Your information

Surrey and Sussex Healthcare NHS Trust aims to provide you with the highest quality care. To do this, we must keep records about you and the care we provide to you.

Our staff are trained to handle your information correctly and protect your privacy.  We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing.

Your information is never collected for direct marketing purposes, and is not sold on to any other third parties.

Sometimes your care may be provided by members of a care team, which might include people from other organisations such as health, social care, education or other care organisations. We will discuss this with you.

Information is held for specified periods of time as set out in the Records Management Code of Practice for Health and Social Care.

The Trust has to provide a legal basis for the processing of your information. The Trust is part of the NHS which has a public duty to care for its patients. Under the new Data Protection Law the Trust may process information which is appropriate to provide the health and social care treatment of patients, as well as the management of health or social care systems and services.
If we need to use your personal information for any reason beyond those stated above, we will discuss this with you. You have the right to ask us not to use your information in this way. However, there might be times when we still have to share your information; we will discuss this with you.

Your clinical care team and other health and care professionals caring for you keep records about your health and any treatment and care you receive from the NHS.  These help ensure that you receive the best possible care from us. They may be written down (manual records), or held on a computer.

The records may include:

Basic details about you, such as address, date of birth, next of kin

Name, address, date of birth. We collect your name, address and date of birth to enable us to send you letters about your care such as appointment letters.  Additionally, your name, address and date of birth are used to identify you and distinguish you from other patients.  A change of name or incorrect date of birth can result in misidentification, so please inform us of any changes to your details.

Telephone numbers.  We will collect contact telephone numbers for you which will be used to contact you about your care.

We will use any mobile telephone number that you provide us to send a text message reminder of a forthcoming appointment.   Most of our patients appreciate these reminders and we know that it reduces the number of missed appointments, but if you do not wish for your mobile number to be used in this way, reply with STOP to the reminder message and this will automatically opt you out of all future messages.

Next of kin / emergency contact.  We collect details of your next of kin as a person you would like to be contacted in an emergency. The person you name as a next of kin has no legal right to any confidential information held by us about you or to make any decisions about your care. An individual who wishes to make a decision about your care must obtain the appropriate legal Power of Attorney.

Ethnicity.  We are legally required to collect your ethnicity to ensure that we provide a fair and open service where all patients receive equal treatment.  An individual’s ethnicity can also have a bearing on the type of illnesses an individual is susceptible to.

Contacts we have had with you, such as clinical visits

We maintain manual and electronic information about your inpatient and outpatient visits, and visits to the Emergency Department.  Details of your outpatient clinic visits, stays in hospital, appointment letters, notes, x-rays, laboratory tests and reports relating to your health and treatment are stored in a manual and electronic record.

Your record is shared with clinical staff providing your care, to ensure consistent, appropriate and safe healthcare is provided to you.

Details and records about your treatment and care

To ensure the treatment and care provided to you by the Trust is appropriate and consistent, details and records about the treatment and care you have been provided will be recorded. This will ensure that there is a full and comprehensive record which is available to all clinical staff who are involved with providing you care and treatment.

During your treatment the healthcare professional you see will make notes, write a report or letter about the care they have provided to you and copies of letters will be sent to your GP.  Therefore it is very important we have your correct GP details.

Where we do not have your correct GP details, information about the care you have been given may not be received by your GP in a timely manner. This could affect your on-going care.

Results of x-rays and laboratory tests

As part of your care, you may have provided samples (e.g. urine or blood) which will be processed by the Trust’s laboratory or, if a specialised test is needed, by another laboratory. The results of all tests, whether processed internally or (if specialised) by another laboratory, are stored by the Trust on its own systems.

Where you have had an x-ray as part of your treatment, the Trust will keep an electronic copy of this x-ray and may share this with other NHS organisations who are involved with your care, to whom you have been transferred or discharged, or who are providing out of hours services.

We may also send radiology referrals to an external health provider working on behalf of the Trust to ensure you have your imaging performed as quickly as possible.

Relevant information from other health and social care professionals

When you visit your GP or another NHS Trust and they refer you to Surrey & Sussex Healthcare NHS Trust for treatment, they will write to the hospital detailing your current medical conditions and the treatment required.

We may also obtain information to assist in giving you the best, most appropriate care from other people who care for you and know you well, for example health and social care professionals and relatives.

It is good practice for people in the NHS who provide care to discuss and agree with you what they are going to record about you.

