate in. You will never be entered into any study or research without your full knowledge and explicit consent.

Both internal and external audits are undertaken to ensure the care we provide meets the standards and guidelines we are tasked to comply with and this may require us to provide patient data; this data will be anonymised wherever possible and will only be provided in identifiable format when no other option is possible.

If you are interacting and providing information to Royal Papworth Charity, including through Our Community Hub where they serve as the administrators, please read their privacy statement available on the Royal Papworth Charity website.

Opting out

You have the right to opt out of your data being shared to other authorised professionals or to withdraw your consent; however this may lead to ongoing care being misinformed or some treatment options not being available to you. You may also opt out of your data being used for the mandatory audits as described in the section below.

National data opt out

Royal Papworth Hospital is dedicated to providing the very best of care to our patients and is therefore committed to continuous service improvement.

When using our service, whether as in inpatient or outpatient, important information about you is collected in a patient record to ensure that the care we provide is well informed and accurate. More details about the national data opt out »

Storing your data

We will ensure that your data is stored safely and in line with guidelines. We are legally obliged to retain health records for retention periods specified in the Records Management Code of Practice, which can be found here. The retention periods listed within this document are the minimum time frames we must adhere to; some records are kept for longer where there is a robust and documented reason to do so.

Subject Access Requests

You have the right to request access to any information that we hold about you. This is called a Subject Access Request and can be carried out by contacting the Health Records Department who will provide you with the appropriate form to complete. Once we have received your written request and proof of identification, the Trust is legally obliged to provide the information you have requested free of charge within one calendar month.

Using our website

If you provide us with information via our website, for example when submitting an FOI request, completing the CPD sign-up form or giving us feedback, we will only use this information for the purpose for which it was provided, such as to provide you with a response or register you for training.

Our website uses cookies which may also collect information about you. 

Foundation Trust Members

Becoming a Foundation Trust Member means that we will need to hold your name and contact details in order to communicate with you. We may need to share your data securely with our partners in order to for you to receive information about the hospital, e.g. about our annual elections.

We are only legally allowed to process your data if you consent for us to do so. However, if you do not give your consent for us to hold your data we will not be able to communicate with you. If you provide your email address, we will send you occasional information about the hospital.

Once you become a Foundation Trust Member you will remain so until you ask to leave. If at any point you would like to opt out of being a Foundation Trust Member, please let us know and we will remove your data from our systems.

Queries or complaints

Queries or complaints If you have any questions queries or complaints about the ways in which we collect, store or use your data please contact The Information Governance Manager (who is also the Data Protection Officer for the Trust) using the contact details below, or contact the PALS team using the link provided.

Information Governance Manager / Data Protection Officer
Cath Willcox
01223 639989

If after contacting one of the above you do not feel your issue has been adequately addressed you can contact the Information Commissioner’s office, however they will not normally address a complaint until you have complained directly to the organisation concerned and allowed them to respond:

Information Commissioner’s Office
Post: Wycliffe House, Water Lane,
Wilmslow, Cheshire, SK9 5AF

Web: ico.org.uk/concerns/
Phone: 0303 123 1113