Your information

Surrey and Sussex Healthcare NHS Trust takes your confidentiality and privacy rights seriously.  The Trust is the Data Controller of personal data that is collected by the Trust to help us provide and manage healthcare to our patients and relating to the employment of our staff.

This Privacy Notice explains how we collect, process, transfer and store your personal information and forms part of our accountability and transparency requirements to you under the General Data Protection Regulation/Data Protection Act 2018.

The Trust aims to provide you with the highest quality care. To do this, we must keep accurate records about you, your health and the care that we have provided or plan to provide with you.

Sometimes your care may be provided by members of a care team, which might include people from other organisations such as health; social care; education; or other care organisations, to enable continuation/support for your care. Our staff are trained to handle your information correctly and protect your privacy.

We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected for direct marketing purposes, and is not sold on to any other third parties. Information is held for specified periods of time as set out in the Records Management Code of Practice for Health and Social Care. 

Under the Data Protection Act, the Trust must provide a legal basis for the processing of your information without consent. As the Trust is part of the NHS (which has a public duty to care for its patients), predominantly we will process your information under the following legal basis’:

  • Article 6(e) Necessary for the performance of a task carried out in public interest or in exercise of official authority and;
  • Article 9(h) Necessary for the provision of health and/or social care, including preventative or occupational medicine.

Should the Trust need to use your personal information for any reason beyond those stated above, we will discuss this with you. You have the right to ask us to not use your information in this way, however there might be times when we are required to share your information; if this is the case, we will discuss this with you.

Communicating about your care within the Trust does not require your consent to process your personal data to deliver your healthcare and treatment. However, you do have the right to object to the processing of your information for purposes other than direct care e.g., performance management of services, external clinical audits. For further information, click on the following link.

Your clinical care team and other health and care professionals caring for you keep records about your health and any treatment and care you receive from the NHS. These help ensure that you receive the best possible care from us.

The records will include demographic information:

Name, address, date of birth: We collect your name, address and date of birth to enable us to send you letters about your care such as appointment letters. Additionally, your name, address and date of birth are used to identify you and distinguish you from other patients. A change of name or incorrect date of birth can result in misidentification, so please inform us of any changes to your details.

Telephone numbers: We will collect contact telephone numbers for you which will be used to contact you about your care.

We will use any mobile telephone number that you provide us to send a text message reminder of a forthcoming appointment. Most of our patients appreciate these reminders and we know that it reduces the number of missed appointments, but if you do not wish for your mobile number to be used in this way, reply with STOP to the reminder message and this will automatically opt you out of all future messages.

GP information: Letters will be sent to your GP and a copy placed on your electronic record. It is very important that we have your correct GP surgery details to ensure that information about your care is provided to your GP in a timely manner.

Next of kin / emergency contact: We collect details of your next of kin as a person you would like to be contacted in an emergency. The person you name as a next of kin has no legal right to any confidential information held by us about you, or to make any decisions about your care.

An individual who wishes to make a decision about your care must obtain the appropriate legal Power of Attorney.

Ethnicity: We are legally required to collect your ethnicity to ensure that we provide a fair and open service where all patients receive equal treatment. An individual’s ethnicity can also have a bearing on the type of illnesses an individual is susceptible to.

Language preferences: This information is collected to enable us to provide care which meets your needs for example providing interpreters if required.

Religion: We offer all patients a Chaplaincy service. Your religion is passed onto the Chaplains who run this service, who will visit you whilst you are in hospital if this is something that you would like to happen, and to ensure the pastoral and spiritual needs for patients, their families and staff members are adequately supported.

The Trust holds manual and electronic information relating to your health and treatment detailing any inpatient, outpatient, and Emergency Department visits.

Information may include:

  • Clinic visits
  • Stays in hospital
  • Appointment letters
  • Hospital notes
  • X-rays
  • Test Results/Reports

To ensure that the treatment and care provided to you by the Trust is appropriate and consistent, a record/details about the treatment and care you have received is kept on your hospital record. This ensures that a full and comprehensive record is available to all clinical staff who are involved with the provision of your care and treatment. Results of x-rays and laboratory tests

As part of your care, you may have provided samples e.g. urine or blood etc. which will be processed by the Trust’s laboratory, or, if a specialised test, with a partner laboratory. The results of these tests and a record of the drugs you have been prescribed are stored by the Trust.

