Privacy notice and cookies


This document is to inform you as an individual how the Trust and our Services will collect and use information about you; This a legal requirement under UK GDPR and Data Protection legislation and is here to help you be aware of your rights.

Personal information about any living, identifiable individual is protected in law. Some information we hold about you is more sensitive, this is called ‘Special Category Data’. The Trust considers information we hold about you to be confidential and this includes:

  • Name, address, date of birth
  • NHS Number, hospital number
  • Contact information i.e. telephone number, mobile phone, email address
  • Next of Kin details and contact information
  • Special Category Data including:
    • Contacts we have had with you such as clinic visits
    • Details of diagnosis and treatment
    • Allergies and physical, sexual or mental health conditions
    • Racial or Ethnic Origin
    • Sexual orientation
    • Religious or other beliefs of a similar nature
    • Offences, criminal proceedings, outcomes and sentences.
    • Family, lifestyle and social circumstances
    • Education and training details
    • Employment details
    • Financial details

We also hold a duty of confidentiality under common law to the deceased. If you wish to view or obtain a copy of records for someone who had died, you can make a request under the Access to Health Records Act 1990.

We keep records about the health care and treatment you receive as one of our patients or service users This ensures that you receive the best possible care from us with accurate and up to date information readily available.

The legal basis we hold and use this information is broadly covered under UK GDPR:

  • Article 6(1)(e) ‘Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ and
  • Article 9(2)(h) ‘processing is necessary for Health and Social Care purposes’ UK GDPR Article 9(2)(h) ‘Processing is necessary for the purposes of preventative or occupational medicine.

In addition, we may process personal data for the purpose of, or in connection with legal proceedings, obtaining legal advice or defending legal rights. We will rely on the following UK GDPR legislation:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
  • Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.

Where we process special categories of personal data for these purposes, the legal basis for doing so is:

  • Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims
  • Article 9(2)(g) – processing is necessary for reasons of substantial public interest.

This information will be collected directly from you and others involved in your care, or may be information others have provided as it is necessary for their own care, such as contact details for Next of Kin.

We may use personal data for the following purposes:

  • To prepare statistics on NHS performance
  • To audit NHS Services
  • To monitor how we spend public money
  • To plan and manage the health service
  • To teach and train healthcare professionals and NHS employees
  • To conduct health research and development

We also keep records relating to staff for the purpose of recruitment and leavers processes, pay, disciplinary matters, superannuation, work management, volunteers, contractors or other personnel matters. This is to ensure that employment at the Trust is managed to a high standard and that staff are provided with the information and training required to carry out their role.

Below are listed the Acts of Parliament which affect our ‘public task’ under the Constitution of the NHS:

  • Access to Health Records Act 1990
  • Care Act 2014
  • Children’s Act 2004
  • Coronavirus Act 2020
  • Coroners Act 2009
  • Crime and Disorder Act 1998
  • Data Protection Act 2018
  • Employment Relations Act 1999
  • Employment Rights Act 1996
  • Equality Act 2010
  • Health & Safety at Work Act 1974
  • Health & Social Care Act 2008/2012/15/18
  • Health Act 2009
  • Health and Care Act 2022
  • Human Rights Act 1998
  • Inquiries Act 2005
  • Mental Capacity Act 2005
  • Mental Health Act 1983
  • NHS Act 2006
  • Public Bodies (Admission to meetings) Act 1960
  • Public Services (Social Value) Act 2012
  • Rehabilitation of Offenders Act 1974
  • Trade Union & Labour Relations Act 1992

All of the personal data that we collect, and use is handled in accordance with UK GDPR core principles:

  • Data is processed lawfully, fairly and transparently
  • Purpose limitation: data is processed for a specified purpose
  • Data minimisation: only necessary data is processed
  • Accuracy: data is kept accurate and up to date
  • Storage limitation: data will not be kept longer than necessary
  • Integrity and confidentiality (security): data is kept securely
  • Accountability: The Trust must comply with the above and take responsibility for the data we hold

Our services share data with a range of organisations and we will always endeavour to share the minimum amount of personal data required, anonymising data where we possible.

Some sharing of information is necessary for delivering care to yourself as a patient or service user. Sharing will be completed adhering to national security standards and best practice. We often share personal information with the following organisations for the purposes of delivering or improving healthcare or where there is a legal requirement for us to do so:

  • Clinical Commissioning Groups / Integrated Care Boards
  • Health authorities
  • Other NHS Trusts
  • General Practitioners (GPs)
  • Ambulance services
  • Other NHS common services agencies such as primary care agencies
  • Social services
  • Education services
  • Local authorities
  • Police
  • Department for Work & Pensions
  • Voluntary sector providers and private sector providers

Services in our Trust will hold paper and electronic information in accordance with the Trust Retention Schedule which is aligned with national guidance. This sets out appropriate length of time to hold each type of record and we endeavour to not keep your records for longer than necessary.

The Trust uses Confidential Waste Management and secure destruction of information to ensure that all records are destroyed correctly once their retention period has been met, and the Trust has made the decision that the records are no longer required.

On occasion we may be required to keep information beyond our retention schedule to comply with investigations and inquiries.

