Privacy Notice


Weston Area Health NHS Trust (“we”) recognise the importance of protecting personal and confidential information in all that we do, and take care to meet our legal and other duties. By issuing this privacy information, we demonstrate our commitment to openness and accountability.


General Data Protection Regulation

The new Regulation is designed to harmonise data privacy laws across Europe, to protect and empower data subjects by providing more choice about what is done with your data, and to make organisations more accountable.

Under this new Regulation you have the following rights.


  1. Right of access to your data free of charge within 30 days.
  2. Right to rectification. When personal data are inaccurate, you have the right to request that the data be rectified, although this may not always be possible. We can, however, note your concerns or objections.
  3. Right to erasure or right to be forgotten, although we would not delete health or personnel records as there are legal reasons to keep them.
  4. Right to restriction of processing. Simply said, the right of the data subject to limit the processing of his/her personal data.
  5. Right to be informed. The right to be told what we do with your data, the legal basis for processing it and what future uses we may wish to use it for.
  6. Right to object to how we have processed your data – so that we explain this to you.
  7. Right to data portability – having your information in a format that is useful to you.
  8. Rights in relation to automated decision making and profiling.


If you need more information about this, please see the Information Commissioner’s website or contact us and we will be glad to help.


What information do we collect about you?

The information that we collect about you may include details such as:


  • Name, address, telephone, email, date of birth and next of kin
  • Any contact we have had with you through appointments, attendances and home visits
  • Details and records of treatment and care, notes and reports about your health, including any allergies or health conditions
  • Results of diagnostic testing e.g. x-rays, scans, blood tests, etc
  • Other relevant information from people who care for you and know you well, such as health professionals, relatives and carers.
  • We may also collect other information about you, such as your sexuality, race or ethnic origin, religious or other beliefs, and whether you have a disability or require any additional support with appointments (like an interpreter or advocate in line with your rights under the Accessible Information Standard).


How we collect information about you

Our information could be collected in a number of different ways. This might be from a referral made by your GP or another healthcare professional you have seen, or perhaps directly from you – in person, over the telephone or on a form you have completed.


How is your information used?

We use your information to ensure that:


  • The right decisions are made about your care
  • Your treatment is safe and effective and
  • We can work well with other organisations that may be involved in your care


This is important because having accurate and up-to-date information will assist us in providing you with the best possible care. It also ensures that all information is readily available if you see another health professional or specialist within our trust or another part of the NHS.

There is also the potential for your information to help improve health care and other services across our trust and the wider NHS. Therefore, your information may also be used to help with:


  • Ensuring that our services can be planned to meet the future needs of patients
  • Reviewing the care provided to ensure it is of the highest standard possible, improving individual diagnosis and care
  • Evaluating and improving patient safety
  • Training other healthcare professionals
  • Conducting clinical research and audits, and understanding more about health risks and causes to develop new treatments
  • Preparing statistics on NHS performance and monitoring how we spend public money
  • Supporting the health of the general public
  • Evaluating Government and NHS policies



Making sure our data collection about you is lawful

Our legal reasons for processing your health information are set out within the Articles of the General Data Protection Regulation and are listed below.

6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

6(1)(c) ‘…necessary for compliance with a legal obligation to which the controller is subject’ or:

6(1)(d) ‘…necessary in order to protect the vital interests of the data subject or of another natural person’

9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment and social protection law’ (Safeguarding)

9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

9(2)(j) ‘…scientific or historical research purposes or statistical purposes …’

This covers the provision of direct healthcare and administrative purposes such as:

  • waiting list management
  • performance against national targets
  • activity monitoring
  • local clinical audit
  • production of datasets to submit for commissioning purposes

There may also be times when information is collected from your relatives or next of kin – for example, if you are taken to one of our departments but you are unconscious or unable to communicate.


How we keep your data safe and who has access?

We ensure that there are appropriate technical controls in place to protect your personal details. Your information is only accessible by appropriately trained staff, volunteers and contractors.

We will never sell or swap your personal details with other organisations for their marketing purposes. We may be required by law to disclose personal information, for example for fraud prevention.

In the unlikely event that we need to share your data with a Third Party not required to comply with the General Data Protection Regulation, we will seek binding corporate rules that enforce strict requirements providing the same level of protection to your personal data.


Do we share your information with anyone else?

We work with a number of other NHS organisations and independent treatment centres and clinics to provide you with the best possible care. To support this, your information may be securely shared.


