Legal Bases and Statutory Duties

Direct Healthcare

To collect identifiable data about service users that we are responsible for.

Personal confidential data describes personal information about identified or identifiable individuals, which should be kept private or secret and includes deceased as well as living people. 

Legal Basis

Processing is necessary for the performance of a contract which the patient has taken steps to enter into, and is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or management of social care systems and services.

Statutory Duty under the NHS Act 2006, Common Law Duty of Confidentiality, Human Rights Act 1998


To collect identifiable data about employees that we are responsible for.  Data collected includes, but is not limited to, the following:

  • Staff administration (payroll and pensions)
  • Education, training and development
  • Information and database administration
  • Business management and planning
  • Accounting and auditing
  • Criminal prosecution and prevention
  • Health administration and services
  • National fraud initiatives
  • Quality monitoring (such as staff surveys)

Key payroll data may be provided to bodies responsible for auditing and administering public funds for the purposes of preventing and detecting fraud.

Legal Basis

By signing your contract with the trust, you consent to us holding and processing any information about you which you provide to us, or which we may acquire as a result of employment.  These include circumstances where the processing is necessary for the performance of staff contracts with us or for compliance with any legal obligations which apply to us as your employer.

Statutory Duty under the Equality Act 2010, Health & Safety at Work Act 1974 and Employment Rights Act 1996


To provide information in order to fulfil a contractual obligation with a third party for supply of goods and services to the Organisation.

Legal Basis

Processing is necessary for the performance of a contract for supply of services and is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or management of social care systems and services.


To collect NHS data about service users that we are responsible for. 

Processing Activities

Hospitals and community organisations that provide NHS-funded care must submit certain information about services provided to our service users. 

This information is generally known as commissioning datasets and they relate to service users registered with us. 

These datasets are then used in a format that does not directly identify you, for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population, and to gain evidence that will improve health and care through research. 

The datasets include information about the service users who have received care and treatment from those services.  They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender, as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included. 

We also share information that does not identify you for a number of other purposes such as:

  • Performance managing contracts; 
  • Reviewing the care delivered by providers to ensure service users are receiving good quality and cost effective care; 
  • To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement;
  • To help us plan future services to ensure they continue to meet our local population needs; 
  • To reconcile claims for payments for services received in your GP Practice; 
  • To audit NHS accounts and services. 

Statutory Duty under the Health and Social Care Act 2012

If you do not wish for your information to be included in these datasets a National Opt Out Programme is available:  

National Data Opt Out Programme

Patients and the public who decide they do not want their personally identifiable data used for planning and research purposes will be able to set their national data opt-out choice online. We will provide a non-digital alternative for patients and the public who can't or don't want to use an online system. Individuals can change their mind at any time. Existing Type 2 opt-outs (the option for a patient to register with their GP, to prevent their identifiable data leaving NHS Digital) will be converted to the new national data opt-out. Patients with Type 2 opt-outs will be informed of this change individually.


To collect personal information about you when you ask about our activities, make a donation to us, register for an event, engage with our social media, order products and services (such as newsletters), or otherwise give us personal information.

Legal Basis

We will only process your personal data where we have your explicit consent.


Foundation Members

To inform you of Governor Elections and voting information, and to distribute membership newsletters and general hospital updates.

Legal Basis

In respect of processing personal data the processing is necessary for the Trust to comply with its legal obligations under the National Health Service Act 2006 and for the performance of a "public task" laid down in law; and

In respect of any "special category data" the processing is necessary for reasons of substantial public interest, or is necessary for the management of healthcare services.


To support research-orientated proposals and activities.

Legal Basis

Your consent will be obtained before identifiable information about you is disclosed for any research. 

Sometimes research can be undertaken using information that does not identify you. The law does not require us to seek your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken. 


Researchers can provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole. 

Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records. 

Processing Activities

Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies. 


To support evaluation of services to assist with monitoring and service planning.

Legal Basis

Evaluation of tasks carried out in the exercise of official authority by the controller for the reasons of public health, to ensure high standards of healthcare and of medicinal products or medical devices.

Statutory Duty under the NHS Act 2006


We have installed CCTV cameras in our offices in areas that are used by members of the public and staff.

Legal Basis

This is for the purposes of public safety and crime prevention / detection.  In all locations, signs are displayed notifying that CCTV is in operation and providing details of whom to contact for further information about the scheme.


We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns. 

Legal Basis

Because of public interest issues, e.g. to protect the safety and welfare of vulnerable children and adults, we will rely on a statutory basis rather than consent to process information for this use. 

Statutory Duty under the Care Act 2014

Recording of Telephone Calls

Netcall calls are recorded. 


This is to help us ensure that we provide the best possible service to patients. This helps us to deliver care and identify ways that we can provide you with a better service. 

National Registries

National Registries have statutory permission under Section 251 of the NHS Act 2006 to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

Statutory Duty under the NHS Act 2006


To process your personal information if it relates to a complaint where you have asked for our help or involvement. 

Legal Basis

We will need to rely on your explicit consent to undertake such activities. 

Complaint Processing Activities 

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint. 

We will only use the personal information we collect to process the complaint and to check on the level of service being provided. 

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. 

If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis. 

We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.