Read our latest advice on Coronavirus (COVID-19)


Our services are open and safe to attend – we are still here to help

Your health records

Patients and visitors

More in this section

Subject access requests and Freedom of Information requests during the current Coronavirus (COVID-19) pandemic

Guy's and St Thomas' NHS Foundation Trust are committed to complying with 'Right of Access' requests made under the Data Protection Act 2018 and the Freedom of Information Act 2000.

However, the NHS has faced and is continuing to face challenges relating to the coronavirus (COVID-19) pandemic at the current time, and our resources have been prioritised to support our frontline colleagues who are working tremendously hard to provide care for our patients.

The Information Commissioner's Office has recognised the current situation in the NHS as being out of the ordinary.

While it is always our aim to be transparent and to work with a culture of openness, at this time, the care of our patients and the safety of our staff takes precedence. As a result of our prioritisation on supporting frontline colleagues, it is likely that responses to requests for information or records will continue to be delayed, and it may sometimes take up to three months to respond to a subject access request. Therefore, please can we ask that you consider if your request is still required or can be delayed until after the pandemic is over.

It should also be noted that we may not be able to provide copies of paper health records and are still experiencing difficulties with requests that require the ability to print or copy health records to complete access requests. For the period of the COVID-19 restrictions, we will do our best to process requests in a timely fashion. For the past few months we have only processed requests if they, in part or wholly, involve electronic health records systems that staff can access and extract data from. We have also had to suspend requests that require only paper health records to complete. We are trying hard to return to a normal service but still expect there will be delays dealing with requests that require health records or any other content to be printed and scanned.

We apologise for this in advance, and will provide you with an update as soon as we are able to.

For Freedom of Information (FOI) requests, the Trust has experienced delays but will continue to process these as normal. This will be dependent on the availability of staff, which could impact on the delivery time of FOI responses during this challenging period.

If you have a complaint linked to how we are dealing with requests, please contact the Trust's data protection officer at dpo@gstt.nhs.uk.

  • What information we collect and why

    We collect and hold personal information about you when you use or come into contact with our services. This information may be held electronically (in our computer systems) and/or in paper form, depending on the service(s) you have accessed.

    Healthcare

    To support the provision of your healthcare, we collect:

    • basic details about you, such as your name, address, date of birth, next of kin and GP
    • additional contact information such as telephone number (home and/or mobile) and email address – where you have provided it to enable us to communicate with you by email and text
    • a record of dates when we've had contact with you. For example, attendances at an outpatient clinic, a visit to the emergency (A&E) department, or a stay in hospital
    • clinical notes made by our doctors and other healthcare professionals during these contacts detailing presenting symptoms, allergies, medication, diagnosis and treatment, along with any chronic (long-lasting) health conditions, such as diabetes or asthma; and results of the clinical examination undertaken by doctors and other healthcare professionals
    • results of investigations that may have been undertaken, like blood tests, x-rays and scans; and results of observations such as your heart rate and blood pressure
    • photographs, images and videos
    • information from other health professionals that have been involved in your care or that have asked us to be involved in your care, eg your GP
    • lifestyle information that may be clinically relevant, such as whether or not you smoke or use illicit drugs. Information on your occupation and your home setting as this may be relevant to your medical condition
    • your ethnicity, as this can be linked to certain medical conditions
    • your religious beliefs, as this may affect how you wish to be treated in certain circumstances
    • there may also be information from other people involved in your care, such as a relative or someone who helps to care for you
    • personal data about other people who are involved in, or may have an impact on your health and social care, for example relatives, friends, people you live with, people who attend hospital with you and people who visit you in hospital.

    How this information is used

    In the first instance, the doctors and other healthcare professionals create and keep a detailed record of your clinical care to provide a continuous record about your past and current health, because this helps to guide and manage the care you receive.

    We aim to provide you with high-quality, safe care. We may also use the information we collect and hold about you to help us to run and improve the services we provide, along with those of the wider NHS. For example, to help us to:

    • provide you with the best possible care
    • inform decisions that we make about your care
    • make sure your treatment is safe and effective
    • work effectively with others who may be involved in your care, eg your GP
    • review the care we have given to our patients, helping us to ensure that it is of the highest possible standard
    • report on how effective our services are/have been
    • investigate complaints, legal claims and untoward incidents
    • look after the health of the general public
    • plan services to meet patient needs in the future
    • support clinical audit and quality improvement projects, which help us to monitor and improve patient care and outcomes via systematic review of care against explicit criteria. Where indicated, changes are implemented and further monitoring is used to confirm that we have improved our healthcare delivery and identify areas in which improvements could be made
    • ensure that the funds allocated to our Trust are used properly and provide value for money
    • educate and train healthcare professionals
    • undertake research (the local research and development and if necessary the Human Research Authority will be asked to review research requests)
    • prepare statistics on our performance.

