Your personal information

The information we hold and how we use it

When you use our services, we use information about you and your health so that we are able to give you the best possible care.

Using your information

We use your information to provide you with healthcare and to support the administration of the trust. We may also need to process your information in order to:

  • Inform other staff (if appropriate) involved in your healthcare, eg, your GP or social services
  • Make sure your care is of a high standard
  • Ensure that the information we hold about you is valid and up to date
  • Prevent, detect and prosecute fraud and other crime
  • Provide translation and interpreter services to you
  • Evaluate and plan services
  • Help train staff and support research
  • Receive payment for your care

We only use the minimum amount of information needed for each purpose and your information is only accessed by staff authorised to see it.

You can also see how the overseas visitors team may use your information on the Overseas Patients page.

We comply with the National Data Opt-Out Policy. For example, we remove data that identifies individuals such as name and address when we are planning what services we will provide. The best place to find out more about the opt-out is to follow this link to the national website: https://digital.nhs.uk/services/national-data-opt-out

We are required to record details of adverse incidents. If you have been involved in an adverse incident, some information about you may be reported on our internal database. We will inform you of this where practicably possible.

We have produced a leaflet that you can download:

How long do we hold your personal information

We have a health records destruction and retention policy and procedure that states that most records are held for eight years after the last date that treatment was provided. There are some exceptions which include:

  • If a patient is under 25 years of age
  • If health records are marked as permanent preservation
  • Patient has had a diagnosis/treatment for cancer (includes chemotherapy codes)
  • Patient has taken part in a clinical trial. Patients to be marked as ‘Permanent Preservation’
  • Patient has had a hip or knee, shoulder or elbow replacement
  • Patient has a diagnosis of CJD or HIV
  • People who have undergone organ transplantation
  • Patient has been treated under the Cardiothoracic Surgery speciality
  • Patient has undergone a CABG, Angioplasty, Cardiac Valve replacement or had a pacemaker fitted
  • Patient has obstetric history since 1983

Legal bases for processing your information

To use information about you, we must be compliant with the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA18) and establish the legal bases for using information.

The first basis or article that we will rely upon for processing or using personal information is Article 6(1)(e) “… for the performance of a task carried out in the public interest or in the exercise of official authority …”

A second basis is required because information about health is categorised as ‘special information’. Most of the functions carried out by our staff are covered by Article 9(2)(h) “… medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems …”

As required by the law, we are registered with the Information Commissioner’s Office (ICO) under the organisation name of ‘East Sussex Healthcare Trust’ with registration number ‘Z2917271’.  The register and our entry can be found here:

Some uses or processing of information will be covered by different articles, so if in doubt contact our Information Governance department.

Sharing your Information

We do share information with other organisations, for both direct and indirect patient care, for example to ensure that your GP is kept aware of any care provided by us, or to ensure that we are paid the correct amount of money for providing healthcare services.

We may also share your information with:

  • NHS managers and the Department of Health for the purposes of planning, commissioning, managing and auditing healthcare services
  • Social care and other external council departments where they are aware of your situation
  • Organisations with statutory investigative powers such as the Care Quality Commission, the General Medical Council, the Audit Commission or the Health Service Ombudsman
  • Department of Health and Social Care, Home Office and registered charities
  • Solicitors, the police, the courts (including a Coroner’s court), debt recovery agencies, clinical commissioning groups and to tribunals and enquiries
  • Government agencies or public bodies within your home country if not in the UK
  • Companies that provide translation services and with whom we have a contract

We do not sell your information to third parties, and only share it with organisations involved in the delivery of your healthcare or supporting the delivery of your healthcare.

Information is kept on our secure network and our emails are encrypted.

Accessing your Information

You have the right to access your information. This is referred to as a subject access request (the patient being the ‘subject’). If you wish to either see a copy of your record or receive a copy, then please see the Request for Health Records page.

Data Protection Impact Assessments

In line with Data Protection legislation, we carry out Data Protection Impact Assessments (also referred to as Privacy Impact Assessments) before new systems are implemented. These are based upon the Information Commissioner’s DPIA template and allow us to identify potential data protection risks of new systems or projects.

Use of CCTV

We use CCTV on our sites. This is to provide a safe and secure environment for patients, staff and visitors, and to safeguard our property. CCTV images may be used to assist in the prevention and detection of crime. Images may be shared with the Police for the investigation of crimes.

Further queries or complaints

If you have further questions, then please contact our Data Protection Officer by Email:

If you have concerns that you do not wish to raise with us, then please contact the Information Commissioner’s Office (ICO):

Helpline: 0303 123 1113 (between 9.00am and 5.00pm)

Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF