Patient Privacy Notice – How We Use, Share & Protect Your Personal Information

Coronavirus (Covid-19) Pandemic: how data about you is used

Please see our Covid-19 privacy notice for further information about how we may share personal data about you during the Covid-19 pandemic.


The Care Organisations within the Northern Care Alliance process patient’s Personal Data for a number of reasons outlined in this Privacy Note. Personal data is information that relates to a living individual who can be identified from that data.

The Trusts are registered with the Information Commissioner's Office as a Data Controller reference Z5006706 for Salford Care Organisation and Z6519461 (which comprises Salford Royal Hospital, community services for Salford, Bury and Oldham) for the Pennine Care Organisations (which comprises North Manchester Hospital, Rochdale Royal Infirmary, Fairfield General Hospital and Rochdale community services), as required by the Data Protection Act 2018.

Why do we keep information about you?

The organisation uses and manages the information it holds about you, including how the information may be shared with other NHS organisations and with non-NHS organisations, and how the confidentiality of your information is maintained. 

We store and use your data under the legal governance of the NHS Plan 2000, the Health Services Act 2006, Health & Social Care Act 2012 and the Care Act 2015.

We hold your personal data for the purposes of providing you with appropriate care and treatment. 

We keep records about the health care and treatment we provide to you. This helps to ensure that you receive the best possible care from us. 

We may also use personal details to issue patient satisfaction surveys relating to the services used. It helps you because: -

  • Accurate, up-to-date information is important for providing the right care;
  • If a patient has to see another doctor or is referred to a specialist or to another part of the NHS, then full details of the patient's healthcare can be made available;
  • Satisfaction surveys enable the Organisation to improve the way it delivers healthcare to its patients.

It helps us: -

  • To plan, manage and audit the health services we provide;
  • To prepare statistics on our performance;
  • To monitor how we spend public money;
  • To teach and train healthcare professionals;
  • To conduct health research and development;
  • To support clinical trials
  • To support cases to obtain funding for your care;
  • Reporting and investigating complaints, claims and untoward incidents;
  • Reporting events to the appropriate authorities when we are required to do so by law.

Please remember that you have the right to access personal information about you held by the organisation, either to view the information in person, or to be provided with a copy.

If you want to access your health records then please contact: -

For Salford Royal NHS Foundation Trust

InformationSecurity& or by telephoning 0161 206 7251 

For Pennine Acute Hospitals Trust: - or by telephoning 0161 627 8591, 0161 656 1215, 0161 656 1750

What information do we hold about you

  • Identity details - name, date of birth, NHS Number
  • Contact details - address, telephone, email address
  • 'Next of kin' - the contact details of a close relative or friend
  • Details of any A&E visits, in-patient spells or clinic appointments
  • Results of any scans, X-rays and pathology tests
  • Details of any diagnosis and treatment given
  • Information about any allergies and health conditions
  • Relevant information about people who are involved in your care and know you
  • Details about people associated with you such as your children, partners, carers relatives
  • Information sent about you to us from others involved in your care such as your GP, Optician, schools etc

By providing us with your contact details, you are agreeing for us to use these channels to communicate with you about your healthcare, i.e. by letter (postal address), by voice-mail or voice-message (telephone or mobile number), by text message (mobile number) or by email (email address).

We manage all records to the minimum retention periods stated in the NHS Records Management Code of Practice for Health and Social Care. To support your future care needs and to support population health and as your records may become vital in the care of family members or may be used in research or clinical trials we do not destroy or archive electronic clinical records.

How will we keep your information secure and confidential?

All members of staff working in the NHS and other healthcare organisations have a legal duty of confidentiality to keep your information strictly confidential (unless in extreme circumstances where your safety or that of others is compromised). Everyone working for this organisation is subject to the Common Law Duty of Confidence. 

Information provided in confidence will only be used for the purposes advised and consented to by the patient, except in circumstances where the law requires or allows the Organisation to act otherwise. 

What laws are relevant to the handling of personal information? 

  • The General Data Protection Regulation 2018, formerly The Data Protection Act 1998 (including the Data Protection Bill 2018)
  • The Human Rights Act 1998
  • Freedom of Information (Scotland) Act 2002
  • Computer Misuse Act 1998
  • Access to Health Records Act 1990
  • The Human Rights Act 1998
  • Common law Duty of Confidentiality
  • NHS Codes of Practice
  • National Opt Out Policy

How patient records are shared? 

