Your information and how we use it (privacy notice)

We use information about you so that we are able to treat you appropriately and effectively.

We must keep records about you, your health and the care we have provided or plan to provide to you. If we do not have up-to-date and accurate information about you, we may not be able to provide you with appropriate healthcare.

Types of personal information

Information such as your name, date of birth and address is referred to as personal data (information that relates to a specific individual). Some categories of information are referred to as special categories of personal data, including:

  • Race
  • Ethnic origin
  • Religion
  • Genetics
  • Health
  • Sex life
  • Sexual orientation

How long do we hold your personal information

East Sussex Healthcare NHS Trust has a Health Records Destruction and Retention policy and procedure that states that most records are held for eight years after the last date that treatment was provided. There are some exceptions which include:

  • If a patient is under 25 years of age
  • If Health Records are marked as permanent preservation
  • Patient has had a diagnosis/treatment for cancer (includes chemotherapy codes)
  • Patient has taken part in a clinical trial. Patients to be marked as ‘Permanent Preservation’
  • Patient has had a hip or knee, shoulder or elbow replacement
  • Patient has a diagnosis of CJD or HIV
  • People who have undergone organ transplantation
  • Patient has been treated under the Cardiothoracic Surgery speciality
  • Patient has undergone a CABG, Angioplasty, Cardiac Valve replacement or had a pacemaker fitted
  • Patient has Obstetric history since 1983

Using your information

We use your information to provide you with healthcare and to support the administration of the Trust. We, and occasionally our partner organisations, may also use your information for the evaluation, monitoring and/or redesign of healthcare services. If you have given us your contact details, we may also send you newsletters and invitations to complete short surveys as part of our work to improve our services.

The Trust is required to record details of adverse incidents. If you have been involved in an adverse incident, some information about you may be reported on our internal database. We will inform you of this where practicably possible.

We have produced a leaflet that you can download:

Legal bases for processing your information

To use information about you the Trust must be compliant with the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA18) and establish the legal bases for using information.

The first basis or article that the Trust will rely upon for processing or using personal information is Article 6(1)(e) “… for the performance of a task carried out in the public interest or in the exercise of official authority …”

A second basis is required because information about health is categorised as ‘special information’. Most of the functions carried out by staff are covered by Article 9(2)(h) “… medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems …”

As required by the law, the Trust is registered with the Information Commissioner’s Office (ICO) under the organisation name of ‘East Sussex Healthcare Trust’ with registration number ‘Z2917271’.  The register and our entry can be found here:

Some uses or processing of information will be covered by different articles, so if in doubt contact our Information Governance department.

Sharing your Information

The Trust does share information with other organisations, for both direct and indirect patient care, for example to ensure that your GP is kept aware of any care provided by the Trust, or to ensure that the Trust is paid the correct amount of money for providing healthcare services.

Accessing your Information

You have the right to access your information. This is referred to as a subject access request (the patient being the ‘subject’). If you wish to either see a copy of your record or receive a copy, then please see the Request for Health Records page.

Security of your Information

We do not sell your information to third parties, and only share it with organisations involved in the delivery of your healthcare or supporting the delivery of your healthcare.

Information is kept on our secure network and our emails are encrypted.

Data Protection Impact Assessments

In line with Data Protection legislation, the Trust carries out Data Protection Impact Assessments (also referred to as Privacy Impact Assessments) before new systems are implemented. These are based upon the Information Commissioner’s DPIA template and allow the Trust to identify potential data protection risks of new systems or projects.

Use of CCTV

The Trust has CCTV on some sites. This is to provide a safe and secure environment for patients, staff and visitors, and to safeguard Trust property. CCTV images may be used to assist in the prevention and detection of crime. Images may be shared with the Police for the investigation of crimes.

Further queries or complaints

If you have further questions, then please contact the Trust’s Data Protection Officer by Email:

If you have concerns that you do not wish to raise with the Trust, then please contact the Information Commissioner’s Office (ICO):

Helpline: 0303 123 1113 (between 9.00am and 5.00pm)

Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF