Mid Cheshire Hospitals - NHS Foundation Trust

Privacy Notice

Privacy Policy & Data Protection

Mid Cheshire Hospitals NHS Foundation Trust (MCHFT) is committed to handling your information securely and in line with the Data Protection Act 2018 and General Data Protection Regulation (GDPR).

Local health services such as hospitals, like ourselves, and GP Practices will record and keep your information to ensure you receive the best possible care.

These records include:

  • Your name, date of birth, NHS Number and contact details
  • Information about your appointments and clinical visits
  • Reports and notes about your health, treatment and care
  • Relevant information about people who care for you, such as next of kin and other Health Professionals
  • Visual Images, such as CCTV for security purposes


This information provides essential reference for Health Professionals who you see, in all parts of the NHS. It also enables us to investigate any issues, complaints or legal claims.

All NHS staff have a legal duty to keep your information confidential and secure and records are held securely and in the strictest confidence.


Processing your Information

We process personal information to enable us to:

  • Provide healthcare services for patients and maintain accurate and up to date information on your health and help us decide what care you need
  • Provide feedback on services and assess the quality of care you have received
  • Data match under the national fraud initiative
  • Provide research opportunities and enable our patients to partake in research projects and programs
  • Support and manage our employees
  • Maintain our accounts and records and review and monitor how we spend public money
  • Maintain CCTV systems for crime prevention
  • Enable the analysis of statistical data to review NHS performance and key performance indicators
  • Audit care and services across the NHS
  • Help plan and develop strategic direction for the future delivery of our NHS service
  • Teach and train healthcare professionals



Type/Classes of Information Processed

We process relevant information including (but not limited to):

  • Personal details
  • Family details
  • Education, training and employment history
  • Financial details
  • Goods and services
  • Lifestyle and social circumstances
  • Visual images, personal appearance and behaviour
  • Details held in the patients’ record
  • Survey Responses


We also process ‘special category’ classes of information that may include:

  • Racial and ethnic origin
  • Offences and alleged offences
  • Criminal proceedings, outcomes and sentences
  • Trade union membership
  • Physical and mental health details
  • Religion and beliefs
  • Sexual life
  • Genetic data
  • IP addresses


We process personal information about:

  • Our patients
  • Suppliers
  • Employees
  • Complainants, enquirers
  • Survey respondents
  • Professional experts and consultants
  • Individuals captured by CCTV


Sharing Information

We sometimes need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of The Data Protection Act 2018 and General Data Protection Regulation (GDPR). Only information that is relevant will be shared.

Where necessary or required we share information with:

  • You, your family, associates and representatives of the person whose personal data we are processing
  • Staff
  • Healthcare, social and welfare organisations
  • Suppliers, service providers, legal representatives
  • Auditors and audit bodies
  • Survey and research organisations
  • People making an enquiry or complaint
  • Financial organisations
  • Professional advisers and consultants
  • Business associates
  • Police forces
  • Security organisations
  • Central and local government
  • Voluntary and charitable organisations
  • Community Pharmacists – regarding discharge information (for patient follow up and for patients requiring compliance devices)
  • Regulatory bodies; e.g. Care Quality Commission (CQC)


As a health care provider, MCHFT is required to use and share your information in your best interests and may share it with external providers, if deemed necessary, without prior consent; this is for direct care purposes only. We may also share information with external parties where there is a legal basis to do so for other matters, for example crime and taxation purposes.

Using Personal Information in the Wider Health Service

In recent years the NHS has changed the way we share patient information among Health Professionals in different settings e.g. Hospitals, GP practices, Urgent Care Centers.

To prevent delay and ensure safe treatment, especially in urgent situations, doctors and other specialists may access essential parts of your record electronically, rather than writing to or phoning your GP or other Healthcare Professionals involved in your treatment and care.

The NHS nationally and locally currently uses three systems to share information electronically. These are all currently ‘opt out schemes’, meaning that your records are automatically included unless you opt out of each individual scheme.