This organisation shares patient information with a range of organisations or individuals for a variety of lawful purposes, including:

  • Disclosure to GPs and other NHS staff for the purposes of providing direct care and treatment to the patient, including administration;
  • Disclosure to social workers or to other non-NHS staff involved in providing healthcare;
  • Disclosure to specialist organisations for the purposes of clinical auditing;
  • Disclosure to those with parental responsibility for patients, including guardians;
  • Disclosure to carers without parental responsibility (subject to explicit consent);
  • Disclosure to medical researchers for research purposes (subject to explicit consent, unless the data is anonymous);
  • Disclosure to NHS managers and the Department of Health for the purposes of planning, commissioning, managing and auditing healthcare services;
  • Disclosure to bodies with statutory investigative powers - e.g. the Care Quality Commission, the GMC, the Audit Commission, the Health Service Ombudsman;
  • Disclosure to national generic registries - e.g. the UK Association of Cancer Registries;
  • Disclosure, where necessary and appropriate, to non-statutory investigations - e.g. Members of Parliament;
  • Disclosure, where necessary and appropriate, to government departments other than the Department of Health;
  • Disclosure to solicitors, to the police, to the Courts (including a Coroner's Court), and to tribunals and enquiries;
  • Disclosure to the media (normally the minimum necessary disclosure subject to explicit consent)

Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows: 

  • When there is a Court Order or a statutory duty to share patient data;
  • When there is a statutory power to share patient data;
  • When the patient has given his/her explicit consent to the sharing;
  • When the patient has implicitly consented to the sharing for direct care purposes;
  • When the sharing of patient data without consent has been authorised by the Confidentiality Advisory Group of the Health Research Authority (HRA CAG) under Section 251 of the NHS Act 2006
  • Patient information may be shared, for the purposes of providing direct patient care, with other NHS 'provider' organisations, such as NHS Acute Trusts (hospitals), NHS Community Health (primary care), NHS general practitioners (GPs), NHS ambulance services etc.

In such cases, the shared data must always identify the patient for safety reasons. 

For the purposes of commissioning and managing healthcare, patient information may also be shared with other types of NHS organisations, such as the local Clinical Commissioning Group (CCG), and the Health & Social Care Information Centre (part of NHS England).

In such cases, the shared data is made anonymous, wherever possible, by removing all patient-identifying details, unless the law requires the patient's identity to be included. 

For the benefit of the patient, the Organisation may also need to share patient health information with non-NHS organisations which are also providing care to the patient.

These may include social services or private healthcare organisations.

However, the Organisation will not disclose confidential health information to third parties without the patient's explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires disclosure. 

The Organisation may also be asked to share basic information about its patients, such as names and addresses, which does not include sensitive health information. 

Generally, the Organisation would do this where it is necessary to assist an organisation to carry out its statutory duties.

These non-NHS organisations may include, but are not restricted to: social services, education services, local authorities, the police, voluntary sector providers, and private sector providers. 

As it may not be practicable in such circumstances to obtain patients' explicit consent, the Organisation is informing its patients through this notice, which is referred to as a Fair Processing Notice, under the Data Protection Act 1998.

Where patient information is shared with other non-NHS organisations, or for reasons other than direct patient care, it is good practice for a Data Processing Contract to be drawn up to ensure that information is shared in a way that complies with all relevant legislation.

The NHS Utilisation Management Unit (UM Unit; hosted by Manchester University NHS Foundation Trust) is commissioned by NHS organisations such as Clinical Commissioning Groups and NHS Trusts, to process data on their behalf. The purpose of data processing by the UM Unit is to undertake review of clinical pathways, clinical audit and other types of service evaluation to improve services for patients. Any access to patient personal data by the UM Unit for these purposes is strictly limited, and explicitly approved by the Trust through the completion of Data Protection Impact Assessment.

What are your rights under GDPR? 

How will we keep your information secure and confidential?

Under GDPR you have a number of rights. These are listed below.