Your records are used to direct, manage and deliver the care you receive. Information collected about you to deliver your health care is used to assist with:

Making sure your care is of high standard

Your information is used by the clinical care team and other healthcare professionals involved in your care. Clinical staff access your information to view the care you have been provided and to ensure the care they give you is appropriate, safe and effective.

Administrative staff may also access your records to support our clinical staff in the delivery of your care. Additionally, administrative staff ensure the care you have been provided with is recorded correctly and will communicate this with your GP.

Where appropriate, information about your care will be shared with other organisations to enable continuation/support of your care e.g. other NHS hospitals, hospices, community services, your GP and Social Services.

If you need to be transferred to another hospital for further treatment, information about your medical condition and care will be sent to the hospital you are being transferred to.

Using statistical information to look after the health and wellbeing of the general public and planning services to meet the needs of the population

Anonymised information about patient care is sent to NHS Digital on a daily basis.  NHS Digital manages information sent to the Department of Health & Social Care. This information is used by NHS Digital and the Department of Health & Social Care to review the treatment provided to patients across the NHS and identify trends/changes in the health of the population.  Further information on the work undertaken by NHS Digital can be found on the NHS Digital website.

Assessing your condition against a set of criteria to ensure you are receiving the best possible care

The Department of Health & Social Care mandates all NHS Trusts to undertake clinical audits on care delivered to patients, which can be undertaken by clinical staff employed by us or by external audit companies. This could involve individuals who have not been involved with your direct care accessing your medical records. Further information on national clinical audit can be found on the NHS England website.

We have an annual clinical audit programme which requires all clinical staff to participate. Clinical staff consider patient medical records to review the care provided, and to identify ways in which the care could be improved in the future.

Preparing statistics on our performance for the Department of Health and other regulatory bodies

Every NHS Trust is performance managed. Statistical information about patient care is collated by the Trust e.g. the length of time patients are treated in the Emergency Department, how long patients have waited for an outpatient appointment, etc.

The Trust will use and share coded patient information to undertake statistical analysis on the management and performance of NHS Services locally and the NHS as a whole. In these instances, we take strict measures to ensure that individual patients cannot be identified.

We use statistical information about patients to improve the services we provide, such as reviewing the length of time a patient has stayed in hospital or the number of hospital infections. Normally this information is anonymised so individual patients cannot be identified.

To help improve the quality of services and outcomes for patients, and to ensure the right treatment is being provided to patients, the Department of Health & Social Care has mandated that Trusts achieve certain standards – Commissioning for Quality and Innovation (CQUIN). To achieve these standards the Trust will work with other NHS organisations to share information relating to patients to provide them with the best possible care e.g. frequent A&E attenders.

Read the privacy notice for A&E services provided by acute hospitals in Surrey and North East Hampshire.

Visit the Surrey and Borders Partnership NHS Foundation Trust website for more information.

Help train staff and support research

We teach and train students and newly qualified doctors and nurses and help them to gain valuable experience and practice in delivering medical care.

Undertaking research is an important element of providing and improving healthcare. Clinical staff are actively encouraged to participate in research studies. The Trust’s research and development team manages all research projects undertaken by us. Your participation in a research project will only take place with your explicit consent. The Trust works with external research partners e.g. universities to pilot new ways of working, with the aim to provide improved and more efficient services to patients.  Where the Trust undertakes this work you will be informed and be asked if you wish to participate.

Supporting the funding of your care

We receive payment for the services we provide to patients.

Clinical Commissioning Groups (CCGs) and NHS England are responsible for paying us for these services. In order to be paid for the services delivered, information on patients’ treatment needs to be passed to these clinical commissioning groups.

The information will be coded so individual patients cannot be identified. In some cases, the names of the patients may need to be provided, for instance when requesting funding for high cost drugs.

Reporting and investigation of complaints, claims and untoward incidents

In order to deal with issues raised by you or to process your complaint or legal claim, staff within our legal team and complaints team will access your medical records and may share this information with other staff as well as external third parties where applicable, including our solicitors or NHS Resolution.

We take patient safety very seriously. If an incident occurs which was not expected, we will investigate it. The staff involved in your care, with support from the Trust’s risk management team, will therefore access your medical records.

Reporting events to the appropriate authorities when we are required to do so by law

If we need to use your personal information for any reason beyond those stated above, we will discuss this with you.  You have the right to ask us not to use your information in this way.  However, there are exceptions to this which are listed below.

