South Tyneside and Sunderland NHS Foundation Trust is registered as a Data controller, its registration number is ZA513650

This Privacy Notice explains how we use and share your information. We will continually review and update this Privacy Notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law.

Why do we hold information about you?

As a patient, relative or carer, we are legally required to hold information relating to the care we provide under the National Health Service Act 2006 and as governed by the General Data Protection Regulation 2016 and Data Protection Act 2018.

The information we hold about you is used to provide you with health and social care, for the management of the services that we provide to you, the management of the NHS, and also for public health reasons. It may also be used to contact you regarding the provision of these services.

We may also capture images of you within our CCTV systems (including Body worn cameras) which may be held for a period of up to 90 days and are held for the purposes of crime prevention and detection. Such images are deleted automatically after 90 days if not further required.

Our basis for the lawful processing of your data is:

As a patient;

Article 6(1)(b) – necessary for the performance of a contract,

Article 6(1)(c) – necessary for compliance with a legal obligation,

Article 6(1)(d) – to protect vital interests,

Article 6(1)(e) – performance of a task carried out in the public interest/exercise of official authority,

Article 9(2)(f) – necessary for the establishment, exercise or defence of legal claims,

Article 9(2)(g) – necessary for reasons of substantial public interest,

Article 9(2)(h) – provision of health or social care or treatment or the management of health or social care systems,

Article 9(2)(i) – necessary for public health purposes or ensuring high standards of quality and safety of health care.

Article 9(2)(j) – necessary for archiving purposes in the public interest.

As a relative, carer, advocate etc;

Article 6(1)(e) – performance of a task carried out in the public interest/exercise of official authority,

What information do you hold about me?

The information held about you will include:

  • Basic details about you, such as your name, date of birth, NHS Number
  • Contact details such as your address, telephone numbers, email address
  • Contact details of your ‘Next of Kin’, a close relative, friend or advocate
  • Contacts we have had with you; scheduled and unscheduled appointments
  • Details about your care; treatment and advice given and referrals made
  • Results of investigations, eg blood tests
  • Relevant information from people who care for you and know you well
  • CCTV images

How do you store my information?

Your information will be stored by the Trust in the form of either;

  • Paper based healthcare records, such as a medical file
  • Core electronic healthcare systems, such as the Trusts core Patient Care System or EMIS Community Healthcare System.
  • Additional electronic based healthcare systems, such as the Radiology and Pathology systems.
  • In other electronic formats.

Who can access my information?

Information about you will be accessed by employees of the Trust who are involved in providing direct care to you or who support the provision of direct care or the management of the Trusts services. This will include:

  • Doctors and nurses who provide you with treatment
  • Other clinical staff such as Pharmacists and Radiologists
  • Clinical Managers
  • Non-clinical Operational Managers who directly manage clinical services
  • Non-clinical Information services staff who provide statutory information to NHS England and the Department of Health and Social Care.
  • Non-clinical support staff such as Chaplin’s and volunteers. These individuals will not have access to your medical records

All staff, whether Clinical or Non-Clinical, have a legal duty to keep information about you confidential. They will only access your information when it is necessary to do so and will only disclose your information when authorized, allowed by law or you have consented.

How long will you keep my information?

NHS Trusts are required to keep your information for the periods of time set out in the ‘Records Management Code of Practice for Health and Social Care 2016’. This code of practice requires the Trust to keep your information for the following lengths of time:

Adult healthcare records – for 8 years after your last contact with the service.

Maternity records – for 25 years after your last contact with the service

Children’s healthcare records (including midwifery, health visiting, and school nursing -  until the child reaches the age of 25 or 26 if they were 17 when treatment was concluded.

Mental healthcare records – for 20 years after your last contact with the service or 8 years after you have died.

Some information may be kept for longer than the above periods. Further information on the retention periods for healthcare records can be found here: 

Who will you share my information with?

Your information will be shared internally between teams, eg shared with the Safeguarding Team if necessary and also externally, eg Police, Social Services, Education, your GP, etc.   This is to ensure that adult and children’s safeguarding matters are managed appropriately. Access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of individuals concerned.

Your information will be shared, for the purposes of providing direct care, with other NHS and Non-NHS Provider organisations. These will include organisations such as other Acute Hospitals, Mental Health Hospitals, Community Healthcare providers, General Practitioners and Ambulance Services. For Safety reasons the information shared will always identify you however the Trust will endeavor to always ensure that you or your Next of Kin are aware of the information being shared and why.

Additionally, we may need to share your NHS number with the NHS North East and North Cumbria Integrated Care Board (ICB)  including the North of England Commissioning Support Unit, who process requests on behalf of the ICB that we work with, for the purpose of having funding approved for certain procedures.  No other patient identifier is included other than your NHS number during this process.  This information is processed under Article 6(e): performance of a public task/ official functions and; Article 9(h) provision of health or social care or treatment.  Without sharing this information we may be unable to offer you certain procedures or treatment that you have been referred to us for.

Your confidential healthcare Information will only be shared where there is a legal basis for doing so.

When there is a Court Order

Where there is a legal requirement to provide the information

Where you have given explicit consent to share the information

Where information is being shared for a direct care purpose and you have been informed of the sharing

Where permission to share your information without consent has been authorised by the Confidentiality Advisory Group of the Health Research Authority (HRA CAG) under Section 251 of the 2006 NHS Act.

If you want to know who we have shared your information with you will need to make a Subject Access Request (SAR).