The Trust is part of Berkshire Surrey Pathology Services (BSPS) which is a joint venture of Pathology Services between Ashford and St Peters, Frimley Health, Royal Berkshire, Royal Surrey NHS and Surrey and Sussex Healthcare NHS Trusts.

To view their Privacy Notice, please click here

Where you have had an x-ray, scan or other radiology examination as part of your treatment, the Trust will keep an electronic copy of the images and report and may share this with other NHS/Health care Organisations who are involved with your care or to whom you have been transferred/discharged/or providing out of hours services. We will only share images done under our care. We may also send radiology referrals to an external health care provider working on behalf of the Trust to ensure you have your imaging performed as quickly as possible. Relevant information from other health and social care professionals

When you visit your GP or another NHS Trust and they refer you to Surrey & Sussex Healthcare NHS Trust for treatment, they will write to the hospital detailing your current medical conditions and the treatment required. We may also obtain information to assist in giving you the best, most appropriate care from other people who care for you and know you well, for example health and social care professionals and relatives.

To help us to monitor our performance, to evaluate, and develop the services that we provide, it is necessary to review and share minimal information.

Auditors: External auditors will audit the treatment of patients to provide assurance to the Trust and its Commissioners on the care and treatment provided to patients. In some instances, the auditors may review a patient’s medical records.

Internal Clinical Audits: The Trust is mandated by the Department of Health & Social Care to undertake clinical audits on care delivered to patients. These will be undertaken by clinical staff either employed directly by us, or by external auditing companies.

Complaints/Concerns: The Trust will investigate any complaints or concerns that have been raised. Staff within the Trust’s Complaints Department or Legal Team will access your medical records and may share this information with other staff as well as external third parties where applicable, e.g., Trust Solicitors or NHS Resolution; your consent will be obtained beforehand.

Manage the services provided by the Trust/delivering the right services to the right patients - Every NHS Trust is performance managed. Statistical information about patient care is collated by the Trust, e.g.

• Length of time patients are treated in the Emergency Department.

• Length of stay in hospital.

• How long patients have waited for an outpatient appointment.

The Trust will use and share coded patient information to undertake statistical analyses on the management and performance of NHS services locally and nationally.

We use statistical information about patients to improve the services we provide, such as reviewing the length of time a patient has stayed in hospital or the number of hospital infections. The information is coded so that individual patients cannot be easily identified.

NHS England has commissioned the National Clinical Audit and Patient Outcomes Programme (NCAPOP), which has been set up to improve the ‘health outcomes’ of patients through monitoring the care delivered to patients. The Trust participates in this programme which will entail sending surveys and questionnaires to patients about the care and treatment provided by the Trust, which is then shared with NHS England.

To achieve these standards the Trust will work with other NHS organisations to share information relating to patients to provide them with the best possible care e.g., frequent Emergency Department attenders.

To help ensure the Trust is meeting the needs and satisfaction of the patients it provides care and treatment to, we commission companies to run questionnaires or surveys on the Trust’s behalf; only the minimum information will be securely shared with these companies, who are bound by strict confidentiality clauses.

National End of Life Care Audits/Survey: A patient’s Next of Kin may be contacted to ask if they would like to participate in the audit or survey. Participation with these audits, helps the Trust and the NHS to improve end of life care for patients.

NHS Spending: The Trust receives payment for the services provided to patients. depending on the service, either Integrated Care Boards (ICBs) or NHS England are responsible for paying us for these services, known as the commissioner of the service. To be paid for the services delivered, information on patient’s treatment needs to be passed onto the relevant commissioner. The information received by commissioners is pseudonymised so that individual patients cannot be identified. In some cases, the names of the patients will need to be included; for instance, when requesting funding for high-cost drugs, or for Individual funding requests to the relevant commissioner of the service.

Patient Safety: The Trust takes any concerns about patient safety seriously. If an incident occurs which was not expected, this will be investigated. The investigation will be carried out alongside staff that were involved in your care with support from the Risk Management Department.

Research & Development: Undertaking research is an important element of providing healthcare. Clinical staff are actively encouraged to participate in research trials. The Research & Development Department manages all Trust research projects. Your participation in a research project will only take place with your explicit consent.

Sharing your information with NHS/External Organisations: We will share your information with other organisations, to assist with giving you the best care possible.

When we share your information with these organisations, they are subject to strict information sharing protocols. Anyone who receives information from the Trust has a legal duty to keep your information confidential and secure. Only information that is required and appropriate to support your care and treatment will be provided.

