
Data Protection & Confidentiality

Data Protection

The Data Protection Act came into force in March 2000. This Act places a responsibility on the Trust, as a data controller, to ensure that your information is collected and managed in a secure and confidential way (data protection registration number Z4648205). The Act also provides you with a right of access to personal information that the Trust holds about you (this applies equally to service users, members of staff and any other individual that the Trust may hold information about in its legal capacity).

As a Trust we take the security of your information very seriously.

To ensure we act to the highest standards we currently hold the following national accreditations:

• ISO/IEC 27001 (Information Security Management, certified by BSI)
• Cyber Essentials Plus
• Data Security and Protection Toolkit (DSPT) - Standards exceeded


Full details of the Data Protection Act 2018 are available on the government website.

The Trust also issues an annual statement on its Information Governance compliance.

The Trust may process information in relation to (and this is not an exhaustive list):

• Staff Administration
• Accounts and Records (including debt collection, collection of fees linked to overseas visitors, and cross-border cases, i.e. patients whose treatment is funded by Scottish, Welsh and Northern Ireland health bodies)
• Health Administration and Services (defined by statute and contract)
• Research
• Crime prevention and prosecution of offenders
• Public Health
• Data Matching
• Advertising, marketing and public relations
• Administration of Membership Records
• Education
• Fundraising
• Pastoral Care
• Property Management
• Processing For Not For Profit Organisations

We also process sensitive classes of information that may include:

  • Racial and ethnic origin
  • Offences (including alleged offences), criminal proceedings, outcomes and sentences
  • Trade union membership
  • Religious or similar beliefs
  • Employment tribunal applications, complaints, accidents, and incident details
  • Ordinary country of residence and nationality

It may sometimes be necessary to transfer personal information overseas. When this is needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the Data Protection Act.

We may at times request additional proof of identity.

How will we use information about you?

Your information is used to run and improve the Trust and the services that it provides. It may be used to:

  • Check and report on how effective the Trust and the services it commissions have been
  • Ensure that money is used properly to pay for the services it provides
  • Investigate complaints, legal claims or important incidents
  • Make sure that the Trust gives value for money
  • Make sure services are planned to meet patients’ needs in the future
  • Review the care given to make sure it is of the highest possible standard
  • Manage specialised services that the Trust commissions (or where the Trust has been commissioned to provide those services)
  • Improve the efficiency of healthcare services, by sharing information with other organisations (sometimes non-NHS) for a specific, justified purpose
  • Support the Trust when seeking reimbursement for treatment that has been provided (but the amount of information used will only be the minimum necessary)
  • Fulfil contractual obligations as set out in the NHS Standard Contract

Privacy Notice – further information

When you are referred to the Trust and then attend any of our hospitals or clinics, information is recorded about who you are, about your condition and about the medical care you receive. This information is kept in your Health Care File and we also hold information on computer systems (increasingly, more information will be held on these systems and less in paper-based records). The information is used to ensure you receive proper care and treatment from us, but also to support how the Trust is managed and funded. We will share this information with other staff you would expect to be involved as part of your overall care, including your GP and staff who provide care and treatment in a community setting (such as District Nurses), where it is appropriate for us to do so. [1]

Where possible the Trust will always use the minimum necessary information about you to undertake its roles and functions.

The Data Protection Act (1998) helps define the information we hold about you, and only those who have a legitimate relationship with you or the appropriate authority will have access to this information.

We take our duty to protect your personal information and confidentiality seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper. We have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a ‘Caldicott Guardian’ who is responsible for the management of patient information and patient confidentiality.

All staff are required to undertake annual information governance training.

Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, and inform you of how your information will be used. This includes, in most circumstances, allowing you to decide if and how your information can be shared. [2]

Everyone working for the NHS is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by the law.

We may use your information for a number of reasons not directly associated with your care, i.e. secondary usage. For instance, we may pass information about you to other parts of the NHS or other organisations that provide health care services so that the Trust can receive payment for services that it has provided, or so that the Trust can pay for services it has commissioned on your behalf. Wherever possible (and in line with national guidance) your name and address will be removed. The organisations involved include Clinical Commissioning Groups in England, other commissioning organisations in Northern Ireland, Scotland and Wales, and the UK Border Agency in relation to overseas visitors. The Trust will only ever share the minimum necessary information.

The following are examples of how your information may be used:

  • To meet a legal obligation, e.g. we are required by law to inform the Registrar’s Office about births or deaths.
  • To help protect the health of the general public, e.g. by notification of certain infectious diseases to the Director of Public Health.
  • To carry out clinical audit, which means we compare care and patterns of care within the Trust. For this purpose registers are kept for patients with particular conditions such as cancer, diabetes, stroke etc.
  • To meet the guidance on implementing the Department of Health overseas visitor hospital charging regulations (2015).
  • To help train and educate clinical staff.

You have the right to know about the information we hold on you and view or receive a copy of it if you wish (this applies equally to staff and service users). 

You should ask the doctor, nurse or person looking after you if you want to discuss what is in your Health Care records. Alternatively, you can contact us using the details below to request access to your health record (an application form may be provided if you have not provided sufficient information with your request to prove your identity etc.):

Health Records Manager
James Paget University Hospitals NHS Foundation Trust
Lowestoft Road
NR31 6LA

Or email us:

You can also get more information and copies of the application forms via the Health Records section of our website. 

For all other Data Protection Act enquiries, please write to the Trust Information Governance Section, James Paget University Hospitals NHS Foundation Trust, Lowestoft Road, Gorleston, Great Yarmouth, Norfolk NR31 6LA.

PLEASE NOTE: the Trust may allow appropriate clinical staff to undertake private work from Trust premises. Where this occurs, different arrangements are in place for accessing your record, and in the first instance you should contact the clinician who treated you (and who was paid by you or an insurance company) to find out what they require.


[1] Please note that similar arrangements are in place where you receive and pay for treatment privately on Trust premises.

[2] Please note that across the NHS there is a series of s251 exemptions in place. These allow organisations to use PCD (patient confidential data) for defined purposes without necessarily seeking consent. A full list of these exemptions is published separately.