Privacy

Under data protection law, we are legally required to explain how we use your personal information and what your data protection rights are.

This privacy notice explains how Gateshead Health NHS Foundation Trust uses personal information, why we use it, and your rights.

We are committed to protecting your privacy and using your information lawfully, fairly and transparently.

Who we are

Gateshead Health NHS Foundation Trust looks after your personal information.
This means we decide how and why your information is used.

Our address:
Queen Elizabeth Hospital, Sheriff Hill, Gateshead, NE9 6SX

General phone number: Switchboard 0191 482 0000 

Link to the general enquiry form

How we obtain your information and why we hold it

The information we use varies depending on your relationship with us and may include your personal details (such as your name, address, and contact information), NHS number, date of birth, health and care records, employment and payroll details, training and occupational health records, financial and transactional information, as well as any correspondence, complaints or feedback you provide. We treat all health and care information as highly confidential.

We collect your information in several ways:

We also receive information about you indirectly from others, in the following scenarios:

  • from other NHS organisations and healthcare providers involved in your care
  • from GPs, local authorities, and partner organisations
  • from family members or carers, where appropriate, to support your care
  • from education providers, referees or previous employers for staff and job applicants
  • from suppliers and contractors for business and corporate functions

The information we collect

Personal information is any information relating to a person that can be directly or indirectly identified from that information.   

This includes, but is not limited to:

  • Name
  • Date of birth
  • Address
  • Full postcode
  • Telephone numbers
  • Next of kin
  • NHS number

We currently collect and use the following personal information:

  • personal identifiers and contacts (for example, name and contact details)
  • photographic identity (photo ID) (for example, photographs of staff for ID badges or our website)
  • image recordings through closed circuit television (CCTV) for prevention and detection of crime
  • financial information for employment or payment services (for example, payroll, pension)

More sensitive information is any information which requires more protection than personal information. This includes, but is not limited to, information such as:

  • Medical history, including details of appointments and contact with you
  • Medication
  • Emergency appointments and admissions
  • Clinical notes
  • Treatments
  • Results of investigations
  • Supportive care arrangements
  • Social care status
  • Race
  • Ethnic origin
  • Genetics
  • Sexual orientation
  • Biometrics

We process the following more sensitive data (including special category data):

  • data concerning physical or mental health (for example, details about your appointments or diagnosis)
  • data revealing racial or ethnic origin
  • data concerning a person’s sex life
  • data concerning a person’s sexual orientation
  • genetic data (for example, details about a DNA sample taken from you as part of a genetic clinical service)
  • biometric data (where used for identification purposes)
  • data revealing political opinions [unlikely to apply outside of employment conditions]
  • data revealing religious or philosophical beliefs
  • data revealing trade union membership [unlikely to apply outside of employment conditions]
  • data relating to criminal or suspected criminal offences

How your information is used and shared

We use your personal information to provide safe and effective care and treatment, manage and improve our services, employ and support our staff, ensure the safety of patients and the public (including safeguarding), investigate complaints and concerns, and to meet our legal and NHS obligations. We only use information when the law allows us to do so.

  1. Employment and workforce

  • Job applications and recruitment processes
  • Employment contracts, payroll and pensions
  • Training, appraisal and professional development
  • Occupational health and workforce safety
  • Legal and regulatory requirements

  2. Complaints and concerns

  • Investigate and respond to complaints and concerns
  • Learn from feedback and improve services
  • Meet legal and regulatory obligations

This may include information about patients, carers, staff and others involved.

  3. Corporate and business functions

  • Finance, billing and payments
  • Procurement and contract management
  • Audit, risk management and governance
  • Information technology and security
  • Estates, facilities and business continuity

We only use information for these purposes where the law allows and keep it secure.

  4. Who we share information with

We only share information where it is lawful and necessary, including with:

  • Other NHS organisations and GP practices
  • Integrated Care Boards (ICBs)
  • Local authorities and safeguarding partners
  • NHS England and national NHS bodies
  • Approved suppliers, auditors and regulators
  • Organisations involved in employment, payroll and pensions

All organisations we work with must keep your information safe.

How long we keep your information

We retain information only as long as necessary, following NHS record-keeping guidelines. When no longer needed, data is securely deleted or destroyed.

Your information is stored for the periods set out in the Records Management Code of Practice and disposed of as recommended, such as shredding paper records, wiping hard drives, or archiving with contracted services.

The law that allows us to use your information

We must follow the law when we use your personal information.

In health and care, this means we must comply with three related legal frameworks:

  • Data protection law,
  • The Data (Use and Access) Act 2025 (DUAA), and
  • The common law duty of confidentiality

These laws work together and must be satisfied when we use or share health and care information.

  1. Data protection law

Data protection law includes the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This law applies to personal information about living people and requires us to use information lawfully, fairly and transparently.

Personal information (Article 6 UK GDPR)

Under the UK GDPR, we must have a lawful basis under Article 6 to use personal information. The Trust relies on the following:

  • Consent – where you have given consent that is freely given, specific, informed and unambiguous, such as for website cookies
  • Contract – where processing is needed to meet a contract, for example privately funded care or employment contracts
  • Legal obligation – where the law requires us to use or share information, for example where required by NHS England or the courts
  • Public task – where we carry out our duties as a public body, such as providing NHS healthcare or meeting regulatory requirements
  • Legitimate interests – where this applies, for example for certain financial or debt‑recovery activities (this does not override your rights)

Your rights depend on the lawful basis we are using.