Where we share your information with other organisations that do not form part of your care, your permission will be required before sending the information onto them; unless we have a legal obligation to provide the information, or that it is considered that the interest of the public is of greater importance.

Surveys: We run surveys such as the Friends and Family Test (FFT) to improve the quality of care and treatment provided to patients. The Trust will contact patients after they have been discharged from hospital.

If you do not wish for your mobile number to be used in this way, reply with STOP to the reminder message and this will automatically opt you out of the FFT. Find out more about the Friends and Family Test on our patient feedback page

All staff working for the NHS are bound by strict confidentiality agreements. This means that only staff involved with your care are entitled to access information relating to you, which is detailed within the confidentiality agreements signed by staff as soon as they start working within the Trust. The Trust ensures that all staff complete annual data security awareness training, which includes the Data Protection legislation and the Common Law Duty of Confidentiality, which will ensure that staff know and understand that they have an obligation to always keep your information secure and confidential.

All clinical staff are bound by strict professional codes of conduct which incorporate confidentiality clauses. Further information can be found on the British Medical Association (BMA), General Medical Council (GMC) and Nursing and Midwifery Council (NMC) websites.

We audit staff’s access to patient information to ensure that staff continue to abide by the Common Law Duty of Confidentiality. The Trust’s Digital Services Department has deployed technical security measures to keep your information secure when being stored or transferred electronically, this includes ensuring all security software and encryption is up to date, helping to prevent the risk of a cyber-attack.

If any of your personal information is to be processed overseas e.g., outside of the UK, full risk assessment would be undertaken to ensure the security of your information.

Surrey and Sussex Health takes your confidentiality and privacy rights seriously. Your information is used by clinical support workers and administrative staff; this could also include professionals based in another location. Where appropriate, information about your care will be securely shared with other organisations to enable continuation/support for your care:

  • Your GP
  • Other NHS hospitals
  • Community Services
  • Hospices
  • Social Services

The Trust aims to provide you with the highest quality of health care. To do this your medical record must be accurate relating to your health and the care that has been provided or planned to be provided to you with. 

Our staff are trained to manage your information appropriately and accurately and to protect your privacy. We aim to maintain high standards, adopt best practices for our record keeping and regularly check and report on how we are doing. 

Our guiding principle is that we hold your records in the strictest of confidence. 

Below are some examples of where your information is used and by whom:

CCTV: cameras are installed around the Trust to assist in the prevention, investigation and detection of crime and anti-social activity in line with the Information Commissioner’s CCTV code of practice.

CCTV recording and equipment are securely stored in a restricted area and are password protected. All images are deleted after a set period, unless the images are required as part of an investigation.

The Trust also uses Automatic Number Plate Recognition (ANPR) cameras and hand-held cameras in Trust operated car parks to provide car parking services, enforcement of parking terms and conditions, for the prevention of crime and traffic analytics. 

Body Worn Cameras: Body Worn Cameras are used within the Trust by security personnel to assist with deterring acts of aggression of verbal and or/physical abuse towards staff. 

The cameras are worn in a prominent position and are used in an open and honest manner. Images captured by body worn cameras will be deleted directly from the camera unless required for evidence purposes. If this is the case, footage may be handed over to the Police if it is required to form part of a formal investigation.

MySASH patient portal: To make it quicker and easier for patients to keep track of appointments, clinical letters and pre-assessments, the trust has partnered with Induction Zesty an accessible application available through the NHS app that enables you to:

  • View your appointments 
  • Access your appointment letters
  • View your discharge summary
  • Receive notifications
  • Complete questionnaire e.g. pre-assessment

For further information about the portal and details on registration please click here.

If you are accessing services using your NHS login please read the privacy notice here.

Use of Artificial Intelligence Technology 

The Trust participates in the use of Artificial Intelligence (AI) which is the use of digital technology to create systems that are capable of performing tasks commonly thought to require human intelligence. 

AI can help a Health and Care professional to reach a decision about your care, e.g., diagnosing a condition you have or to help you in choosing treatment options. Decisions will not be made solely by the AI system; Health and Care professionals will always review and provide you with advice, allowing you to make the final decision on the care and treatment you receive. 