Summary Care Record

The Summary Care Record (SCR) is a secure national electronic record, enabling doctors and health specialists to access information about you that could be vital in an emergency or out-of-hours situation.

Records for each individual will be created automatically. This will enable NHS staff caring for you anywhere in England to access the following information to support your care in an emergency.

  • Any medicines you are taking
  • Any allergies you have
  • Any bad reactions you had to medicines


Healthcare staff will ask your permission before they look at your record except in certain circumstances (e.g. if you are unconscious).

How to Opt-Out of the Summary Care Record

You can download the ‘opt-out form’ at NHS Care Records and give this to your GP.

Cheshire Care Record

The Cheshire Care Record is a local electronic patient record that allows health and social care professionals directly involved in your care to share a summary of your medical record.

Your Cheshire Care Record will help those caring for you to manage your care better, and allow information to be shared quickly and safely. Only authorised staff providing health and social care services, or services such as palliative care across Cheshire and Merseyside can access this record.

For more information about Cheshire Care Record, visit the Cheshire Care Record website at www.cheshirecarerecord.co.uk (external link, opens in a new window) which includes information on:

  • What the Cheshire care record is
  • Why share information
  • Who information is shared with
  • How to Opt Out/In of sharing

National Data Opt-Out Programme

The Trust is one of many organisations working in the health and care system to improve care for patients and the public. The information collected about you when you are using NHS services can be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness.

All of these help to provide better health care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.

You have a choice about whether you want your confidential patient information to be used in this way. 

You can find out more about the wider use of confidential personal information and register your choice to opt out by visiting www.nhs.uk/your-nhs-data-matters.


Legal Basis for Processing - What are the lawful bases for processing?

The lawful bases for processing personal data are set out in Article 6 of the General Data Protection Regulation, and in Article 9 for the processing of special category data.

We collect and process your Personal Data for a variety of purposes as outlined in this Privacy Policy. 

In many cases, separate consent is not required and therefore we will rely on another ‘legal basis for processing’. These include:

Contract: the processing is necessary for a contract we have with you or because you have asked us to take specific steps before entering into a contract.

Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).

Vital interests: the processing is necessary to protect someone’s life.

Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

Health Purposes: the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of working capacity of the employee, medical diagnosis, the provision of health or social care treatment or the management of health or social care services.  

Occasionally we may ask you for your consent.

Managing Preferences and Withdrawing Consent

Consent means offering individuals genuine choice and control. Under the General Data Protection Regulation, consent requires a positive opt-in. 

We will not use pre-ticked boxes or any other method of consent by default.

As explicit consent requires a very clear and specific statement of consent, we will ensure that this is done.

  • We will keep consents separate from other terms and conditions
  • Be specific and granular, clear and concise
  • We will name any third party controllers who will rely on consent as required
  • Make it easy for people to withdraw consent.


We will:

  • Keep evidence of consent - who, when, how and what individuals were told
  • Keep consent under review and refresh if and when anything changes
  • Avoid making consent a precondition of a service.



Security of Information

The Trust takes the security of your information seriously and uses different controls and access mechanisms for both electronic and paper based data. Everyone working for the NHS has a legal duty to keep information about you confidential and secure under Data Protection Legislation, Caldicott Principles and Confidentiality Code of Conduct. We use the minimum necessary information about you to be able to provide you with the care and services required. Anyone who receives information from us, as part of a sharing initiative or continuity of care, is also bound by the same legal duties as our staff and has the same confidentiality clauses within their contracts. Breaking those rules can result in investigations, disciplinary action and even dismissal from employment.


Retaining your Information

The Trust will retain your information for as long as you receive health care services from us, and in line with Health and Social Care Records Management Code of Practice 2016.

