Privacy notice

So we can provide you with the best possible service, a variety of information is collected about you from a range of sources, such as your General Practitioner (GP). This information is used to support your healthcare.

Barnsley Hospital NHS Foundation Trust Privacy Notice

Barnsley Hospital NHS Foundation Trust ('the Trust') is committed to protecting your privacy and ensuring your personal information is handled in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Privacy Notice explains what personal information we collect, how we use it, and your rights in relation to that information.

Who We Are

We are the data controller responsible for the personal information we hold about you. We are a provider of acute hospital services based in Barnsley, South Yorkshire.

What Information We Collect

We collect various types of personal data including:

  • Name, address, contact details, NHS number, and date of birth
  • Medical history, diagnoses, treatment plans, test results, appointment details
  • Information from your GP and other health/social care professionals
  • Emergency contact details and next of kin
  • Relevant information provided by relatives or carers

How We Use Your Information

Your personal data is used to:

  • Provide you with safe and effective care
  • Ensure accurate and up-to-date records are available to care providers
  • Coordinate your care with other NHS or social care organisations
  • Improve service quality, support audit, clinical research and education
  • Respond to complaints and manage incidents
  • Support system management, public health, and legal obligations

Other Uses of Your Information

In addition to direct care, we also use your information for indirect care purposes, which may include:

  • Reviewing and auditing the care we provide to ensure it meets national standards
  • Responding to complaints, legal claims or incidents
  • Supporting health research and development (only with your consent where applicable)
  • Producing anonymised statistics to improve future services
  • Ensuring the Trust is paid accurately for services it delivers
  • Training and educating healthcare professionals

These uses are governed by strict NHS confidentiality rules and legal safeguards. Where identifiable information is required, this is done in line with a clear legal basis or your explicit consent.

Lawful Basis for Processing

We process your personal data under Article 6(1)(e) public task, and special category data (health data) under Article 9(2)(h) provision of health or social care. In urgent circumstances, we may also rely on:

  • Article 6(1)(d) vital interests
  • Article 9(2)(c) vital interests of someone physically or legally incapable of giving consent

How We Protect Your Information

We use robust technical and organisational measures to secure your information. This includes:

  • Secure systems, encryption, and access controls
  • Regular audits and staff training
  • Oversight by our Senior Information Risk Owner (SIRO) and Caldicott Guardian

Use of Surveillance and Call Recording

The Trust operates CCTV and body-worn video on and around its premises to:

  • Ensure the safety of patients, staff and visitors
  • Deter and detect crime
  • Support the investigation of incidents or complaints
  • Assist in traffic and facilities management

All surveillance data is retained securely for limited periods, and access is restricted. Disclosure only occurs where legally required.

Telephone calls to the Trust may be recorded to:

  • Ensure quality and training
  • Monitor service delivery
  • Support investigations into concerns
  • Protect staff and service users

Sharing Your Information

We share relevant data with:

  • NHS partners, GPs, ambulance services, and mental health teams
  • Social care and local authorities involved in your care
  • NHS Digital, NHS England, and regulators (where required)
  • Third-party service providers under strict agreements

Transfers Outside the UK and EEA

The Trust ensures that personal confidential data will not be disclosed or transferred outside the UK and EEA unless appropriate safeguards are in place, or a legal exemption applies.

National Data Opt-Out

The Trust complies with the National Data Opt-Out policy. This means you can choose whether your confidential patient information is used for purposes beyond your individual care, such as planning health services or research and development.

Please note that the National Data Opt-Out does not apply to information used for public health purposes, such as monitoring and controlling the spread of diseases, delivering vaccination programmes, or managing risks of infection.

If you are happy for your information to be used for planning and research, you do not need to do anything. If you choose to opt out, your confidential patient information will still be used to support your individual care.

You can register your choice at: www.nhs.uk/your-nhs-data-matters.

How Long We Keep Your Information

We follow the NHS Records Management Code of Practice. Records are kept for appropriate durations depending on the record type and are securely destroyed when no longer required.

Data Retention Exception

In limited cases, some legacy systems may not support automatic deletion of records once their retention period is reached. Where this occurs, the Trust retains data only under strict controls and in line with guidance from the Information Commissioner’s Office (ICO) and the NHS Records Management Code of Practice, until a resolution is in place.

Accessing Your Health Information via the NHS App

Patients can access parts of their health record, appointment information and letters via the NHS App. This service is optional, and access is only granted where you provide consent through the app.

For more information, visit: www.nhs.uk/nhs-app

Your Rights

Under UK GDPR, you have the:

  • Right to be informed: We must be completely transparent with you by providing information ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language’. Our privacy notice is one of the ways we try to let you know how data is handled.
  • Right to access your information: The right to request a copy of your personal data which the Trust holds about you (Make a Subject Access Request)
  • Right to request rectification: You have the right without undue delay to request the rectification or updating of inaccurate personal data.
  • Right to erasure: to request deletion of your data in certain circumstances
  • Right to restrict processing: to limit how we use your data under specific conditions
  • Right to data portability: to request your data in a reusable format in limited cases
  • Right to object: to certain types of processing such as direct marketing or where processing is based on public interest
  • Rights related to automated decision-making and profiling: to ensure decisions affecting you are made fairly and with appropriate safeguards

If you have questions or concerns about your data:

Tom Davidson
Data Protection Officer

Email: information.governance@nhs.net
Phone: 01226 431996

If you are unhappy with how your personal data has been handled, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Website: www.ico.org.uk
Phone: 0303 123 1113


Source URL: https://www.barnsleyhospital.nhs.uk/privacy-notice

  9. https://www.barnsleyhospital.nhs.uk/sites/default/files/2023-04/subject-access-request-for-employees-ex-employees.pdf