    Find out more about our individual services.

    Many of our services also provide leaflets to explain more about the care and treatment they provide.

  • SMS texting and call recording

    When you attend the Trust for an appointment or procedure, you may be asked to confirm that we are holding a correct contact number (home and/or mobile) for you. Where provided to us, this may be used to send you, via text messages and/or automated calls, reminders of upcoming appointments and on occasion to provide you with the option to confirm or cancel your attendance.

    By providing these details to us, we can assist the delivery of care to our patients by ensuring best use of the time available for appointments and procedures at the Trust.

    When you contact the Trust by telephone, calls may be recorded for training purposes.

  • Research

    The Trust is a centre of clinical and research excellence providing quality up to date care. We are actively involved in undertaking research to help improve the care and treatment of our patients. We believe that research matters and saves lives – today's research is tomorrow's care.

    A member of your healthcare team may review your patient record and discuss current clinical trials and research studies with you. If this happens, the study will be explained to you in detail and you will be given a patient information sheet. You will have the chance to ask questions and speak with family and friends about taking part, and will be given time to make your decision. If you decide not to take part in a study this will not impact on the care you receive. If you agree to take part in a study, you will be asked to sign a consent form and will be given a copy to keep.

    Personal data (data that can identify you) may be shared with external research organisations, such as other NHS organisations, universities, charities and commercial companies exclusively for scientific research purposes. More details can be found on the research and development page.

  • Images and audio

    The Trust uses surveillance equipment in the form of closed circuit television (CCTV), body worn video (BWV) and automatic number plate recognition (ANPR) across the Trust. The images (and audio from BWV) are used to help:

    • increase personal safety and reduce the fear of crime
    • support the police and deter, detect and prevent crime
    • assist in identifying, apprehending and prosecuting offenders
    • protect the Trust buildings and other assets
    • protect members of the public, patients, staff and private property
    • assist in traffic management
    • assist in the management of health and safety
    • assist in the investigation of civil claims
    • assist in disciplinary investigations
    • monitor patient safety during clinical procedures.

    Please note BWV is worn and used only by the Trust security staff who have been trained in its use and application. The equipment will only be activated if the security officer believes that an incident is occurring or is about to occur. In addition to the above, BWV also aims to:

    • support a reduction in the number of incidents of violence and aggression
    • support an increase in the number of prosecutions for violence and/or disorder
    • mitigate any malicious complaints against security staff.

    ANPR is used in some of our car parks to facilitate staff access but will, by its nature, capture all number plates as vehicles enter and leave premises.

    Images and audio are retained for a minimum of 31 days, but may be retained for longer than the designated period if needed for an active investigation or legal proceeding.

  • Surveys

    The Trust is committed to listening to and learning from its patients. The NHS Constitution also encourages Trusts to ask patients for feedback on their experience of treatment and care to help the Trust improve the services it provides to the different communities that we serve. To help us do this:

    • we may invite you to complete a survey at the end of your visit or hospital stay or we may send you a text message or call you to ask you about your overall experience of care (the Friends and Family Test question)
    • you may invited to complete a questionnaire as part of the National Patient Survey Programme. The government requires Trusts to carry out these surveys as part of its commitment to inform developments and improvements to NHS services.

    As part of these commitments and in the public interest we may share your contact details and demographic details with an NHS approved contractor to administer these surveys on our behalf. The results of these surveys will be returned to us in an anonymous format. Any decision to take part or not will not affect the care you receive now or in the future.

    If you would like to opt out of these surveys, please contact the patient experience team by emailing patientexperience@gstt.nhs.uk.

  • NHS video call appointments

    As part of our plans to reduce the risk of coronavirus infection, you may be asked to attend one of our virtual clinics through NHS video calling. This allows you to speak to a clinician from home, so you can avoid travelling to our hospitals.