  • That your rights are communicated to you in such a way as to be open, honest and easy to read and understand
  • You should be informed which data we hold has been collected from you and that which has been collected from others
  • You have a right of access to the data we hold on you. This will include how much, of what type, who we share it with and why. You also have the right to know what safeguards we us to protect your data at any point of our handling or sharing your data
  • You have the right to have mistakes or errors in your data corrected which includes having missing data completed.
  • You have the right of erasure also known as the right to be forgotten. This will depend on the legal justification for why you provided the data. For instance most, medical records are collated under the Health and Social Care Act and therefore are not able to be erased. Research and clinical trials data is also protected by the Data Protection Bill. However if you consent for your data to be used outwith of these in all likelihood it will be able to be erased if you wish.
  • You have the right to restrict processing. This means you can stop your data from being used under certain circumstances.
  • You have the right of data portability. This is to have your data provided to you in a format easily read by a commonly used computer program.
  • You have the right to object under certain circumstances to your data being processed.
  • You have the right to prevent automatic decision making. An example of this is when you apply for a loan via the internet and the decision is made via a computer.
  • You have the right to prevent profiling. This is when the recording and analysis of a person's psychological and behavioural characteristics is used. However health profiling is sometimes essential to help us support wellness.
  • You have a right to complain and contact details are written at the end of this document.

Breakup of The Pennine Acute Hospitals NHS Trust and split of services between Manchester University NHS Foundation Trust and Salford Royal NHS Foundation Trust

Pennine Acute Hospitals NHS Trust will cease to be a single organisation. North Manchester General Hospital will move to become part of Manchester University NHS Foundation Trust (MFT), and the residual parts of Pennine (Royal Oldham Hospital, Fairfield Hospital and Rochdale Infirmary) will become Care Organisations within Salford Royal Foundation Trust, which is part of the Northern Care Alliance (NCA).

However here is a  key update on the progress being made on the future arrangements for PAT hospitals.

We are now technically ready to deliver the safe disaggregation (i.e. separation) of PAT sites and services on 1 April 2021 as planned.

From 1 April, MFT will formally acquire and be responsible for NMGH. The NCA will continue to deliver some services on site or jointly.

From now on, parts of or all of your care may start to be provided by either the NCA or MFT. To ensure that your care is informed by your previous history, the NCA and MFT will be joint data controllers for your data. This means that your personal and special category data will follow you wherever you go ensuring that you continue to receive safe, high quality care. This arrangement will continue for as long as is required to ensure that your relevant care data is available in each organisation you attend.

Work is taking place to prepare for this change, and we will be sharing a minimal amount of personal data between the organisations to make sure that, from 1 April 2021, your care will be transitioned smoothly .e.g. limited use of clinical data for finance purposes, limited use of personal and special category data i.e in some cases only your NHS No. will suffice.

Due to the complexity of the NCA’s part of the PAT transaction, we have asked for an extension by up to six months to formally complete our part of the legal transaction. This means it will complete by no later than the end of September 2021. The NCA will continue with a Management Agreement for Oldham, Rochdale and Bury Care Organisations during this interim period.

Pennine Acute Trust will therefore remain a statutory organisation until the transaction is fully complete and the PAT Board and Trust is dissolved.

On 1 April 2021 services will be disaggregated as planned so that MFT can acquire NMGH by a commercial transfer.

The legal aspects of the transfer of Oldham, Rochdale and Bury Care Organisations to the NCA as a statutory legal entity will be completed before 30 September 2021, formally establishing the Northern Care Alliance NHS Foundation Trust and the final dissolution of PAT, subject to approval by regulators and the Secretary of State for Health.

We will keep you updated on this progress using the websites for MFT and the NCA and the Privacy Notice available for each organisation. If you would like to contact us in regards to this, please contact us at

Essential Contacts

The Data Controller

The Data Controller for the Northern Care Alliance is Sir David Dalton. He can be contacted via

The Data Protection Officer

The Data Protection Officer for the Northern Care Alliance can be contacted via

The Caldicott Guardian

The Caldicott Guardian for the Northern Care Alliance can be contacted via

Freedom of Information Requests

If you want to make a request for information held by Salford Royal NHS Foundation Trust send details to 

If you want to make a request for information held by Pennine Acute Hospitals Trust send details to or by telephoning 0161 206 6610

Subject Access Requests

If you want to access your health records then please contact: - 

For Salford Royal NHS Foundation Trust

InformationSecurity& or by telephoning 0161 206 1130

For Pennine Acute Hospitals Trust: - or by telephoning 0161 627 8591, 0161 656 1215, 0161 656 1750 

The Information Commissioner

You have the right at anytime to complain about how we have processed your data by contacting the Information Commissioner: -

The Information Commissioner's Office (ICO)

Wycliffe House

Water Lane




Tel: 0303 123 1113 or 01625 545745

Information Commissioner's Office website (