Your Patient Information - Privacy Notice 

Salisbury NHS Foundation Trust Privacy Notice (for Patients)

Salisbury NHS Foundation Trust collects information about you when you are referred by your GP for treatment and during your clinical consultation. We also collect information when you voluntarily complete customer surveys, provide feedback and speak to a member of our team.

As a healthcare provider we need to hold information about our patients to help ensure that they receive proper, necessary and effective treatment. We firmly believe that information should be held securely and should only be available on a ‘need to know’ basis. The information includes:

  • your full name, date of birth and address, phone number, email address
  • your next of kin contact details
  • medical test results, symptoms and diagnoses
  • details of contact we have had with you, such as referrals
  • details of the services you have received
  • patient experience feedback and treatment outcome information you provide
  • notes and reports about your health and any treatment you have received or need, including clinic and operational visits and medicines administered

Working in Partnership with Your GP

As a trusted healthcare partner, Salisbury NHS Foundation Trust (SFT) clinical staff have been granted read-only access to a limited view of your GP electronic patient record when supporting your care. This access has been granted by the Wiltshire Clinical Commissioning Group (Wiltshire CCG) for the majority of GP practices who are using the TPP SystmOne electronic patient record system.

In conjunction with your GP practice we will ensure access to your GP electronic record is strictly controlled and monitored. If you wish to prevent the hospital from accessing your GP electronic record, please contact your GP practice, who can arrange this.

The patient leaflet and responses to commonly asked questions for the TPP SystmOne electronic patient record system provide further details as to how your medical information is managed and shared. To access these, ‘click’ on the links below:
TPP SystmOne Frequently Asked Questions
TPP SystmOne Support

Legal Basis for Sharing of Information

As a healthcare provider we access your healthcare information to provide direct care in accordance with Schedules 2 and 3 of the Data Protection Act 1998, and with effect from 25th May 2018 Articles 6 and 9 of the EU General Data Protection Regulations.

The information we hold about you helps us to:

  • provide a good basis for all health decisions made by you and your healthcare professional
  • make sure your care is safe and effective
  • work effectively with others providing you with care.

We may also use your information to:

  • analyse how visitors use our website to improve services
  • assess the quality of care we give you
  • protect the health of the general public
  • monitor NHS spending
  • manage health services
  • help investigate any concerns or complaints you or your family have about your healthcare
  • report infectious diseases
  • help with accounts and auditing
  • secure clinical funding from your GP and the Clinical Commissioning Group
  • report fraudulent claims for NHS treatment.

PRIVACY NOTICE - Overseas Patients

The national data opt-out:

NHS Digital is developing a new system to support the national data opt-out which will give you more control over how your identifiable health and care information is used. The system will offer you and the public the opportunity to make an informed choice about whether you wish your personally identifiable data to be used just for your individual care and treatment or also used for research and planning purposes.

What information does the national data opt-out apply to?

How do you opt out?

By contacting the NHS Choices website or telephone contact centre:

Need more information?

Visit the National Data Opt-out web pages:

GDPR Compliance Statement

Our duties

We have a duty to:

  • maintain a full accurate record of the care we give you
  • keep records about you confidential, secure, accurate and accessible
  • follow UK law and dispose of your information confidentially when it is no longer needed
  • give you copies of your healthcare information in an easy to understand format (in a large type if you are partially sighted) and a list of medical abbreviations we use.

How and why is your information shared?

Here at Salisbury NHS Foundation Trust we take your privacy seriously and will only use your personal information when caring for you and to give you any products and services you have asked for.

The Trust will not disclose any information about you other than in exceptional circumstances where we are required to do so by law.

You can also get further information on:

  • agreements we have with other organisations for sharing information
  • circumstances where we can pass on personal data without consent for example to prevent and detect crime and to produce anonymised and pseudonymised statistical information to improve NHS services
  • our instructions to staff on how to collect, use and delete personal data
  • how we check that the information we hold is accurate and up to date.