    If you have requested a video consultation using Guy's and St Thomas' video consultation solutions this will be treated the same as any other consultation you have. However, you will need to be aware of the following:

    • we always take your privacy and the security of your personal information very seriously and will do everything we can to ensure it is kept secure and protected. However, you should be aware that no communication over the internet is 100% secure. If you have any concerns about this, you may request a face-to-face or telephone appointment
    • to ensure the safety of your personal information, all communication between the Trust and patient devices is encrypted to NHS standards, we only use corporate devices that have adequate security and protection. All necessary updates are downloaded and strong passwords are always used. The video consultation application itself cannot protect users from spyware so you should always ensure that you have adequate anti-virus/malware protection on any device you use for the video consultation
    • if you choose to use one of the Trust video consultation solutions on your mobile device you should make adequate provision to ensure the security of the device you choose to use
    • we will always conduct a video consultation in a quiet, private space, free of interruptions where others cannot overhear. You are responsible for ensuring that you are in an appropriate environment and recommend that you find a quiet, private place to speak to us
    • you will be provided with instructions for joining your consultation, you should never call us directly
    • the solution will inform you if your device is not capable of running the video consulting solution (it does not check or validate your security)
    • you will need to provide your consent to the terms and conditions of the service and the invitation in order for you to proceed with the scheduled consultation
    • if you share an account with other people, such as your family members, they may have access to some information about the consultation. We advise that you should create your own account
    • if you are using a public or shared device, then you should be aware that some of your personal information may be stored locally on the computer you are using.
  • Consequences of failing to provide data

    We need information about you to support the provision of your healthcare; the information you provide to us helps us to understand any conditions that you may have. If you do not want to provide us with information, or do not want us to share it, then that is your choice, but please be aware that this could seriously affect the care we are able to provide.

    If you have concerns about telling us something or us sharing something about you (for example, if we want to refer you to another service), please talk to the healthcare professional in charge of your care, and hopefully we will be able to reassure you if you have any concerns.

  • The Local Care Record

    The Local Care Record (Bromley, Lambeth and Southwark) and Connect Care (Bexley, Greenwich and Lewisham) systems have been linked, connecting 15,000 care professionals across six boroughs. This means relevant information about you can be safely shared between the staff who need it across the whole of south east London. No matter where you receive care in south east London, the staff looking after you will have the most up-to-date information when they need it.

    For example, if you live in Lewisham but are receiving treatment from Guy's and St Thomas' NHS Foundation Trust, your records are immediately available to the staff looking after you or making the referral.

    How does this help with my care?

    • You won’t have to tell your story to lots of different professionals.
    • You will have fewer unnecessary appointments and tests.
    • Transfer of care between services will be smoother.
    • Care records are available immediately online.
    • Delays in care and treatment will be reduced.
  • Mobile apps

    The Trust, in common with all organisations within the NHS, make use of new technologies in particular opportunities afforded by mobile apps that offer the ability to improve the provision of care or allow improved communications between patients and the Trust which will aid improved healthcare. The Trust will apply the same standards and safeguards to the collection and processing of data using as it does when using any type of information systems.

    Each mobile app adopted by the Trust for official use goes through a security and privacy assessment before being adopted to make sure any risk to patient data is minimised. Wherever possible, patients will be given further information before they are enrolled onto the use of mobile apps.

  • International transfers

    The Trust will make sure that any international transfers of confidential patient information will only be undertaken in accordance with the GDPR and with countries that can ensure an adequate level of protection for the rights and freedoms of our patients. Where applicable, your consent will be sought.

  • How long do we keep your information?

    The length of time we keep your information depends on what sort of information it is. We use the guidance provided in the Records Management Code of Practice for Health and Social Care 2016 to support our actions in relation to records management, including retention periods. The Code is based on current legal requirements and professional best practice. We keep our records for at least the minimum stated required retention period.

  • Lawful processing

    We are only allowed to process your information if we have a legal basis to do so.

    To provide you with healthcare, we process information such as your name, address, and date of birth; this is your 'personal data'. To process your personal data, we must meet one of the criteria in article 6 of the GDPR. The Trust is a public authority tasked with providing healthcare services in the public interest, and it is this role which gives the Trust its legal basis to process personal data under Article 6:

    • 6(1)e – 'Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.'

    Some information, such as health data, is described as 'special category' data, and its processing is prohibited unless we are able to meet one of the additional criteria in article 9 of the GDPR. This is a list of all the 'special categories of personal data':

    • racial or ethnic origin

    • political opinions

    • religious or philosophical beliefs

    • trade union membership

    • genetic data

    • biometric data (for the purpose of uniquely identifying a natural person)

    • health

    • sex life or sexual orientation.

    The Trust meets this requirement because it’s our job to provide healthcare:

    • 9(2)h – 'Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.'

