Privacy Statement

What information do we collect?

In order to provide you with the best possible care we need to collect information about your health and the treatment provided.  This personal information can be held in a variety of formats, including computer records, paper records and audio files.

The legal reason we need to handle your personal data

Any personal information we hold about you is processed for the purposes of 'provision of health or social care or treatment or the management of health or social care systems' and services under chapter 2, section 9 of the Data Protection Act 2018 (subject to parliamentary approval).

What we need to collect and why

Personal information about you is collected in a number of ways. This can be from referral details from your GP, other hospital or community services and directly from you.

We are likely to hold the following basic personal information about you: your name, address (including letters sent to you), telephone numbers, date of birth, NHS number and your GP details. We might also hold your email address, partnership or marriage status and preferred name or maiden name.

In addition to the above, we may hold sensitive personal information about you which could include:

  • Notes and reports about your health, treatment and care, including:
    • your medical conditions
    • results of investigations, such as x-rays and laboratory tests
  • future care you may need
  • other personal information such as whether you smoke, or if you have any disabilities
  • Your religion and ethnic origin
  • Whether or not you are subject to any protection orders regarding your health, wellbeing and human rights (safeguarding status).

It is important for us to have a complete picture of you as this will assist staff to deliver appropriate treatment and care in accordance with your needs.

Your records are used to directly manage and deliver healthcare to you to ensure that:

  • The staff involved in your care have accurate and up to date information to advise on the most suitable care for you.
  • Our staff members have the information they need to be able to evaluate and improve the quality of care you receive.
  • Appropriate information is available if you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or health provider.

The personal information we collect about you may also be used to:

  • remind you about your appointments and send you relevant information
  • review the care we provide
  • support the funding of your care
  • prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory organisations
  • help to train and educate staff
  • report and investigate complaints, claims and unexpected incidents
  • report events to the appropriate authorities when we are required to do so by law
  • contact you with regard to patient satisfaction surveys relating to services you have used, to improve our services to patients

Where possible, we will remove your personal details (such as your name or date of birth) when sharing information with other organisations, unless there is a legal reason that permits us to use it, and we will only use or share the minimum information necessary. We will always aim to protect your personal information.

Who do we share your information with and why?

In order to support your healthcare needs, we may need to share relevant personal information with other NHS organisations such as your own GP, local hospitals, NHS England, Public Health England, ambulance services and those contracted to provide services to the NHS.

There are times when we are required by law to share information provided to us with other official organisations. This also includes, but is not limited to, the release of information under a court order, sharing with the Care Quality Commission for inspection purposes, the police for the prevention or detection of crime or where there is a clear public interest to prevent abuse or serious harm to others and other public organisations (e.g. HMRC for the misuse of public funds in order to prevent and detect fraud). Where there is cause to do this, we will always do our best to inform you of the sharing of information.

BEMS is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to BEMS in confidence will only be used for the purposes explained to you and for which you have given permission.

How do we maintain your records?

Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.

We hold and process your information in agreement with the Data Protection Act 2018 (subject to Parliamentary approval) as amended by the General Data Protection Regulations 2016. In addition, everyone working for the NHS must follow the Common Law Duty of Confidentiality and various other national standards.

We have a duty to:

  • maintain full and accurate records of the care we provide for you
  • keep records about you confidential and secure
  • provide information in a format that is accessible to you

Use of Email:

  • Some BEMS services provide the option to communicate with patients via email. We cannot guarantee the security of this information whilst in transit, and by requesting this service you are accepting this risk.

If we need to use your personal information for any reason apart from those mentioned above, we will contact you and ask for your consent. The Data Protection Act 2018 (subject to parliamentary approval) gives you certain rights, including the right to:

  • Request access to the personal data we hold about you, e.g. health records.
  • Request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards.
  • Withdraw consent to the sharing of your health records: Under the Data Protection Act 2018 (subject to parliamentary approval), we are authorised to share your health records 'for the management of healthcare systems and services'. Your consent will only be required if we intend to share your health records beyond these purposes, as explained above. Any consent form you will be asked to sign will give you the option to 'refuse' consent and will explain how you can remove any given consent at a later time. The consent form will also warn you about the possible consequences of such refusal.
  • Request your personal information to be transferred to other providers on certain occasions.
  • Object to the use of your personal information:
    • The NHS uses patient data for research, to find ways to improve treatments and identify causes of and cures for illnesses, and for planning purposes, to improve and enable the efficient and safe provision of health and care services. For more information, or if you do not want your data used for research and planning purposes, please visit the NHS Digital national data opt-out programme web site.

