Privacy notice and cookies

Introduction

This document is to inform you, as an individual, how the Trust and our Services will collect and use information about you. This is a legal requirement under UK GDPR and Data Protection legislation and is here to help you be aware of your rights.

Personal information about any living, identifiable individual is protected in law. Some information we hold about you is more sensitive; this is called ‘Special Category Data’. The Trust considers information we hold about you to be confidential and this includes:

  • Name, address, date of birth
  • NHS Number, hospital number
  • Contact information i.e. telephone number, mobile phone, email address
  • Next of Kin details and contact information
  • Special Category Data including:
    • Contacts we have had with you such as clinic visits
    • Details of diagnosis and treatment
    • Allergies and physical, sexual or mental health conditions
    • Racial or Ethnic Origin
    • Sexual orientation
    • Religious or other beliefs of a similar nature
    • Offences, criminal proceedings, outcomes and sentences.
    • Family, lifestyle and social circumstances
    • Education and training details
    • Employment details
    • Financial details

We also hold a duty of confidentiality under common law to the deceased. If you wish to view or obtain a copy of records for someone who has died, you can make a request under the Access to Health Records Act 1990.

We keep records about the health care and treatment you receive as one of our patients or service users. This ensures that you receive the best possible care from us with accurate and up to date information readily available.

The legal basis on which we hold and use this information is broadly covered under UK GDPR:

  • Article 6(1)(e) ‘Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ and
  • Article 9(2)(h) ‘processing is necessary for Health and Social Care purposes’; UK GDPR Article 9(2)(h) ‘Processing is necessary for the purposes of preventative or occupational medicine’.

In addition, we may process personal data for the purpose of, or in connection with legal proceedings, obtaining legal advice or defending legal rights. We will rely on the following UK GDPR legislation:

  • Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
  • Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.

Where we process special categories of personal data for these purposes, the legal basis for doing so is:

  • Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims
  • Article 9(2)(g) – processing is necessary for reasons of substantial public interest.

This information will be collected directly from you and others involved in your care, or may be information others have provided as it is necessary for their own care, such as contact details for Next of Kin.

We may use personal data for the following purposes:

  • To prepare statistics on NHS performance
  • To audit NHS Services
  • To monitor how we spend public money
  • To plan and manage the health service
  • To teach and train healthcare professionals and NHS employees
  • To conduct health research and development

We also keep records relating to staff for the purpose of recruitment and leavers processes, pay, disciplinary matters, superannuation, work management, volunteers, contractors or other personnel matters. This is to ensure that employment at the Trust is managed to a high standard and that staff are provided with the information and training required to carry out their role.

Below are listed the Acts of Parliament which affect our ‘public task’ under the Constitution of the NHS:

  • Access to Health Records Act 1990
  • Care Act 2014
  • Children’s Act 2004
  • Coronavirus Act 2020
  • Coroners Act 2009
  • Crime and Disorder Act 1998
  • Data Protection Act 2018
  • Employment Relations Act 1999
  • Employment Rights Act 1996
  • Equality Act 2010
  • Health & Safety at Work Act 1974
  • Health & Social Care Act 2008/2012/15/18
  • Health Act 2009
  • Health and Care Act 2022
  • Human Rights Act 1998
  • Inquiries Act 2005
  • Mental Capacity Act 2005
  • Mental Health Act 1983
  • NHS Act 2006
  • Public Bodies (Admission to meetings) Act 1960
  • Public Services (Social Value) Act 2012
  • Rehabilitation of Offenders Act 1974
  • Trade Union & Labour Relations Act 1992
  • UK GDPR

All of the personal data that we collect and use is handled in accordance with UK GDPR core principles:

  • Data is processed lawfully, fairly and transparently
  • Purpose limitation: data is processed for a specified purpose
  • Data minimisation: only necessary data is processed
  • Accuracy: data is kept accurate and up to date
  • Storage limitation: data will not be kept longer than necessary
  • Integrity and confidentiality (security): data is kept securely
  • Accountability: The Trust must comply with the above and take responsibility for the data we hold

Our services share data with a range of organisations and we will always endeavour to share the minimum amount of personal data required, anonymising data where possible.