If you are a patient seeking routine treatment and you live outside of the NHS England borders, the Trust is required to contact your local GP practice and Local Health Board (LHB) or the National Specialised Services team responsible for your area to obtain authorisation prior to commencing your treatment. If you are planning to move outside the NHS England borders, please confirm your new address and GP practice with the Trust as soon as possible to ensure a continuation of care. On occasion it may be necessary for the Trust to contact you directly about your provision of care as we will be working on your behalf to ensure that the continuity of care is not adversely affected.

Who do we share your information with?

The Trust uses approved specialist companies which are accredited to provide any diagnostic tests or services you might need; for example, genetic testing and specialist tests.

We work closely with many organisations in order to provide you with the best possible care. This means that with your consent, and when it is beneficial to your health or in your vital interests, your information will be shared with organisations including:

  • your GP practice
  • other hospitals and community organisations providing care services
  • Clinical commissioning groups responsible for the management of your local NHS budget
  • specialist companies providing diagnostic and testing services you might need; for example, blood test, X-ray, and ultrasound scans.

Health professionals should share information in the best interests of their patients. This means that where necessary we will also share your health information with other health care providers/professionals involved in your care.

Do I have a choice about who accesses my medical record?

The Trust uses a secure electronic patient record system which enables GPs to refer you here. You can decide whether we can give limited access to the information held within your GP record.

Our system is also used by other GP practices, child health services, community services, hospitals, out-of-hours services, palliative care services and many more. This means your information can be shared with other clinicians so that everyone caring for you is fully informed about your medical history, including medication and allergies. We will seek your consent before sharing your medical information.

Sharing Out: This controls whether your information stored by us can be shared with your GP.

Sharing In: This controls whether information in your medical record held by your GP can be viewed by staff on a need to know basis.

Security and performance

Salisbury NHS Foundation Trust is registered with the Information Commissioner’s Office which is the regulator for data protection and privacy and electronic communications. Our registration number is: Z6613850

We are committed to keeping your personal information secure. We have put in place physical, electronic and operational procedures to safeguard and secure the information we collect. All our employees and partner organisations are legally bound to respect your privacy and the confidentiality of your information. Access to your information is strictly controlled, and it is only accessible to employees on a need to know basis.

All internet activity is monitored to quickly identify any abnormalities so that immediate action can be taken to address any potential problem as quickly as possible. NHS Digital can identify the affected device in real time so that alerts can be provided nationally and locally in order to minimise the threat to the NHS, staff and patients.

A full copy of our data protection registration details can be accessed via the link: Register of Data Controllers

Salisbury NHS Foundation Trust is registered with the Department of Health (DOH) and our security and confidentiality compliance is assessed by the completion of the Information Governance (IG) Toolkit. This is an online system which allows organisations’ information security, data protection, and confidentiality processes and procedures to be assessed against national standards required by NHS Digital and the Care Quality Commission. This has been enhanced and updated, and is now the ‘Data Security Protection Toolkit’ (DSPT) and will apply for the financial year 2018/19 onwards.

During the financial year 2017-18 the Trust achieved a “satisfactory” rating with a compliance score of 77%.

To access more detailed information about the Trust’s IG Toolkit compliance please click the link below:

Information Governance Toolkit

Your rights

If we hold information about you as a patient you have the right to:

1. Be informed:

Individuals, which include patients and staff, have the right to be informed about the collection and use of their personal data.

2. Right of access

You have the right to find out what information we hold about you as a member of staff or as a patient. This is called a right of access. You exercise this right by asking us for a copy of the information we hold about you.

We are required to supply this information to you within 30 calendar days from the date the Trust received the request.

3. The right to get your data corrected

You have the right to have any inaccurate personal information about you corrected within 30 calendar days.

You can make this request verbally and in writing.

In certain circumstances the Trust can refuse the request for rectification.

4. Your right to get your personal information deleted

You have the right to ask the Trust to delete any personal information we hold about you in certain circumstances. This is known as the ‘right to be forgotten’.

