Privacy Notice

Oxford Health NHS Foundation Trust is a community focused organisation that provides physical, mental health and social care for people of all ages across Oxfordshire, Buckinghamshire, Swindon, Wiltshire, Bath and North East Somerset.

Our Trust is registered with the Information Commissioner’s Office to process personal and special categories of information under the Data Protection Act 2018 and our registration number is Z1411013.

About the Trust

Our services are delivered at community bases, hospitals, clinics and people’s homes. We focus on delivering care as close to home as possible.

Our vision is that no matter who you are or where you are, you will tell us that you receive: “outstanding care delivered by outstanding people.” Our values are to be caring, safe and excellent.

For information on all our services please visit “Your Services” on our website at

Photo of Highfield Unit building.

Personal information

Why do we collect personal information about you?

In this Privacy Notice the term Personal Information means any information about you or other people.

In order to provide you with the appropriate and best possible health and social care and treatment, our staff need to collect and maintain information about your health, treatment and care. 


Personal information that we collect about you can be held in:

  • Paper format in a structured file
  • On an electronic patient record system

There are different systems used in the Trust depending on which service you are referred to. 

Some services may wish to video and/or audio record part of your treatment. This would be with your knowledge and consent.

CCTV is used by the Trust in some internal and external areas. This is for the following purposes:

  • To protect patients, employees, and visitors.
  • To protect Trust premises and Trust assets.
  • To support the Police in reducing and detecting crime.
  • To assist in identifying, apprehending and prosecuting offenders.
  • To assist in traffic management.

Legal basis

What is our legal basis for processing personal information?

The Trust processes personal information for the purpose of the provision of:

“health and Social care treatment to include the management of health and social care systems and services”.  

This is a “Public Task” as set down in UK Law.

Read more about the legislation, Data Protection Act 2018.  

Photo of a man signing a legal document

Collection of personal information

What personal information do we need to collect about you and how do we obtain it?

Creating a health and social care record we need to collect demographic information consisting of:

  • Your name
  • Address (including correspondence if different)
  • Telephone numbers
  • Date of birth
  • Ethnic origin
  • Contacts (next of kin, familial, carers)
  • GP details.

Further information may be collected such as your marital status, occupation, religion, email address, place of birth, overseas status and any preferred name or alias.

It is important for us to have a complete picture of you as this will assist staff to deliver appropriate treatment and care plans and contact you, in accordance with your needs. 

We may also hold sensitive personal information about you, which could include:

  • Notes and reports about your health, treatment and care, including:
    • Your medical conditions
    • Your dental health
    • Your mental health
    • Results of investigations, such as x-rays and laboratory tests
    • Future care you may need
    • Personal information from people who care for and know you, such as relatives and health or social care professionals
    • Other personal information such as smoking status and any learning disabilities
    • Whether or not you are subject to any protection orders regarding your health, wellbeing and human rights (safeguarding status)

Health and social care record

Creating a health and social care record – collecting information about you from different sources.

  • The data may be collected directly from you, as the patient or a relative, carer or health or social care professional.
  • The data may be collected from your GP or another healthcare provider at the point of referral.
  • The data may be collected from another Hospital Provider at the point of transfer
Photo of a clinician updating a patient health record

Use of personal information

What do we do with personal information and what we may do with personal information?

Personal information is used to manage and assist the staff involved in your care in ensuring that you are appropriately assessed and advised on the most appropriate care for you.

Personal information is used to ensure that the type of care given by the different types of service providers is communicated and shared with all relevant health professionals.

Where possible, we will always look to anonymise/pseudonymise personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it and we will only use/share the minimum information necessary.

Personal information may be used to provide information to other healthcare professionals, or if you are referred to a specialist or another part of the NHS, social care or health provide.

It may also be used to:

  • Remind you about your appointments and send you relevant correspondence
  • Review the care we provide to ensure it is of the highest standard and quality, e.g. through audit or service improvement
  • Support the funding of your care, e.g. with commissioning organisations
  • Prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies
  • Help to train and educate healthcare professionals
  • Report and investigate complaints, claims and untoward incidents
  • Report events to the appropriate authorities when we are required to do so by law
  • Train healthcare professionals and support research and development
  • Contact you with regards to patient satisfaction surveys relating to services you have used without our hospitals so as to further improve our services to patients

Information sharing

Who do we share information with and why?

The trust is required to protect personal information and inform you of how personal information will be used.

The trust provides health care services and personal information that can be shared as part of providing a health care service.

Personal information you provide to the trust in confidence will only be used for the purposes explained to you.

The trust does share information with consent, but importantly can also use information about you where there is another legal basis to do so.

We may need to share relevant personal information with other NHS or Non-NHS Organisations.