Our services are committed to securing your personal information from unauthorised access, use or disclosure. A combination of physical and electronic controls will help protect your personal information, creating a secure environment that allows for the provision of best quality care and preventing misuse of that data.

All our staff must complete and keep up to date with appropriate data security training within their employment. Each service monitors compliance with the policies and procedures in the Trust, and a high standard of behaviour is expected from all employees when handling confidential information.

Please refer to our Data Protection How to access information page.

If you have a concern about any aspect of your care or treatment at this hospital or about the way your records have been managed, please contact the Trust’s Patient Advice and Liaison Service (PALS).

Furthermore, you have a right to complain to the Information Commissioner if you are dissatisfied with the way the Trust has handled or shared your personal information:

Information Commissioner’s Office
Wycliffe House
Water Lane
Cheshire SK9 5AF

Tel: 0303 123 1113 (or 01625 545745 or 44 1625 545745 if calling from overseas)

We will occasionally update this document to reflect how our services use your information and feedback we receive. We therefore encourage you to periodically review this web page in case of any changes.

To learn more about how we use, manage and maintain confidentiality of your information, please speak to the health professionals dealing with your care.

The NHS is committed to respecting the privacy of individuals using this website. Torbay and South Devon NHS Foundation Trust does not collect any personal information about those using the site or use cookies to track or log information about users. We do analyse the server log files which contain details of the Internet Protocol address (IP address) of computers using the site, pages looked at, the times of day and the type of web browser used. None of this information is linked to individuals or distributed to third parties.

There are two types of cookie you may encounter:

First party cookies: these are our own cookies, controlled by us and used to provide information about usage of our site.

Third party cookies: these are cookies found in other companies’ internet tools which we are using to enhance our site, for example Facebook or Twitter have their own cookies, which are controlled by them

First party cookies

A to Z list (filter): We use cookies for the a to z filter on our services page. This allows your browser to remember which letter you selected when returning to the page.

Third party cookies

Browsealoud: Our website uses the Browsealoud plugin which allows text on the page to be read aloud. Cookies may be set to store information and preferences when using the plugin. To find out more please visit Texthelp.

Google: We use Google Analytics to collect statistics about site usage such as when the visitor last visited the site. The cookie contains no personal information and is used only for web analytics. This information is used by us to help to improve the experience for you on our website.
Some of our pages include interactive Google maps. Cookies may be set to store information and preferences about these maps or other associated services on pages where we embed Google maps. To find out more please visit Google’s Privacy Policy page.

Vimeo: We embed videos from our Vimeo channel. Vimeo sets a number of cookies on any page that embeds a Vimeo video. These cookies appear to include a mixture of pieces of information to measure the number and behaviour of Vimeo viewers, to hold information about current viewing video settings as well as a personal identification token, if you are logged into Vimeo. To find out more please visit Vimeos’ cookie policy information page.

YouTube: We embed videos from our YouTube channel using YouTube’s privacy-enhanced mode. This mode may set cookies on your computer once you click on the YouTube video player, but YouTube will not store personally-identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode. To find out more please visit YouTube’s embedding videos information page.

How to control and delete cookies

If you wish to restrict or block the cookies which are set by the Torbay and South Devon NHS Foundation Trust website, or indeed any other website, you can do this through your browser settings. Each browser is different, so check the ‘Help’ menu of your particular browser (or your mobile phone’s handset manual) to learn how to change your cookie preferences.

The websites or contains comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your machine as well as more general information about cookies.

Please be aware that restricting cookies may cause the Torbay and South Devon NHS Foundation Trust website to work incorrectly.

Torbay and South Devon NHS Foundation Trust reviews all of our data processing on an annual basis to assess if the national data opt-out applies. This is recorded in our Record of Processing Activities. All new processing is assessed to see if the national data opt-out applies.

If any data processing falls within scope of the National Data Opt-Out we use MESH to check if any of our service users have opted out of their data being used for this purpose. This will not impact on the personal care your receive and the data we collect for that purpose.

for more information, visit: The NHS Website – Your NHS data matters.

Torbay and South Devon NHS Foundation Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Trust is a mandatory participant of the Cabinet Office’s National Fraud Initiative (NFI) which is a data matching exercise undertaken by the Cabinet Office to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Cabinet Office for each exercise.

This notice link sets out how the Cabinet Office use your personal data, and your rights. It is made under Article 14 of the UK General Data Protection Regulation (GDPR).

The Cabinet Office process information that you provide when seeking payment for employment from an organisation that takes part in the NFI. This is referred to as payroll data.

They process information you provide when seeking payment of an invoice from an organisation that takes part in the NFI. This is referred to as trade creditor standing and payment history data.

Data matching involves comparing sets of data, such as payroll of a body against other records held by the same or another body to see how far they match. This is usually personal information and Trust creditors’ data. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014

Data matching by the Cabinet Office is subject to a Code of Practice. Should you wish to know more information on this Fair Processing Notice please see the more detailed full text. View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information.

For further information on data matching at Torbay and South Devon NHS Foundation Trust contact Gareth Cottrell, Local Counter Fraud Specialist


Emma Davies, Data Protection Officer
Email: Data Access & Disclosure Office