This right is not absolute and can only apply in certain circumstances.

You don’t have to ask a specific person within the hospital. We do recommend that you follow up any verbal requests in writing by contacting the Trust’s Data Protection Officer explaining your concerns, providing evidence and stating your desired solution.

5. Right to limit how we use your information

You can limit the way the hospital uses your personal data if you are concerned about the accuracy of the data or how it is being used.
In certain circumstances you can make a request for the hospital to limit the use of your personal information. This could include:

  • Temporarily removing information from a system
  • Making it unavailable to users, or
  • Temporarily removing it from a website, if it has been published.

The Trust may refuse a request to limit the use of your information if we believe that your request is unfounded or excessive. We won’t do this without letting you know, and if your request is ‘manifestly unfounded’ we may ask for a reasonable fee to cover administration costs.

6. Right to data portability

You have a right to get your personal information from the hospital in an accessible format: paper, electronic or CSV file.

You can also ask the hospital to transfer your electronic information to another healthcare provider if it is technically feasible.

How long will I need to wait for my data to be transferred?

The hospital has one month to respond to your request. We may need extra time to consider your request and this may take up to two months but we will let you know.

7. Right to object

You have the right to object to the use of your information in some circumstances.

Your request can be verbal or in writing. We recommend that you follow up any verbal requests in writing by contacting the Trust’s Data Protection Officer explaining your request.

8. Rights relating to decisions made about you by a computerised system

Automated decisions

This is called automated decision making and profiling; for example, completing an online aptitude test using a pre-programmed algorithm and/or criteria when applying for a job vacancy with the hospital.

You can ask for information to understand the reasons behind the automated decisions. The request can be made verbally or in writing. We recommend that you follow up any verbal requests in writing by contacting the Trust’s Data Protection Officer explaining your request.


Profiling means information about you is used to analyse or predict things like:

  • Your performance at work
  • Your personal financial status
  • Your health, personal preferences and interests.

You can object to the collection of profiling information if it includes direct marketing.

It will take the hospital a month to respond to your request, but in certain circumstances, we may need more time which can take up to an extra two months. We will let you know within the 30 days if it might take longer.

Raising a concern

You have a right to be confident that the hospital handles your personal information responsibly and securely.

If you would like to speak to someone about any concerns you may have, please call the Information Governance Office on 01722 336262 or the Trust’s Data Protection Officer on 01722 425119.

You can also seek advice from or make a complaint to the Information Commissioner’s Office (ICO) who is the UK data protection regulator.

Keeping information

We follow UK law and will only keep your personal information for as long as necessary.

Updating this privacy notice

We will review and update this notice regularly in line with guidance issued by the privacy regulator, the Department of Health and NHS Digital.

    Accessing information

    If you would like to receive a copy of your medical records, report a concern or inaccuracy within your record or would like to restrict who your medical data is shared with, please speak to your clinician or contact any of the people listed below. They will be happy to help:


    Ms Heidi Doubtfire-Lynn

    Data Protection Officer
    Informatics Department

    Corporate Development Directorate
    Salisbury District Hospital
    Odstock Road
    Near Salisbury
    SP2 8BJ
    Tel: 01722 425119

    Ms Sandy Higdon

    Medical Records Manager

    Corporate Development Directorate
    Salisbury District Hospital
    Odstock Road
    Near Salisbury
    SP2 8BJ
    Tel: 01722 336262

    Dr Christine Blanshard

    Caldicott Guardian

    Medical Director
    Tel: 01722 336262

    Ms Esther Provins

    Senior Information Risk Owner

    Director of Transformation; Senior Information Risk Owner
    Tel: 01722 336262

    If you would like advice, or to report a concern directly to the data protection and privacy and electronic communications regulator, you can use the contact details below:

    Information Commissioner's Office

    Wycliffe House
    Water Lane
    SK9 5AF

    Helpline: 0303 123 1113

    Page Last Updated: 11/10/2019 11:44 