Sensitive or special category data (Article 9 UK GDPR)

Health information and some employment information is classed as special category data and needs extra protection.

Under Article 9 UK GDPR, the Trust relies on the following lawful bases:

  • Employment, social security and social protection – where authorised by law
  • Legal claims – where information is needed for legal claims or court proceedings
  • Substantial public interest – where there is a clear legal basis
  • Health or social care – to provide and manage healthcare and services
  • Public health – to protect public health and safety
  • Archiving, research and statistics – where there is a legal basis and safeguards are in place

  2. The Data (Use and Access) Act 2025 (DUAA)

The Data (Use and Access) Act 2025 updates and supports existing data protection laws.

It:

  • Amends parts of the UK GDPR and the Data Protection Act 2018
  • Helps public organisations like the NHS use and share information safely
  • Supports improved data sharing, research and service planning
  • Introduces clearer rules for information standards and digital systems

The DUAA does not reduce your data protection rights.
It provides clearer legal gateways to support safe and effective use of information for NHS purposes.

  3. The common law duty of confidentiality

We also have a common law duty of confidentiality to keep health and care information private.

This applies to information:

  • Shared in confidence, and
  • Which you would reasonably expect to be kept confidential

We will only use or share confidential information when:

  • You have given consent (explicitly or implicitly for direct care), or
  • The law allows or requires us to do so (including where supported by legislation such as the DUAA), or
  • There is an overriding public interest, such as protecting patients, staff or the public

This duty continues to apply even when data protection law does not, including after someone has died.

  4. How these laws work together

For health and care information, we usually need to meet the requirements of all three frameworks. We carefully consider this each time information is used or shared and only use the minimum information necessary.

Your rights

You have rights over how your personal information is used.
Your rights depend on the legal reason we are allowed to use your information.

You can:

  • Ask to see the information we hold about you
  • Ask us to correct information if it is wrong or incomplete
  • Ask us to limit how your information is used in some situations
  • Object to how your information is used in some circumstances
  • Ask for your information to be shared with another organisation, where this applies

You do not have to pay to use your rights.
We usually respond within one month.

Important to know

These rights do not always apply in every situation.

This is because we often need to use your information to:

  • Provide safe and lawful healthcare
  • Meet legal or NHS requirements
  • Protect patients, staff or the public
  • Carry out our duties as an NHS organisation

If the law requires us to keep or use your information, we may not be able to agree to your request. If this happens, we will explain the reason clearly.

Trust’s Access to records page

National and regional NHS systems

  1. Great North Care Record (GNCR)

The Great North Care Record allows health and care professionals involved in your care to share relevant information securely.

This helps:

  • Improve safety and decision‑making
  • Avoid repeating tests
  • Support joined‑up care

Only authorised staff involved in your care can access this information.

Be directed to the GNCR website

  2. Patient Engagement Platforms (PEP) and digital services

We use approved digital services to communicate with you, including:

  • Appointment reminders
  • Letters and messages
  • Access to information through the NHS App

Approved suppliers must only use your information for NHS purposes and keep it secure.

Find out more about the NHS App

  3. Other national NHS systems

We may also use national NHS systems to:

  • Plan and improve services
  • Monitor safety and quality
  • Support NHS operational and reporting requirements

Information used for these purposes is only shared where the law allows and appropriate protections are in place.

Research and the National Data Opt‑out

  1. Research

We may use your information to support research and planning. This helps improve care, treatments and services for patients now and in the future.

Where possible, information used for these purposes is anonymised.

Your information is only used for research and planning when:

  • There is a legal reason, and
  • The correct approvals and safeguards are in place

If a research study needs your consent, you will be told and given a choice.

Find out more on the Trust website.

Find out how health researchers use information.

  2. Your choice – the National Data Opt‑out

You have a choice about whether your confidential patient information can be used for research and planning beyond your individual care. This is called the National Data Opt‑out.

  • If you are happy for your information to be used in this way, you do not need to do anything.
  • If you choose to opt out, your confidential information will still be used to support your own care, but it will not be used for research and planning purposes where the opt‑out applies.

When the opt‑out may not apply

In some situations, the National Data Opt‑out does not apply. This is when the law allows or requires information to be used, for example:

  • For public health and safety reasons
  • Where a legal exemption applies
  • Where information is already anonymised

Managing your choice

You can find out more about the National Data Opt‑out, or change your choice at any time, by visiting: www.nhs.uk/your-nhs-data-matters

Automated decisions

Important decisions concerning individuals are not made solely by computers, artificial intelligence, or software; staff members remain actively involved whenever such systems are utilised.

Data Protection Officer and Data Protection Complaints      

If you have concerns regarding the use of your information in relation to care, employment, or corporate functions, please raise them initially with your care team, line manager, or relevant corporate representative.

Should the issue remain unresolved, you may contact:

Data Protection Officer:
Email: [email protected]

If you are not satisfied with the DPO’s response, you can contact the Information Commissioner’s Office (ICO): www.ico.org.uk

Patient Leaflet Link

Patient Easy Read Leaflet Link

Changes to this notice

We review this notice regularly and update it when needed.

Date of last review and update: 24/03/2026