Some sharing of information is necessary for delivering care to yourself as a patient or service user. Sharing will be completed adhering to national security standards and best practice. We often share personal information with the following organisations for the purposes of delivering or improving healthcare or where there is a legal requirement for us to do so:

  • Clinical Commissioning Groups / Integrated Care Boards
  • Health authorities
  • Other NHS Trusts
  • General Practitioners (GPs)
  • Ambulance services
  • Other NHS common services agencies such as primary care agencies
  • Social services
  • Education services
  • Local authorities
  • Police
  • Department for Work & Pensions
  • Voluntary sector providers and private sector providers

Services in our Trust will hold paper and electronic information in accordance with the Trust Retention Schedule which is aligned with national guidance. This sets out the appropriate length of time to hold each type of record and we endeavour not to keep your records for longer than necessary.

The Trust uses Confidential Waste Management and secure destruction of information to ensure that all records are destroyed correctly once their retention period has been met, and the Trust has made the decision that the records are no longer required.

On occasion we may be required to keep information beyond our retention schedule to comply with investigations and inquiries.

Our services are committed to securing your personal information from unauthorised access, use or disclosure. A combination of physical and electronic controls will help protect your personal information, creating a secure environment that allows for the provision of best quality care and preventing misuse of that data.

All our staff must complete and keep up to date with appropriate data security training within their employment. Each service monitors compliance with the policies and procedures in the Trust, and a high standard of behaviour is expected from all employees when handling confidential information.

Please refer to our Data Protection How to access information page.

If you have a concern about any aspect of your care or treatment at this hospital or about the way your records have been managed, please contact the Trust’s Patient Advice and Liaison Service (PALS).

Furthermore, you have a right to complain to the Information Commissioner if you are dissatisfied with the way the Trust has handled or shared your personal information:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Tel: 0303 123 1113 (or 01625 545745 or 44 1625 545745 if calling from overseas)
Website: https://ico.org.uk

We will occasionally update this document to reflect how our services use your information and feedback we receive. We therefore encourage you to periodically review this web page in case of any changes.

To learn more about how we use, manage and maintain confidentiality of your information, please speak to the health professionals dealing with your care.

The NHS is committed to respecting the privacy of individuals using this website. Torbay and South Devon NHS Foundation Trust does not collect any personal information about those using the site or use cookies to track or log information about users. We do analyse the server log files which contain details of the Internet Protocol address (IP address) of computers using the site, pages looked at, the times of day and the type of web browser used. None of this information is linked to individuals or distributed to third parties.

There are two types of cookie you may encounter:

First party cookies: these are our own cookies, controlled by us and used to provide information about usage of our site.

Third party cookies: these are cookies found in other companies’ internet tools which we are using to enhance our site, for example Facebook or Twitter have their own cookies, which are controlled by them.

First party cookies

A to Z list (filter): We use cookies for the a to z filter on our services page. This allows your browser to remember which letter you selected when returning to the page.

Third party cookies

Browsealoud: Our website uses the Browsealoud plugin which allows text on the page to be read aloud. Cookies may be set to store information and preferences when using the plugin. To find out more please visit Texthelp.

Google: We use Google Analytics to collect statistics about site usage such as when the visitor last visited the site. The cookie contains no personal information and is used only for web analytics. This information is used by us to help to improve the experience for you on our website.
Some of our pages include interactive Google maps. Cookies may be set to store information and preferences about these maps or other associated services on pages where we embed Google maps. To find out more please visit Google’s Privacy Policy page.

Vimeo: We embed videos from our Vimeo channel using their ‘do not track’ setting. This setting may set cookies on your computer once you click on the video player, but Vimeo will not store personally-identifiable cookie information for playbacks of embedded videos using the ‘do not track’ setting. To find out more please visit Vimeo’s cookie policy information page.

[Vimeo ‘do not track’ videos last checked: 05/02/2026]

YouTube: We embed videos from our YouTube channel using their privacy-enhanced mode. This mode may set cookies on your computer once you click on the video player, but YouTube will not store personally-identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode. To find out more please visit YouTube’s embedding videos information page.

[YouTube privacy-enhanced mode videos last checked: 05/02/2026]

How to control and delete cookies

If you wish to restrict or block the cookies which are set by the Torbay and South Devon NHS Foundation Trust website, or indeed any other website, you can do this through your browser settings. Each browser is different, so check the ‘Help’ menu of your particular browser (or your mobile phone’s handset manual) to learn how to change your cookie preferences.

The websites www.aboutcookies.org.uk and www.allaboutcookies.org contain comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your machine as well as more general information about cookies.

Please be aware that restricting cookies may cause the Torbay and South Devon NHS Foundation Trust website to work incorrectly.