    Depending on the activity there are other legal gateways which can be applied, for example:

    • to support safeguarding children and vulnerable adults

    • to carry out obligation as an employer

    • to protect an individual's vital interests (protect someone's life)

    • to support research

    • to comply with a legal obligation

    • image recording (not for direct healthcare), eg CCTV, BWV, ANPR

    • there may be instances where we ask for your consent to process your information if another legal basis does not apply. If this is the case you can expect that your consent will be sought.

  • The national data opt-out

    The national data opt-out was introduced for 'the health and social care system' on 25 May 2018. It gives people more control over how their confidential patient information is used. Find out more about confidential patient information on the NHS website.

    NHS Trusts are required to be compliant with the national data opt-out policy by 30 September 2020. 

    What is the national data opt-out?

    It is a service that allows the public to register to opt-out of their confidential patient information being used for research and planning. The public can change their national data opt-out choice at any time.

    What is confidential patient information?

    Confidential patient information is when two types of information from your health records are joined together.

    The two types of information are:

    • something that can identify you
    • something about your health care or treatment.

    For example, your name and what medicine you take.

    Information that only identifies you, like your name and address, is not considered to be confidential patient information and may still be used. For example, to contact you about your care or change in appointments or to ask you if you want to opt back in for an individual research study you may consider worth opting back in for.

    Information about your health or care that is anonymised so that you can no longer be identified is not considered to be confidential patient information.

    The choice you make does not apply when your information is used to help with your own treatment and care. Visit the NHS website for more information on when your choice does not apply.

    Who needs to comply with national data opt-out policy?

    The national data opt-out applies to data for patients where their care is provided in England by a publicly funded organisation, or the care has been arranged by a public body such as the NHS or a local authority. It does not apply to data related to private patients at private providers.

     In summary, the national data opt-out applies to:

    • all NHS organisations (including private patients treated within such organisations)
    • all local authorities providing publicly funded care
    • adult social care providers where the care provided is funded or arranged by a public body
    • private or charitable healthcare providers providing NHS funded treatment or arranged care.

    Which data disclosures do national data opt-outs apply to?

    National data opt-outs apply to a disclosure when an organisation, such as a research body, confirms they have approval from the Confidentiality Advisory Group (CAG) for the disclosure of confidential patient information held by another organisation such as an NHS Trust (the data controller). Find out more about the Confidential Advisory Group on the NHS health research authority website.

    The CAG approval is also known as a section 251 approval, and refers to section 251 of the National Health Service Act 2006 and its current regulations, the Health Service (Control of Patient Information) Regulations 2002. The NHS Act 2006 and the Regulations allows the common law duty of confidentiality to be temporarily lifted, so that confidential patient information can be disclosed without the data controller being in breach of the common law duty of confidentiality.

  • Your information rights

    In general, GDPR provides the rights outlined below to individuals regarding their data, but how these apply in detail depends on:

    • the legal basis for processing the information
    • the situation, known as 'restrictions'
    • these are applied when it is seen as a necessary and proportionate measure in a democratic society to safeguard aspects such as, but not limited to:
      • national or public security
      • defence
      • the prevention, investigation and detection of crime.

    The rights are:

    • To be informed – we need to tell you about how we use your information. A range of communication methods are used to do this, including:
      • the internet, eg this privacy notice
      • discussion with your health professional
      • posters
      • leaflets
      • inclusion in correspondence.
    • to access your information – you can ask to view or have a copy of any information we hold about you
    • to rectification – we will amend any errors in the information we hold about you if it is agreed to be inaccurate or incomplete. Please be aware that sometimes we may hold information that you do not agree with, but it is not adjudged to be incorrect, eg a clinical opinion recorded by a health professional. In such instances, we may (by mutual agreement) add a statement from you to your record regarding your concern, but not change the information
    • to erasure – also known as 'the right to be forgotten'. This empowers individuals to have personal data about them erased where there is no overriding legal justification for its processing. As such, this is unlikely to apply to health records or staff records where there is strong legal justification for the records to be kept
    • to restriction – you have the right to request that we stop processing your personal data on a temporary basis, without deleting it. This is mostly likely to apply while a request for rectification, erasure, or objection is being considered
    • to portability – this enables individuals to obtain and reuse their personal data for their own purposes across different services ie copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. This right only applies where processing is based on consent or as part of a contract and is carried out by automated means
    • to object – yhis provides the right for you to object to us processing your data under certain circumstances. (Please also see the above section outlining the 'consequences of failing to provide data')
    • to not be subject to a decision based solely on automated processing, including profiling – our Trust does not use automated processing in this way; decisions about your care and treatment are made by our health professionals
    • to be informed if a data breach occurs that is likely to result in a high risk to your rights and freedoms.