Your Individual Rights

You as an individual have the right to:

  • Be informed about what information an organisation holds about you as the 'Data Subject'
  • Access that information (commonly known as a ‘Subject Access Request’)
  • Rectify any inaccuracies in that information
  • In certain circumstances, have that information erased (known sometimes as the ‘right to be forgotten’)
  • Object to the processing of that information and restrict that processing
  • Know whether certain decisions have been made about you through automated decision making or profiling.


Further information can be found on our Accessing Your Records page, www.mcht.nhs.uk/accessing-records.


Contact Information

Data Controller Details: 

Mid Cheshire Hospitals NHS Foundation Trust

Leighton Hospital




ICO Registration Number: Z4846564


Data Protection Officer:

Stuart Basford

Mid Cheshire Hospitals NHS Foundation Trust

Leighton Hospital




Email: dpo@mcht.nhs.uk 

Telephone: 01270 273812


The Information Commissioner

Wycliffe House

Water Lane,




Telephone: 01625 545700.


Changes to our policy

If our privacy policy changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.

General Data Protection Regulation Rights

Subject Access Requests (SAR)

The GDPR gives individuals (Data Subjects) the right to request, and in most cases to be given, a copy of the information which Mid Cheshire Hospitals NHS Foundation Trust holds about them. This is called a Subject Access Request (SAR).

Please note that the Act only entitles an individual to see, or be given a copy of, their own information. You are not entitled to see someone else’s information unless they have given their permission for you to do so. Likewise, someone else cannot ask for your information unless you have given permission for them to do so. This applies to spouses, relatives, friends etc.

If you want to see, or be given, a copy of information that Mid Cheshire Hospitals NHS Foundation Trust holds about you, you need to make a Subject Access Request.

The Trust is not required to respond to a request made verbally, but depending on the circumstances, it may be reasonable to do so (as long as we are satisfied of your identity).

As a requestor you do not have to tell us the reason for making the request or what you intend to do with the information. However, explaining the purpose of the request may help us to find the relevant information.

What Information am I entitled to?

‘Subject Access’ is most often used by individuals ('Data Subjects') who want to see the information the Trust holds about them, but it now goes further than this and entitles an individual to be:

  • Told whether any personal data is being processed
  • Given a description of that information and be told whether it will be shared with any other organisation or people
  • Given details of the source of the data (where this is known and available)
  • Given access to their personal information
  • Given other supplementary information - this will correspond to the information supplied in our ‘Privacy Policy’.


‘Subject Access’ provides a right for you to see your own personal data, rather than a right to see copies of documents that contain personal data.

Is there a fee for submitting a Subject Access Request?

The Trust must provide a copy of the information free of charge. However, the Trust can charge a ‘reasonable fee’ when the request is deemed ‘manifestly unfounded or excessive’ and particularly if it is repetitive.

The Trust can also charge a ‘reasonable fee’ to comply with a request for further copies of the same information.

The fees will be based on administrative costs of providing the information; for example photocopying, postage and packaging.

How long does the Trust have to comply?

Information must be provided without delay and at the latest within one calendar month of receipt of the request. However, the Trust can extend the period of compliance by a further two months where requests are complex or numerous. If this is the case the Trust will inform you within one month of receipt of the request and explain why the extension is necessary.

If requests are manifestly unfounded or excessive because they are repetitive, the Trust can:

  • Charge a ‘reasonable fee’ taking into account administrative costs or refuse to respond.
  • If the request is for a large amount of personal data, the Trust is permitted to ask you to specify the information the request relates to.


Verifying your identity

The Trust has a legal obligation to verify the identity of the Data Subject and any authorised person making the request and to verify if they are entitled to the information.

The Trust will verify the identity of the person making the request, using ‘reasonable means’.

Can information be exempted?

Some types of personal information are exempt from the right of subject access and so cannot be obtained by making a ‘Subject Access Request’.

Information may be exempt because of its nature or because of the effects its disclosure is likely to have.

There are also some restrictions on disclosing information in response to a subject access request that would involve disclosing information about another individual.