Where the sharing involves a non-NHS organisation, a specific information sharing agreement is put in place to ensure that only relevant information is shared and this is done securely in a way which complies with the law.


Unless there are exceptional circumstances (such as a likely risk to the health and safety of others) or a valid reason permitted by law, we will not disclose any information to third parties which can be used to identify you without your consent.


Mandatory Information Sharing

Sometimes we are required by law to disclose or report certain information which may include details which identify you. This may include reporting a serious crime or identification of an infectious disease that may endanger the safety of others. Where this disclosure is necessary, only the minimum amount of information is released.

There may also be occasions when the trust is reviewed by an independent auditor, which could involve reviewing randomly selected patient information to ensure we are legally compliant.

There are other statutory bodies to which we are required to provide your information. These include:

  • Parliamentary Health Service Ombudsman
  • Care Quality Commission
  • General Medical Council
  • Police (in certain situations only such as Terrorism or serious crime)


Clinical training, research and audit

Some health records are needed to teach student clinicians about rare cases and diseases. Without such materials, new doctors and nurses would not be properly prepared to treat you and others. It is also possible that individuals, such as student nurses and medical students, are receiving training in the service that is caring for you. If staff would like a student to be present, they will always ask for your permission and you have the right to refuse without this affecting the care or treatment that you are receiving.

We also undertake clinical research and audits within the trust, and your permission may be required for some of this work. If you agree to be involved, a full explanation will be given and your consent will be obtained before proceeding. Your consent may not be required if the information being used has been fully anonymised. This means that it cannot be used to identify an individual person.


Do you have the right to withhold or withdraw your consent for information sharing?

You also have the right to ‘opt out’ of having your information used in any mandatory audits which the Trust is subjected to. If this is the case, you should write to our Information Governance team with your name, address, date of birth and hospital number or NHS number.


How can you get access to the information that we hold about you?

Under the terms of the Data Protection Act 2018 and the General Data Protection Regulation you have the right to request access to the information that we hold about you.


Request for access to medical records forms

You can request information or an application form, by one of the following means:

  • Email:
  • By post: Legal Services Department, Weston Area Health NHS Trust, Grange Road, Uphill, Weston-Super-Mare. BS23 4TQ
  • Telephone: 01934 881121


Can we charge a fee?

In most cases we will not charge a fee to comply with a subject access request. However, where the request is manifestly unfounded or excessive we may charge a “reasonable fee” for the administrative costs of complying with the request. We may also charge a reasonable fee if an individual requests further copies of their data following a request. The fee will be based on the administrative costs of providing further copies.


How long do we have to comply?

We must act on this ‘subject access request’ without undue delay and at the latest within one month of receipt. The time will be calculated from the day after we receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, we have until the next working day to respond. For practical purposes the Trust will aim to provide the information within 28 days to ensure compliance is always within a calendar month.


Please be advised that the request will not be processed until the Weston Area Health NHS Trust (WAHT) is satisfied of the identity of the person making the request. The Trust Policy is that we must have at least two types of identity validation prior to providing access to, or disclosing, personal identifiable information. If you are making a request on behalf of another person, we would require ID from both parties. Therefore, could you please provide two of the following (one of which must be photographic identification):

  • Copy of valid passport
  • Copy of current driving licence
  • Copy of paid utility bill
  • Any documentation will be considered on an individual basis but may not be accepted.

Unfortunately we will not be able to process your request until we are in possession of this information.

How long do we retain your records?

Health and Social Care 2016, which sets out the appropriate length of time each type of NHS record is retained. We do not keep your records for longer than necessary.

All records are appropriately reviewed once their retention period has been met, and the Trust will decide whether the record still requires retention or should be confidentially destroyed. All decisions and destructions will be documented.


How can you contact us with queries or concerns about this privacy notice?

If you have any queries or concerns regarding the information that we hold about you or you have a question regarding this privacy notice, please contact our Information Governance team:


Post: Information Governance Department, Brent Knoll Offices, Weston General Hospital, Grange Road, Weston super Mare BS23 4TQ

Tel: 01934 636363

The appointed Data Protection Officer for Weston Area Health NHS Trust is:

Gillian Hoskins –

The Trust Board representative for data protection is:

The Director of Finance – Jeremy Spearing – 01934 647001

How can you make a complaint?

You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. We would recommend contacting our Information Governance team initially to talk through any concerns that you have.

It may also be possible to resolve your concerns through a discussion with our Patient Advice and Liaison Service (PALS). You can contact them on 01934 636363.

You also have the right to complain to the Information Commissioner’s Office at;