How we use and protect your personal information for patients

How we use and protect your personal information for patients

How we use and protect your personal information as a patient under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018). 

Privacy Notice – Patient Records 

Updated May 2022 

Bolton NHS Foundation Trust provides patient care in the community at health centres and clinics as well as services such as district and school nursing. We also provide services at the Royal Bolton Hospital. 

Information about you, your medical treatment and family background may be held on both paper and computers, as part of providing you with health services. 

This information is vital to the proper operation of the Trust and is needed to give you and others the best possible healthcare. 

We will also ensure that your full information is available if you see another doctor, or are referred to a specialist or another part of the NHS. 

Any correspondence you send to us may also form part of your health record. 

The legal basis for the processing of data for these purposes is that the NHS is an official authority with a public duty to care for its patients, as guided by the Department of Health.  

The organisation responsible for processing your data is Bolton NHS Foundation Trust.   

The teams of hospital and community professionals caring for you need to keep records about your health and any treatment and care you have received. 

Your health records help to ensure you receive the best possible care. 

Your doctor, nurse and the team of health & care professionals caring for you, keep records about your treatment and care both on paper and electronically.

These include, but are not limited to:

  • Personal details such as name, address, date of birth, ethnicity and religion, NHS number and next of kin. 
  • Contact we have with you e.g. hospital admissions, outpatients/clinic appointments and home visits. 
  • Notes and reports by health and care professionals about your health, GP details etc. 
  • Details and records about your treatment and care. 
  • Results of x-rays, laboratory tests, and any other tests.  
  • Relevant information about people that care for you and know you well. 
  • Basic details about associated people e.g. children, partners, carers, relatives etc.  

This information may be given to us directly by you. We may also hold information relating to your direct care which has been provided to us by third parties, such as referral information from your GP, Optician or from other bodies such as schools.  

Your health records are used to make sure that the teams of health and social care professionals caring for you have accurate and up to date information about your medical condition and circumstances.  

Also we will manage your records with clear retention periods under the NHS Records Management Code of Practice for Health and Social Care.  

A copy of the code is available here. 

Information collected about you to deliver your health care is also used to assist with:  

  • Making sure your care is of a high standard.  
  • Using statistical information to look after the health and wellbeing of the general public and planning services to meet the needs of the population.  
  • Assessing your condition against a set of risk criteria to ensure you are receiving the best possible care.  
  • Preparing statistics on our performance for the Department of Health and other regulatory bodies.  
  • Helping train staff, support research and conduct surveys to maintain the quality of our services.  
  • Supporting the funding of your care.  
  • Reporting and investigation of complaints, claims and untoward incidents.  
  • Reporting events to the appropriate authorities when we are required to do so by law 

All members of staff working in the NHS and other healthcare organisations have a legal duty to keep information about you strictly confidential (unless in extreme circumstances where your safety or that of others is compromised). 

The NHS has a code of confidentiality which all staff must adhere to. 

We also keep all paper and electronic records securely to prevent unauthorised access in accordance with the UK General Data Protection Regulation and Data Protection Act 2018. 

The law and your personal information 

There are many government policies and Acts of Parliament which require the Trust to report certain personal information to other organisations. 

The Trust will not disclose personal information about you without your permission, unless required by law to do so, such as: 

  • When a baby is born.
  • When a death occurs.
  • When a court order has been issued.
  • At the request of the Coroner.
  • When an infectious disease is diagnosed.

We will also share relevant information about you to: 

Assess and plan the type of care or treatment you need. 

  • Provide up to date information to other health and social care organisations involved in your care.
  • Keep your GP fully informed.
  • Share with external organisations for the purposes of continuity of your care and wellbeing when appropriate.
  • Reviewing and auditing the quality of the services we provide.

You have rights under the Data Protection Laws: 

Data Protection laws give individuals rights in respect of the personal information that we hold about you.  These are: 

  1. To be informed why, where and how we use your information. 
  2. To ask for access to your information. 
  3. To ask for your information to be corrected if it is inaccurate or incomplete. 
  4. To ask for your information to be deleted or removed where there is no need for us to continue processing it. 
  5. To ask us to restrict the use of your information.  
  6. To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information. 
  7. To object to how your information is used. 
  8. To challenge any decisions made solely without human intervention (automated decision making) 

The National Data Opt-Out was introduced to give you, the patient a choice on how your confidential patient information is used for purposes beyond their individual care. 

The information that the opt-out applies to is special category data as it includes information about your health care and/or treatment that has been collected as part of the care we provide for the patient. 

As a patient you can set or change their National Data Opt-Out choice using an online or contact centre service. When you set a National Data Opt-Out it is in held in a repository on a national database against the patient’s NHS number. 

In accordance with your wishes and National Data Opt-Out policy, we as a health and care organisation located in England, we are required to apply National Data Opt-Outs when applicable to a use or disclosure of confidential patient information for purposes other than your care or treatment. 

Applying the opt-out to a data use/disclosure requires that we check, by using the NHS numbers of patients, whether a patient has registered an opt-out before the data is used/disclosed. 

To do this a separate list of the NHS numbers in the data that is going to be used/disclosed needs to be created. 

The list of NHS numbers is then submitted to the Check for National Data Opt-Outs service via the secure Message Exchange for Social Care and Health (MESH) messaging service. The Check for National Data Opt-Outs service is an external service provided by NHS Digital. The service checks the list of NHS Numbers against a list of opt-outs created from the repository on the NHS Spine, where a match is found it removes the NHS number from the list and then returns an updated list of NHS numbers (with opt-outs removed) back to us via MESH. 

We then match the updated list of NHS numbers against our original set of data that was going to be used/disclosed and remove the entire record for those patient records where the NHS numbers match. This creates a ‘cleaned’ set of data with opt-outs applied that we can then use/disclose. 

To find out more information about the National Data Opt-Out please visit 

If at any point you believe the information we process on you is incorrect, you can request to see this information and have it corrected.  


If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter. 


Data Protection Officer 

Bolton NHS Foundation Trust, 

Minerva Road, Farnworth, Bolton, BL4 0JR 

Tel: 01204 390 861,  


Right to lodge a complaint with a Supervisory Authority  


If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO). 


The ICO can be contacted at The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.  

We may use your details to contact you with regards to patient satisfaction surveys relating to services you have used within our Trust. This is to improve the way we deliver healthcare to you and other patients. 

At any time you have the right to refuse/withdraw consent to information sharing. The possible consequences will be fully explained to you and could include delays in receiving care.

The Greater Manchester Care Record is a vital digital resource for the city region’s 2.8m citizens, that is used to help improve health and care services and save lives.

It brings together your information from NHS and care services across all 10 Greater Manchester boroughs into one joined up record, so that your information can be accessed by frontline health and care workers, wherever you receive your care.

Each health and care organisation in Greater Manchester collects information about you and keeps records about the care and services they have provided. The GM Care record pulls together the information from these different health and social care records and displays it in one combined record.

You can get more information from here

Privacy Notices

Skip to content