Examples of where AI technology is used within the Trust: - 

  • Analysing MRI scans, for cardiac investigations aiming to provide comprehensive support to the cardiology team by assisting in carrying out detailed assessments on patient treatment.
  • Analysing stroke patients imaging, helping to reduce the time taken for diagnosis, thus facilitating a more prompt initiation of treatment. This approach enhances the efficiency of patient care by streamlining the diagnostic process and enabling timely interventions to improve patient outcomes.

Risk Stratification

Risk Stratification Risk stratification is a process for identifying and supporting patients who are most likely to need hospital or other healthcare services in the future. 

Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for risk stratification purposes. Risk stratification uses de-identified personal data from health care services to determine which individuals are at risk of experiencing certain outcomes, such as unplanned hospital admissions.

Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enables the Trust to focus on preventing ill health and not just the treatment of sickness. Unidentifiable and anonymised information about patients is collected from a number of NHS organisations and then analysed to create a risk score, which is provided to your treating clinician. Data is securely managed throughout the entire process to ensure that identities are kept confidential.

Surrey Heartlands health and care partnership

We are part of Surrey Heartlands a partnership of health and care organisations working together with staff, patients, their carers, families and members of the public to transform local services and support people to live healthier lives.

East Surrey place-based partnership

East Surrey place is one of four places within Surrey Heartlands as part of the Surrey Heartlands Integrated Care System.

A place-based partnership is a collaborative arrangement made by the organisations responsible for arranging and delivering health and care services in a locality, by offering joined up services that meet and respond to local people’s needs and supporting them to take responsibility for their health and wellbeing.

Please see the East Surrey place-based privacy notice for further detail on how they use information about you.

Sussex Health and care partnership

We are also part of Sussex Health and Care Integrated Care System (ICS) made up of health and care organisations across Sussex.

Summary Care Record (SCR)

The Summary Care Record also known as SCR is an NHS system that holds electronic patient data which is held on a central secure database covering the whole of England. The purpose of the system is to ensure that essential patient data is readily available to health care professionals anywhere the patient seeks treatment this system is primarily updated by the patient’s GP. The Trust does not feed information into this system, however staff within the Trust providing treatment may need to access SCR to view your record. 

The SCR is also accessed by the Trust’s Pharmacy staff when issuing prescriptions. The Trust will use the services of external companies to deliver patient’s prescriptions directly to them.Surrey Care Record

The Surrey Care Record is a local, digital shared care record for health and care professionals across Surrey Heartlands. It allows the secure sharing of your health and care data between authorised health and care professionals for the purposes of delivering safer, quicker, more personalised and more coordinated local health and care services.

Only authorised care professionals with a legitimate relationship to the care you receive will be able to access the parts of your shared care record that enable them to deliver your care. Only approved staff can log onto the Surrey Care Record and all access is logged. Please see the Surrey Care Record Privacy Notice for further detail about how personal data included in the shared care record is used and protected.

We will share your information with other organisations, to assist in the provision of the best care possible. When we need to share your information with these organisations, they are subject to strict information sharing protocols. Anyone who receives information from the Trust has a legal duty to keep your information confidential and secure. Only relevant information that is required to support your care and treatment will be provided. 

If we need to share your information with other organisations that do not form part of your care, we will obtain your consent beforehand, unless we have a legal obligation to provide the information, or it is essential due to the interests of the public being deemed of greater importance. There are occasions when we have a legal duty to Pass information to external organisations which operate to oversee and address issues relating to management of the NHS, these include:

Central Registrar of Births and Deaths: Each time a baby is born or when there is a death in our hospitals.

Care Quality Commission (CQC): Who have the powers of inspection and entry into the hospitals and the right to review documentation.

General Medical Council (GMC)/Nursing and Midwifery Council (NMC): Investigations by regulators of professionals.

Human Tissue Act: For the purposes of removal, storage, use or disposal of human tissue

NHS Counter Fraud Authority: Conducts regular data sharing and analytics pilots to evaluate and improve data matching methodology to continue to help detect and prevent fraud in the most efficient and effective way possible.

Overseas Patients: If you are an overseas visitor being treated within the Trust, we need information about you to comply with our legal obligations and to ensure that the Trust is paid for any services provided to you (as an overseas patient); as well as to undertake any processing that will allow us to verify whether you are entitled to free NHS care. 

We may share and receive information about you from other organisations as detailed in this privacy notice as well as the Department of Health & Social Care, when you are referred for treatment or in response to questions relating to your eligibility for free NHS Care, further information can be found at Overseas NHS visitors: implementing the charging regulations - GOV.UK (

Where necessary if you are an overseas visitor, your non-medical information may be sent to the Home Office, the information provided may be used and retained by the Home Office for its own purposes, which include enforcing immigration controls overseas, at the ports of entry and within the UK. 

