• Privacy Notice - Header

    Privacy Notice

    This privacy notice lets you know what happens to any personal data that you give to us, or any that we may collect from or about you.  It applies to the personal information processed by or on behalf of Norfolk Community Health and Care NHS Trust (NCH&C) and is required for compliance to UK General Data Protection Regulation (UK GDPR).

What information do we collect about you?

We only collect information about you for lawful purposes in order for us;

  • to provide the most effective and highest quality clinical care and
  • to assist in the running of this NHS Trust.

This includes management of patient records, communications concerning your clinical and other care, ensuring the quality of your care and the best outcomes by clinical audit and participating in research as well as the management and clinical planning of services both now and for the future.

In some areas of our Trust we ask for consent from you to process your information, for example, in participating in patient experience surveys, asking to use photographs for media or staff training. 

The Trust has a duty to you to protect your information and all our staff are bound in their contracts of employment, and additionally, in the case of healthcare professionals, by accountability to their professional bodies.

How do we maintain the confidentiality and security of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • The UK GDPR and the Data Protection Act 2018
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • NHS Codes of Confidentiality, Information Security and Records Management

Information held about you, whether on paper or computerised, is protected from unauthorised access. 

All the personal data we process is processed by our staff in the UK however for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

How is information used?

We use the information given to us by people who use our services to provide them with safe and effective care. This includes: 

  • processing for the provision of healthcare (direct care) or the management of healthcare systems (invoice validation, commissioner reporting, quality audits – essentially, mandated activity for legal obligations);
  • processing for ensuring high standards of quality and safety of healthcare – which includes research, audit, service improvement and addressing public health/inequalities.
  • processing for archiving purposes, statistical analysis and research in public interest or public duty
  • processing for ‘vital interests’ (safety, safeguarding, public safety)
  • under the direction of a Court or to assist in serious crime or fraud
    • Under the Health and Social Care Act 2008, the Care Quality Commission (CQC) has the right to access and use information where it is considered necessary to carry out its powers as a regulator. For more information see www.cqc.org.uk

If you have any questions or concerns about how information is used or where this information is published, or feel you will be put at risk by the disclosure of any of this information, please contact the Head of Information Governance or the Caldicott Guardian on 01603 785876 or IG@nchc.nhs.uk whose role it is to oversee all issues related to the use of patient information within the Trust. 

Who do we share your information with?

We will share information with the following main partner organisations:

  • Other NHS Trusts, hospitals that are involved in your care;
  • Integrated Care Services (ICS) and other NHS bodies;
  • General Practitioners (GPs); and
  • Ambulance Trusts.

You may be receiving care from other service providers as well as the NHS, for example Social Care Services.  Therefore we may need to share some information about you with them so we can all work together for your benefit – but only if they have a genuine need for it as part of your care or we have your permission. Therefore, we may also share your information with:

  • Social Care Services;
  • Education Services;
  • Local Authorities; and
  • Voluntary and private sector providers working with the NHS.

How long do we hold your information for?

NCH&C hold records in accordance with the Records Management Code of Practice for Health and Social Care 2021. Appendix II of the Code contains the detailed retention schedules and sets out the minimum time that records should be retained.

Data subject rights

The UK GDPR gives you the general right to apply to see or to be given a copy of personal data held about you. For further information please contact the Trust’s Information Governance Officers, on 01603 785876 or email IG@nchc.nhs.uk 

You also have the right to request rectification or erasure of personal data, to restrict or object to the processing and to the right of data portability. If consent is relied on, you have the right to withdraw consent to processing at any time. If you wish to do any of these things, please contact the Information Governance team on 01603 785876 or email IG@nchc.nhs.uk 

National Data Opt Out

Information about you can also be used and provided to other organisations for purposes beyond your individual care, for research and planning to help provide better health and care for you, your family and future generations. This may only take place when there is a clear legal basis to use this information.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.


The CCTV systems in use across our sites and any images produced by it are controlled by Norfolk Community Health & Care NHS Trust (NCH&C) who is responsible for how the systems are used under the UK General Data Protection Regulations (UK GDPR) and Data Protection Act 2018.

We (NCH&C) have considered the need for using CCTV and have decided it is necessary for the prevention and detection of crime and for protecting the safety of individuals, or the security of premises. We will not use the system for any incompatible purposes and we conduct regular reviews of our use of CCTV to ensure that it is still necessary and proportionate.

Any images held on the systems are securely stored for a defined period of time and access to these images is restricted to authorised individuals only.

From time to time, the police may request access to footage and/or copies under the Police and Criminal Evidence Act.  Such requests will only be made where:

  • A review of recordings is required to trace incidents which may have already been reported to the police
  • Immediate action is required in relation to live/current incidents being pursued
  • A major incident has occurred

Any person or organisation requesting access to digital imagery recordings must do so via the Access to Records Team (accesstorecords@nchc.nhs.uk).

What should you do if your personal information changes?

Please contact the organisation as soon as any of your details change, this is especially important for changes or address or contact details (such as your mobile phone number).

We may from time to time ask you to confirm that the information we currently hold is accurate and up-to-date.

Data Protection Officer (DPO)

NCH&C is a public authority and therefore is legally required to appoint a DPO. The DPO assists with monitoring internal compliance, informing and advising on data protection obligations, providing advice regarding Data Protection Impact Assessments (DPIAs) and acting as a contact point for data subjects and the supervisory authority. Their contact details are:

Matthew Poole
Data Protection Officer
Norfolk Community Health and Care
Norwich Community Hospital
Bowthorpe Road
Norwich,NR2 3TU
Telephone: 01603 272619, email IG@nchc.nhs.uk 


In the event that you believe NCH&C NHS Trust has not complied with the Act, either in responding to a request or in our general processing of your personal information, you should contact the Trust’s Head of Information Governance, NCH&C, Norwich Community Hospital, Bowthorpe Road, Norwich, NR2 3TU.

If you remain unsatisfied you can then contact the Trust’s Senior Information Risk Owner (SIRO), NCH&C, Norwich Community Hospital, Bowthorpe Road, Norwich,NR2 3TU. You also have the right to complain to, appeal to or raise your concerns with the Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire,SK9 5AF Enquiry Line: 01625 545700 or by email.

Further Information about Public Notice

This notice does not give a full explanation of the Law. If it doesn’t answer your questions or you would like more detailed information please contact the Trust’s Head of Information Governance, NCH&C, Norwich Community Hospital, Bowthorpe Road, Norwich, NR2 3TU