We may pass your information to an approved contractor for the purpose of contacting you in relation to the National Patient Survey Programme. You have the right to ask the Trust not to share your information for this purpose. If you wish to exercise this right, please contact the Data Protection Officer.


We will also share your anonymised information for the purposes of commissioning and managing healthcare, patient information may also be shared with other types of NHS organisations, such as the local NHS North East and North Cumbria Integrated Care Board (ICB) and NHS Digital (part of NHS England).

Sometimes we will also share your information in an anonymous format with organisations, such as universities, community safety units and research institutions.  If your information is anonymous it means you cannot be identified. 

In such cases, the shared data is made anonymous, wherever possible, by removing all patient-identifying details, unless the law requires the patient's identity to be included. In these circumstances we do not need your permission to share your anonymous information. 

At any time you have the right to refuse/withdraw consent (opt out), in full or in part, to information sharing. The possible consequences and risks (ie, lack of joined up care, delay in treatment if information has to be sourced from elsewhere, medication complications; all leading to the possibility of difficulties in providing the best level of care) will be fully explained to you to allow you to make an informed decision.

If you do not want your personal information to be shared and used for purposes other than your care and treatment, then you should discuss your objections with the healthcare professional who is providing your care. This will not affect the care and treatment you receive. 

Your records and research

We are a research active NHS Trust and there is the possibility that your records may be looked at by a Clinical Studies Officer at some point, who is not involved in your direct care. This is so that we can see if you are eligible to be invited to participate in approved research projects being run in the Trust that may be relevant to you. 


Person-identifiable information may be used for essential NHS purposes, such as monitoring, research and auditing.  This will only be done with your consent, unless the law requires information to be passed on to improve public health. The Information Commissioners Anonymisation Code of Practice will be used and further guidance is available in this Code of Practice.


How the NHS and care services use your information

South Tyneside and  Sunderland NHS Foundation Trust is one of many organisations working in the health and care system to improve care for patients and the public. 

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment and to ensure that the standards of service provided are of the highest quality. Your data may be used to contact you about your experiences of using such services via surveys and questionnaires.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  •  research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit  On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at: (which covers health and care research); and (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation ‘is currently’ compliant with the national data opt-out policy.

How can I access my information?

You can request access to the information that the Trust holds about you free of charge and you should do this by approaching a member of staff in the first instance.  They will provide you with guidance on the Trust’s processes. Your request, once agreed with you, will be completed within 30 calendar days. However, if your records are extensive we may take longer to process your request but will inform you from the outset. 

To submit a formal request, please contact:

For residents of Sunderland

Enquiries Office

Medical Records Department

South Tyneside and Sunderland NHS Foundation Trust

Sunderland Royal Hospital

Kayll Road



Or email:

For residents of South Tyneside or Gateshead

Access to Records Team

Medical Records Department

Ingham Wing

South Tyneside and Sunderland NHS Foundation Trust

Harton Lane

South Shields

NE34 0PL

Or email:

Information that you are entitled to

As well as receiving a copy of the information that the Trust holds and processes, you are also entitled to the following:

  • To be told whether any personal data is being processed.
  • Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people.
  • Given a copy of the personal data together with its source (where this is available).

How do you make sure it is safe and secure?

We will use your information in a way that follows data protection laws and Trust policies and procedures. 

Everyone working for the NHS is subject to the Common Law Duty of Confidence.  Information provided in confidence will only be used for the purposes advised and consented to, unless it is required or permitted by the law. 

All Trust staff are required to undertake mandatory Information Governance training, which covers how personal information should be processed. 

We do not transfer personal information to a country outside of the European Union (EU) and this is checked on a yearly basis.  If it is found that we intend to share information outside of the EU, appropriate and suitable safeguards will be put in place, which you will be told about. 


How do you protect my privacy / confidentiality?

We protect your information by following data protection laws:

  • General Data Protection Regulation (GDPR) 2016
  • Data Protection Act (DPA) 2018

The GDPR 2016 and DPA 2018 are the laws that primarily determine how we can use your personal data.  However, there are other laws that are followed if we need to process your information:

  • The Human Rights Act 1998
  • Freedom of Information Act 2000
  • Computer Misuse Act 1998
  • Audit Commission Act 1998
  • Regulation of Investigatory Powers Act 2000

What rights do I have?

You have a number of rights in relation to the information we hold about you. Further information is contained in the leaflet Data Protection Individual Rights here as not all of these rights will apply to the information we hold about you.

These rights are:

1. The right to be informed

2. The right of access

3. The right of rectification

4. The right to erasure

5. the right to restrict processing

6. The right to data portability

7. The right to object

8. rights in relation to automated decision making


Further information

Data Protection Officer

The Trust’s Data Protection Officer (DPO) is responsible for ensuring that the Trust complies with the GDPR. The DPO is the person to contact if you would like to know more about how we use your information, require information in any accessible format or language or if (for any reason) you do not wish to have your information used in any of the ways described.  Their contact details are:

James Carroll

Data Protection Officer

South Tyneside and Sunderland NHS Foundation Trust

Room 265 Trust Headquarters

Sunderland Royal Hospital

Kayall Road



Or email: 


Caldicott Guardian

The Caldicott Guardian is the person who makes the final decision on how, what, when and why personal information will be processed in/by the Trust. 

South Tyneside and Sunderland NHS Foundation Trust Caldicott Guardian is Mr Lawrence Gnanaraj, Associate Medical Director.

For independent advice about data protection, privacy and information-sharing issues you can contact the Information Commissioner:

The Information Commissioner

Wycliffe House

Water Lane




Phone: 08456 30 60 60 or 01625 54 57 45