The Home Office may also share this information with other law enforcements and authorised debt recovery agencies for purposes including national security, investigation and prosecution of crime, and collection of fines and civil penalties. 

Police: Must be provided to the Police in certain scenarios: 

  • Help identify a driver alleged to have committed a traffic offence under the Road Traffic Act 1988 
  • Help prevent an act of terrorism or prosecuting a terrorist (Terrorism Act 2000 and Terrorism Prevention and Investigation Measure Act 2011) 
  • All other sharing of information with the police will be with your explicit consent.

Safeguarding concerns: For the prevention and protection of a child or vulnerable adult for safeguarding purposes, including cases relating to female genital mutilation.

Data Protection Law gives individuals rights relating to the personal information that we hold about you. These are:

  • To be informed of why, where, and how we use your informationThis is detailed in the Patient information Notice that you are reading now.
  • Ask for access to your informationUnder the Data Protection Act, individuals have the right to make a Subject Access Request (SAR) which allows you to request a copy of your medical records held by us.

You will need to provide documentation to confirm your identity and clarification of the information that you are requesting to support your request.If you wish for another person to process your request on your behalf, they will need to obtain your written permission to do so before the Trust can provide copies of documentation held in your medical record.We are legally obliged to respond to your request within a calendar month of receiving both your request and identification. If we do not have the relevant information to process your request, we will contact you to ask for it, as we will be unable to process your request until all relevant information has been received.The Common Law Duty of Confidentiality continues after death; therefore, the Trust is unable to provide copies of documentation from a deceased patient’s medical record. These requests will fall under the

Access to Health Records Act 1990, which has a criterion that must be met before information can be released. 

The Subject Access Request Team handle these requests and they are assessed on an individual basis; the Team can provide more information upon application. 

The Legal Services Team handle requests relating to those aged 17 and under, including any claims against the Trust.

Any individual requesting information from the Trust who is unhappy with how their request has been managed/processed, is asked to submit their complaint to the Trust’s Data Protection Officer. 

Additionally, all individuals have the right to appeal to the Information Commissioner’s Office (ICO), further information can be found at

Further information on how to apply for a copy of your medical records including the application form please visit the Accessing your information page.

  • Ask for your information to be corrected if it is inaccurate or incomplete 

We have a legal obligation to ensure that your information is accurate and up to date.Trust staff will check with you that we have the most up to date contact information when you attend your appointment. 

You are also able to update your information by contacting your registered General Practice (GP).

  • Ask for your information to be deleted or removed where there is no need for us to continue processing it.We have a legal obligation to store your medical information. The length of time that we store your information is set out by the Records Management Code of Practice 2021. 

The longest we will keep a patient’s record is 30 years after their care has stopped. For further information on the retention of records within the NHS can be found on the NHS Digital website:

We will not usually delete healthcare related data before the expiration of the relevant retention period. We may also need to retain data for regulatory purposes, or in case you make a legal claim against us.

  • Ask us to restrict the use of your information 

In some circumstances, we must ‘pause’ the processing of our use of your personal data if you ask us to. We do not have to comply if we need to retain your personal information if you make a legal claim against us.

  • Object to how your information is used 

You have the right to object to the processing of your information in certain circumstances; as the Trust has a legal basis for processing your information to provide direct care, the right to object is limited. The NHS uses coded patient information to support the delivery of healthcare to patients, e.g. performance management of services, planning of NHS Services. If you wish to find out more information, or do not wish for your information to be used in this way, please visit

Any choice you make will not impact your individual care.

  • Challenge any decisions made without human intervention (automated decision making) 

The Trust does make any decisions that involve automated decision making.

Throughout this Privacy Notice we have mentioned the following areas:

  • Data Protection Officer - Concerns or queries about how your information is being
  • Subject Access Request Team - Processing of requests for copies of your
  • Legal Services Team - Processing of requests for copies of information for those aged 17 and under including any claims against the
  • Complaints Team - For submission of formal complaints to the Trust about the use of your
  • Patient Advice and Liaison (PALS) Office - Provide information in a format that is accessible to you.sash.pals@nhs.netInformation Commissioner’s Office (ICO)If you are still unhappy with the outcome of your enquiry0303 123 1113