The public interest is thought to be of greater importance for example:

  • If a serious crime has been committed
  • If there are risks to the public or our staff
  • To protect vulnerable children or adults

We have a legal duty, for example registering births, reporting some infectious diseases, wounding by firearms and court orders.

We need to use the information for medical research. We have to ask permission from the Confidentiality Advisory Group (appointed by the NHS Health Research Authority).

Information about how patient data is used in health and care research is available on the NHS Health Research Authority website.

Sharing your information with NHS and external organisations

We will share your information with other organisations, to assist with giving you the best care possible.  Where we share your information with these organisations, they are subject to strict information sharing protocols.  Anyone who receives information from the Trust has a legal duty to keep it confidential and secure.  Only information that is required and appropriate to support your care and treatment will be provided.

There are occasions where we have a legal duty to pass patient information to external organisations which operate to oversee and address issues relating to the management of the NHS as a whole.

The Summary Care Record (SCR) is a summary electronic patient record of national health services patient data held on a central secure database covering the whole of England. The purpose of the system is to make ‘essential’ patient data readily available anywhere the patient seeks treatment. The Trust does not feed any information into the system. However, staff that are treating you at the Trust may access the SCR to view your record; this will be done with your consent.

NHS Patient Survey Programme (NPSP)

The NHS national patient survey programme is part of the government’s commitment to ensure hospital patient feedback informs the continued development and improvement of our medical services, improving the standard of your healthcare. Your contact information may be used for the purpose of the NPSP. Where relevant, this will include passing those details to an approved contractor who has been appointed for the purpose of carrying out the survey only.

Anonymised reports produced by the survey programme are used to help make service improvements.

Find out more about the national patient survey programme

Surrey and Sussex Healthcare NHS Trust patient survey results

If you wish for your information not to be used in this way, please contact the Trust’s data protection officer.

Friends and Family Test (FFT)

As part of the NHS Constitution, we may also use your mobile number for the purpose of the FFT to gather feedback on services provided. If you do not wish for your mobile number to be used in this way, reply with STOP to the reminder message and this will automatically opt you out of the FFT.

Find out more about the Friends and Family Test on our patient feedback page


The Trust has partnered with Induction Zesty to provide access to letters and appointments through the NHS app.


Please note that if you access the Zesty service using your NHS login details, the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose.


For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity.


To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.  



NHS Login to NHS App
Legal Basis: NHS England (NHSE) is the data controller for both login and App. NHS Login is used solely to authenticate the request.

NHS App to Patient Care Aggregator
The Patient Care Aggregator has been built by an assured third party, Servita, and is hosted within the Amazon Web Services (AWS) NHSE infrastructure under contract to NHS England (NHSE).

Legal Basis: NHSE will be the data controller for the service support and the Patient Care Aggregator in the initial phases. NHSE will be Data Controllers for the data surfaced in the NHS App where NHSE are issuing NHS App, Services Directions (2022) to provide the summary details of patient scheduled secondary care outpatient appointments in the NHS App. This will remain until the new NHS App Directions provided by the Secretary of State for Health and Social Care replace the above-mentioned.

This Direction is given in the exercise of powers under the Health and Social Care Act 2012 and Regulation 32 of the National Institute for Health and Care Excellence (Constitution and Functions) and the Health and Social Care Information Centre (Functions) Regulations 2013 (the Regulations). NHSE is the data controller of the Application Programme Interface (API) Management System. NHSE is processing data under UK GDPR:

  • Art. 6(1)[c] - legal obligation by virtue of the Direction
  • Art. 9(2)[g] - substantial public interest and Part 2 Sched.1, DPA 2018, para 6 (statutory and governmental process by Direction)

Servita are a data processor of NHSE.

NHS Trusts to Patient Care Aggregator
Legal Basis: In the host environment, this will be to provide health and care services under UK GDPR Article 6(1)(e) and for sensitive data Article 9(2)(h). NHS Trusts, as data controllers, will not currently be mandated to provide secondary care appointment data to the Care Aggregator; their decision to send data will be voluntary. They will remain responsible for the management of an Excluded Patient List, including those users that wish to remove their data from the Patient Care Aggregator Records Service. Note: This is likely to change when the new NHS App Direction is in place between DHSC and NHSE and a DPN (Data Provision Notice) can be issued by NHSE to Trusts. NHSE does not hold NHS Trust patient data, and a patient’s information access rights under UK GDPR will be executed by the NHS Trust as data controller for the care information they hold.