We will always try our best to keep your information confidential and only share information when absolutely necessary.

If you have a complaint about how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter.

How long do we keep your information?

Health and social care records are subject to a nationally agreed code of practice which regulates the minimum period for which records must be kept. This specifies that records should be retained until 10 years after the patient’s death or after the patient has permanently left the country, unless they remain in the European Union. Electronic patient records must not be destroyed or deleted for the foreseeable future. For more information, see the records management code of practice:

How do we keep your information safe?

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • General Data Protection Regulation 2017
  • Data Protection Act 1998
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management

The GDPR introduces a new obligation to do Data Protection Impact Assessments before carrying out certain types of processing. We complete Data Protection Impact Assessments to ensure we have identified the most effective way to comply with our data protection obligations and meet individuals’ expectations of privacy. These can be provided upon request.

Need to know

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances such as a life or death situation, or where the law requires information to be passed, or where it is in the best interest of the patient to share the information.

In May 2018, the General Data Protection Regulation came into force and BEMS has a legal responsibility to ensure that we comply with these regulations.

How to make a subject access request

You have a right, under the General Data Protection Regulation, to access the personal data we hold on you. To do so, you should make a subject access request.

Although subject access requests may be made verbally, we would advise that a request may be dealt with more efficiently and effectively if it is made in writing.

Requests that are made directly by you should be accompanied by evidence of your identity. If this is not provided, we may contact you to ask that such evidence be forwarded before we comply with the request. Requests made in relation to your data from a third party should be accompanied by evidence that the third party is able to act on your behalf. If this is not provided, we may contact the third party to ask that such evidence be forwarded before we comply with the request. 

Usually, we will comply with your request without delay and at the latest within one month. Where requests are complex or numerous, we may contact you to inform you that an extension of time is required. The maximum extension period is two months. 

To make a request, please contact our Office Manager:

Banes Enhanced Medical Services + (BEMS)
Midford House
St Martins Hospital

NHS National Data Opt-out

Confidential information about your health and care is collected by BEMS and shared with other organisations for the purposes of your individual care.

Confidential patient information about your health and care can be used and provided to other organisations for purposes beyond your individual care where allowed by law.

BEMS does not share your confidential patient information for purposes beyond your individual care. When sharing data for planning and reporting purposes, we use anonymised data so that you cannot be identified, in which case your confidential patient information isn’t required.

Health and care organisations that process confidential patient information have to put systems and processes in place so they can be compliant with the national data opt-out. They must respect and apply your opt-out preference if they want to use or share your confidential patient information for purposes beyond your individual care.

BEMS are currently compliant with the national data opt-out policy as we do not share your confidential patient information for purposes beyond your individual care.

To find out more or to register your choice to opt out, please visit

*NB If you choose to opt out, your confidential patient information will still be used to support your individual care.

You can change your choice at any time.


Who is the Data Protection Officer?

If you have any questions about our privacy notice, the personal information we hold about you, or our use of your personal information, then please contact our Data Protection Officer at:

Banes Enhanced Medical Services + (BEMS)
Midford House
St Martins Hospital


We are registered as a Data controller: Registration Number Z6014909. For further up-to-date information please see here


How to contact the Information Commissioner's Office

The Information Commissioner's Office (ICO) is the organisation that controls the Trust under Data Protection and Freedom of Information laws and legislation. If you are not satisfied with our response or believe we are not processing your personal data in a correct and lawful way you can complain to the ICO at:

Information Commissioner's Office
Wycliffe House
Water Lane
Cheshire SK9 5AF


Tel: 0303 123 1113 (local rate) or
01625 545 745 if you prefer to use a national rate number

Fax: 01625 524 510