Privacy Notice

This Privacy Notice explains how Bristol NHS Foundation Trust uses, shares and protects your personal information.

We recognise that privacy notices can feel complex and difficult to read. Our aim is to provide information that is clear, accessible and reassuring, helping you understand:

  • what information we collect about you
  • how and why we use it
  • how we keep it safe
  • the choices and rights you have

This notice is intended primarily for patients, service users, carers and members of the public.

Who we are

Bristol NHS Foundation Trust is an NHS organisation responsible for providing healthcare services to the people we serve. For the purposes of data protection law, Bristol NHS Foundation Trust is the Data Controller for the personal information it holds.

This means we are responsible for deciding how your personal information is used and for making sure it is handled lawfully, fairly and securely.

Senior accountability for information assurance sits with:

  • the Senior Information Risk Owner (SIRO) at Board level
  • the Caldicott Guardian, who is responsible for safeguarding patient confidentiality
  • the Data Protection Officer, independent oversight of GDPR compliance

What information we collect

We collect and use information that is necessary to provide you with safe and effective care, which may include:

  • basic details such as your name, address, date of birth and NHS number
  • contact details such as telephone number and email address
  • information about your physical or mental health, care and treatment
  • information from other health or care professionals involved in your care
  • feedback or experience information that you choose to provide

Most health records are held securely in electronic systems. Access is tightly controlled so that only authorised staff who need the information for your care or for lawful purposes can see it.

Why we use your information

We use personal information to:

  • provide, manage and document your care and treatment
  • ensure continuity of care between services
  • communicate with you about appointments, results and care (for example by letter, SMS, email or the NHS App)
  • work safely and effectively with other health and care organisations involved in your care
  • monitor, evaluate and improve our services
  • investigate concerns, incidents or complaints
  • meet legal, regulatory and statutory requirements

Where appropriate, information used for planning, audit, research or service improvement is anonymised or pseudonymised so that individuals are not identifiable.

Lawful basis for using your information

We do not usually rely on consent to use your personal information for your direct care.
Most processing is carried out because it is:

  • necessary for a public task – providing healthcare as part of our NHS duties
  • required by law – for example to keep clinical records or respond to regulators
  • necessary to protect vital interests – such as in emergency or life‑saving situations

Because of these legal duties, some rights (such as deletion of medical records) may not always apply.

Data sharing and partnership working

Providing high‑quality care often means working closely with other organisations involved in your health and care.

We share personal information lawfully and securely with partner organisations where there is a clear need to do so, for example to support your direct care or to improve local health and care services.

Bristol NHS Foundation Trust is part of the Bristol, North Somerset and South Gloucestershire (BNSSG) Integrated Care System (ICS).

Within BNSSG, organisations that share information do so in line with the BNSSG / Integrated Care Board (ICB) Data Sharing Charter, which sets out shared principles for:

  • protecting confidentiality and privacy
  • using only the minimum necessary information
  • sharing data safely, transparently and lawfully
  • respecting patient choice, including the National Data Opt‑Out

This charter supports consistent and trustworthy information sharing across NHS and local authority partners to improve care, reduce duplication and support better outcomes for patients and service users.

Sharing information with others

Your information is treated as confidential. We only share it where there are a lawful basis and a clear need to do so.

This may include sharing information with:

  • healthcare professionals and NHS organisations directly involved in your care
  • your GP and community care providers
  • ambulance services and urgent care providers
  • local authorities and social care services where relevant
  • trusted suppliers who provide services to us (such as IT systems or patient communication services), under strict contractual and security controls

We will never sell your information and will not use it for marketing or insurance purposes without your explicit consent.

Patient communications and digital services

We use approved digital systems to support patient care and communication, such as appointment reminder services, patient portals and the NHS App.

These services help us to:

  • send appointment reminders and updates
  • provide access to digital letters or documents
  • support virtual consultations where appropriate

You can manage your communication preferences through the NHS App or by contacting our services directly. Choosing to opt out of certain communications may affect how quickly we can contact you about your care.

National Data Opt‑Out

When you receive health or care services in England, information about you may also be used beyond your individual care for purposes such as:

  • planning and improving health and care services
  • research
  • protecting public health

You have a choice about whether your confidential patient information is used in this way.

What the National Data Opt‑Out means

  • it applies only to uses of information beyond your direct care
  • it does not affect your treatment or care
  • it applies across health and care organisations in England

How to manage your choice

You can change your choice at any time. If you are happy for your information to be used in this way, you do not need to do anything.
Please note that some uses of information are required by law and are not affected by the opt‑out.

How long we keep information

We keep personal information in line with the NHS Records Management Code of Practice. Records are retained only for as long as necessary for their purpose and are then securely disposed of.

Different types of records have different retention periods depending on legal and clinical requirements.

Your rights

Data protection law gives you important rights over how your personal information is used, including the right to:

  • request access to your personal information (a Subject Access Request)
  • ask for information to be corrected if it is inaccurate or incomplete
  • object to certain uses of your information in specific circumstances
  • request that processing is restricted in limited situations

These rights are not absolute and may be limited where we have a legal duty to continue using or retaining information.

How to contact us

Data protection enquiries

Information Governance / Data Protection Officer

Southmead site email: Information.Governance@nbt.nhs.uk

City and Weston sites email: InformationGovernance@uhbw.nhs.uk 

You also have the right to raise concerns with the Information Commissioner's Office (ICO) if you remain dissatisfied with how your information has been handled.

Services integrated on this website

  • Klaro!
  • Cludo AI 
  • Google Analytics 
    • Anonymous information your web browser gives us, such as your computer's IP address, your city and your screen size. We also monitor your use of the website by seeing which pages you visit and how long you spend on them. We send this information to Google's "Google Analytics" service so that we can measure how effective our website is at giving you the information you're after.

Keeping this notice up to date

We review this Privacy Notice regularly to ensure it remains accurate and reflects how we use your information. The most up‑to‑date version will always be available on our website.

Page last updated: 1 July 2026