Sometimes special permission will be given to use information that identifies you without your consent. This may be for medical research or checking quality of care.

This permission is given by the Secretary of State for Health on advice from the National Information Governance Board for Health and Social Care under strict conditions.

For approved medical research. In most instances the information will be made anonymous so that you cannot be identified. If this is not possible, we will ask for your consent to participate or request approval from the Health Research Authority. Should you not wish information about you to be used for research please speak to your clinical team who are treating you.

The trust may be required by law to share information provided to us. The trust would not disclose any health information to third parties without your explicit consent, however there may be circumstances where the law permits or requires us to share.

Where appropriate the trust will notify you of this sharing. The trust may be required by law to share information provided to us with other bodies these may be, but not limited to:

  • Those responsible for auditing or administering public funds, in order to prevent and detect fraud. 
  • Disclosure under a court order
  • Sharing with the Care Quality Commission for inspection purposes
  • Police for the prevention or detection of crime or where there is an overriding public interest to prevent abuse or serious harm to others and other public bodies

Sharing personal information with other NHS Organisations would be for the purpose of healthcare.

These authorities would be:

  • NHS England
  • Public Health England
  • Other NHS Trusts
  • General Practitioners (GPs)
  • Ambulance Services
  • Primary Care Agencies. 

This may also include those contracted to provide service to the NHS in order to support your healthcare needs.

Sharing personal information with Non-NHS Organisations from which you may be receiving care could include Social Services or private care homes.

If you are registered with a Buckinghamshire GP, the Trust shares information about you with other health and care organisations that may be involved in your care as part of the Buckinghamshire My Care Record programme.

My Care Record is a programme of work to help make sure that health and care professionals involved in your treatment and care can securely access up-to-date information about you to help them make the right choices about the care and medical attention you need.

For more information about My Care Record, please visit

The Trust is one of many organisations working in the health and care system to improve care for patients and the public.

The information collected about you when you are using NHS services can be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness.

All of these help to provide better health care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.

Your choice

You have a choice about whether you want your confidential patient information to be used in this way.

Learn more

You can find out more about the wider use of confidential personal information and to register your choice to opt out by visiting:

Maintenance of personal information

How do we maintain personal information that is held as a health and social care record?

Personal information is held in both paper and electronic format. This is in line with the NHS Records Management Code of Practice for Health and Social Care 2016 and National Archives Requirements

We hold and process information in accordance with the Data Protection Act 2018 (subject to parliamentary approval) as amended by the GDPR 2016. 

In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements

The Department of Health and the Information Governance Alliance have set out the current retention periods for maintaining a health and social care record. 

The information is kept as long as necessary for your health needs and in line with the standards and you can find these on this link, NHS Record Management code of practice: 

We have a duty to:

  • Maintain full and accurate records of the care we provide to you
  • Keep records about you confidential and secure
  • Provide information in a format that is accessible to you

Security of personal information

The Trust is required to ensure that personal information is held securely.

We take appropriate technical and organisational measures including securing computers with access control through user names and passwords for electronically held personal information.

For personal information held on paper, this information is held in locked facilities and where permanently based for archive purposes the records are held in secure external storage.

Photo of secure storage of paper health records

What are your rights?

  • You have the right to request access to the personal data we hold about you, e.g. in health and social care records.
  • You have the right to request the correction of inaccurate or incomplete personal information where it is recorded within a health and social care record, subject to certain safeguards. 
  • You have the right to refuse/withdraw consent to the sharing of personal information if it is beyond the purpose for which it is collected and held, (e.g. research). Should you not wish information about you to be used for research without your consent (anonymous) please speak to your clinical team who are treating you. 
  • You have the right to request the correction of inaccurate or incomplete information recorded in the record, subject to certain safeguards. 
  • You have the right to request personal information to be transferred to other providers on certain occasions, this may include another international organisation.

National Clinical Audit of Psychosis

We are taking part in the National Clinical Audit of Psychosis to help improve the care people with Psychosis receive.

We will be collecting information about the care received by people in Early Intervention in Psychosis (EIP) services.

Contact information

Data Protection Officer

Please contact the Head of Information Governance:

Mark Underwood

IM&T Directorate, The White Building, Littlemore Mental Health Centre, 33 Sandford Road, Littlemore, Oxford. OX4 4XN

Data Protection Impact Assessment (DPIAs)

Information Commissioner’s Office

The Information Commissioner’s Office (ICO) is the body that regulates the trust under Data Protection and Freedom of Information legislation. 

If you are not satisfied with our response or believe we are processing personal information not in accordance with the law you can complain to the ICO at: 

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF 6 

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number 

Fax: 01625 524 510