We recognise that privacy notices can feel complex and difficult to read. Our aim is to provide information that is clear, accessible and reassuring, helping you understand:
- what information we collect about you
- how and why we use it
- how we keep it safe
- the choices and rights you have
This notice is intended primarily for patients, service users, carers and members of the public.
Who we are
Bristol NHS Foundation Trust is an NHS organisation responsible for providing healthcare services to the people we serve. For the purposes of data protection law, Bristol NHS Foundation Trust is the Data Controller for the personal information it holds.
This means we are responsible for deciding how your personal information is used and for making sure it is handled lawfully, fairly and securely.
Senior accountability for information assurance sits with:
- the Senior Information Risk Owner (SIRO) at Board level
- the Caldicott Guardian, who is responsible for safeguarding patient confidentiality
- the Data Protection Officer, who provides independent oversight of GDPR compliance
What information we collect
We collect and use information that is necessary to provide you with safe and effective care, which may include:
- basic details such as your name, address, date of birth and NHS number
- contact details such as telephone number and email address
- information about your physical or mental health, care and treatment
- information from other health or care professionals involved in your care
- feedback or experience information that you choose to provide
Most health records are held securely in electronic systems. Access is tightly controlled so that only authorised staff who need the information for your care or for lawful purposes can see it.
Why we use your information
We use personal information to:
- provide, manage and document your care and treatment
- ensure continuity of care between services
- communicate with you about appointments, results and care (for example by letter, SMS, email or the NHS App)
- work safely and effectively with other health and care organisations involved in your care
- monitor, evaluate and improve our services
- investigate concerns, incidents or complaints
- meet legal, regulatory and statutory requirements
Where appropriate, information used for planning, audit, research or service improvement is anonymised or pseudonymised so that individuals are not identifiable.
Lawful basis for using your information
We do not usually rely on consent to use your personal information for your direct care.
Most processing is carried out because it is:
- necessary for a public task – providing healthcare as part of our NHS duties
- required by law – for example to keep clinical records or respond to regulators
- necessary to protect vital interests – such as in emergency or life‑saving situations
Because of these legal duties, some rights (such as deletion of medical records) may not always apply.