    Exercising your rights

    There are some umbrella provisions to describe what we do if you make a request to exercise your rights:

    • we always check the identity of a person making a request before we act upon it. We need to establish that a request is genuine, either from you or your agreed representative
    • we aim to act upon requests as soon as possible and usually within one month. Occasionally we may need more time, for example, if a request is complex. This can extend the response time by up to a further two months. If we need more time we will contact you as soon as possible and within month one to explain the reasons for the delay
    • if you make your request by electronic means, we will aim to respond in the same way unless you request otherwise. Please be aware that this may not always be possible
    • we may refuse a request, not provide everything you have requested or not do everything that you have asked of us. If this happens we will:
      • tell you as soon as possible and within one month

      • outline our reasons for not taking the action you have requested

      • explain how you can make a complaint if you are unhappy with our decision. We would always ask that you come back to us in the first instance, either informally or via our Trust's complaints procedure, to try to resolve the situation. We will also provide you with information about how to complain to our supervisory authority, the Information Commissioner's Office (ICO).

    • if we have disclosed your data to a third party (eg your GP) and we then rectify, restrict or erase your data, (if applicable) we will:
      • inform the third party of the decision, unless it is impossible or would involve a disproportionate effort to do so (in which case we would explain the reasons)
      • tell you to whom we disclosed your data.
    • we will normally undertake our duties regarding your rights without charging a fee but occasionally we may consider that it is appropriate to do so. If so, we will tell you as soon as possible, within one month, and before undertaking any related activity that has been requested
    • if you want to exercise any of the rights described or would like any additional information please see the 'can I access my health records' section below.
  • Can I access my records and who do I ask?

    Yes, with very rare exceptions (such as where the member(s) of staff caring for you believe this would cause serious physical or mental harm to you or anyone else).

    If you would like to see your health records you can ask the clinician who is treating you, or another member of staff. 

    If you would like a copy of your health records, please complete the access to records request form (Word 81Kb) and send it to the below address or email it to subjectaccess@gstt.nhs.uk.

    Information governance
    St Thomas' Hospital
    Westminster Bridge Road
    London SE1 7EH

    Is there a charge?

    Where we process data about you, you can request to receive a copy of the data free of charge. In some circumstances a fee may be charged, for example if repeated requests are made.

  • Confidentiality

    Under the Data Protection Act 2018 we are required to keep your health records secure.

    Every member of staff working for, or with the NHS, has an individual duty to keep your information confidential. We will only share it with other organisations in strict accordance with the law and where this will help us in providing high quality care.

    Please see the section on 'what information we collect, why and how it's used' above. A printable leaflet titled How we use and protect your health information (PDF 35Kb) is also available.

  • Privacy notice on coronavirus (COVID-19)

    This notice describes how we may use your information to protect you and others during the (coronavirus) COVID-19 outbreak. It supplements our main privacy notice (PDF 160Kb).

    The health and social care system is facing significant pressures due to the COVID-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

    Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital, NHS England and Improvement, arm's length Bodies (such as Public Health England), local authorities, health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on the gov.uk website and some frequently asked questions on this law are available on the NHSX website.

    During this period of emergency, opt-outs will not generally apply to the data used to support the COVID-19 outbreak, due to the public interest in sharing information. This includes national data opt-outs. Find out about National data opt-outs on the NHS website. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to subject access requests, freedom of information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

    In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals, private healthcare providers and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

    During this period of emergency we may offer you a consultation via telephone or video-conferencing when this is clinically appropriate. By accepting the invitation and entering the consultation you are consenting to this. Your personal and confidential patient information will be safeguarded in the same way it would with any other consultation.

    We will also be required to share personal and confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Visit the NHSX website for further information about the variety of ways that health and care data is being used and shared by other NHS and social care organisations to support the COVID-19 response.

    NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and emergency department (A&E) capacity data as well as data provided by patients themselves on the NHS coronavirus status checker. All the data held in the platform is subject to strict controls that meet requirements of data protection legislation.

    For purposes beyond individual care, your information relating to COVID-19 may be shared with other health care providers, with private health care organisations, universities conducting research into COVID-19 and private sector organisations.

    If you tell us you're experiencing COVID-19 symptoms, we may need to collect specific health data about you. If we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

a patient discussing her health records with a nurse

Contact us

If you would like more advice on any aspect of the information on this page, please contact the information governance team.

Information governance
St Thomas' Hospital
Westminster Bridge Road
London SE1 7EH

Tel: 020 7188 7525 Email: subjectaccess@gstt.nhs.uk