Torbay and South Devon NHS Foundation Trust reviews all of our data processing on an annual basis to assess if the national data opt-out applies. This is recorded in our Record of Processing Activities. All new processing is assessed to see if the national data opt-out applies.

If any data processing falls within scope of the National Data Opt-Out we use MESH to check if any of our service users have opted out of their data being used for this purpose. This will not impact on the personal care you receive and the data we collect for that purpose.

For more information, visit: The NHS Website – Your NHS data matters.

Torbay and South Devon NHS Foundation Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Trust is a mandatory participant of the Cabinet Office’s National Fraud Initiative (NFI) which is a data matching exercise undertaken by the Cabinet Office to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Cabinet Office for each exercise.

This notice link sets out how the Cabinet Office use your personal data, and your rights. It is made under Article 14 of the UK General Data Protection Regulation (GDPR).

The Cabinet Office process information that you provide when seeking payment for employment from an organisation that takes part in the NFI. This is referred to as payroll data.

They process information you provide when seeking payment of an invoice from an organisation that takes part in the NFI. This is referred to as trade creditor standing and payment history data.

Data matching involves comparing sets of data, such as payroll of a body against other records held by the same or another body to see how far they match. This is usually personal information and Trust creditors’ data. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.

Data matching by the Cabinet Office is subject to a Code of Practice. Should you wish to know more information on this Fair Processing Notice please see the more detailed full text. View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information.

For further information on data matching at Torbay and South Devon NHS Foundation Trust contact Gareth Cottrell, Local Counter Fraud Specialist.

Service name: High Intensity Users
Address and contact telephone number: British Red Cross, 83 Caxton Business Park, Tower Road North, Warmley, BS30 8XP 07860 401986
Email and public website: https://www.redcross.org.uk
Data Protection Office: dataprotection@redcross.org.uk

What type of personal information we collect

Torbay and South Devon NHS Foundation Trust are working with British Red Cross to support “high intensity users” of our Emergency Department. This initiative is supported by NHS Devon ICB to ensure patients are receiving the most appropriate support.

If you are in the top 150 patients who have accessed the Emergency Department in the last 3 months, your data may be shared with British Red Cross to ensure you are getting appropriate support. The information shared may include:

  • NHS Number
  • Name
  • Date of birth
  • Age
  • Address
  • Telephone number
  • GP practice
  • ICB/NHS code
  • Arrival mode
  • Warning flag information
  • Presenting complaint from last 3 months ED attendances (chief/coded complaint and free text complaint)
  • A&E attendance in the last 12 months (admission number)
  • A&E attendance in the last 3 months (admission number)
  • Non-elective admissions in the last 12 months (admission reference)
  • Non-elective admissions in the last 3 months (admission reference)
  • Ambulance conveys in the last 12 months
  • Ambulance conveys in the last 3 months
  • Date of each A&E attendance in last 3 months

If you are contacted by the British Red Cross, you will be asked to formally consent to any support they may offer.

How we get this information and why we have it

Torbay and South Devon NHS Foundation Trust process your personal information provided by you during your healthcare and treatment.

We use this information to allow the British Red Cross to provide assertive outreach to patients who attend the Emergency Department on a regular basis with a high number of attendances. This information is provided by way of a quarterly report issued from the Trust’s Business Intelligence (BI) Team.

We rely on the following legal bases to process this information

  • UK GDPR Article 6.1.e ‘Public Task’ – Processing is necessary for the performance of official authority vested in the controller
  • UK GDPR Article 9.2.h ‘Direct healthcare’ – Processing is necessary for health or social care purposes

How we are storing your information

Torbay and South Devon NHS Foundation Trust store all information in secure systems and share information with British Red Cross via secure methods.

Your information is securely stored by British Red Cross prior to contacting patients to ask if they would like additional support. British Red Cross will store no more than six months’ worth of data provided directly by Torbay and South Devon NHS Foundation Trust.

The British Red Cross team will then gain explicit consent to store any further personal data.

Your data rights under data protection law

  • A right of access (copies), a right to rectification (if you believe data is inaccurate), a right to erasure (under certain circumstances), a right to restrict processing (in certain circumstances), a right to object to processing (in certain circumstances) and a right to portability (transfer information to another organisation – in certain circumstances)
  • To make a request you should contact dataprotection@redcross.org.uk or visit the British Red Cross public website.

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at vikkiamiss@redcross.org.uk or dataprotection@redcross.org.uk

You can also complain to the ICO if you are unhappy with how we have used your data.

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk

Contact

Emma Davies, Data Protection Officer
Email: Data Access & Disclosure Office