GOSH privacy policy

Updated: 2 April 2024

At Great Ormond Street Hospital (GOSH), protection of patient and carer data and being good stewards of this data is a key priority.

We have reviewed our privacy notice and made a few changes which you should know about:

  • We have further clarified who we share your data with from the perspective of NHS and non-NHS partners. This includes how we share data:
    • With new organisations within the healthcare landscape such as the IntegratedCare Systems for the purposes of supporting patient access to healthcare services locally.
    • With healthcare partners to support delivery of effective, immediate care for patients when you access local health services (GOSHLink).
    • With partners through the ethical access to anonymised patient data in order to make children’s lives better by developing new treatments for childhood illnesses.
  • We have outlined how patients can opt out of their data being used in certain circumstances, such as for improving the quality and standards of care provided (National Data Opt out).
  • We have clarified how we collect and hold data for our volunteers and on our website.

A ‘privacy notice’ lets you know what happens to any personal data that you may give us or that we may collect from you or about you (as a patient, family member, carer or visitor). This notice is issued by Great Ormond Street Hospital for Children NHS Foundation Trust as a healthcare provider, and covers the data we hold about our patients, their families and other individuals who may use our services. A separate privacy notice is available for personal data we collect about staff as part of our responsibilities as an employer.

Great Ormond Street Hospital (GOSH) is an international centre of excellence in child healthcare.

Together with our research partner, the University College London Great Ormond Street Institute of Child Health, we form the UK’s only academic Biomedical Research Centre specialising in paediatrics.

We are committed to being open about the data we collect about you, how we use this data, with whom we share it, and how we store and secure it. We recognise the importance of protecting personal data in all that we do, and take care to meet our legal and other duties, including compliance with relevant law, regulations and guidance (please see Annex 1).

What is personal data?

Personal data is information about a living, identifiable individual. Therefore, your personal data is any information that can be attributed to you personally, including your name, weight, height, date of birth, health conditions and treatments you receive. So long as you can be identified from that information, it becomes your personal data.

All personal data that we collect and use is handled in accordance with the Data Protection Act. Further information can be found at Annex 1.

Great Ormond Street Hospital for Children NHS Foundation Trust is the Data Controller of personal data that is collected by the Trust to help us provide and manage healthcare to our patients and relating to the employment of our staff. Our ICO registration number is Z6776821.

Your child and parent/ carer’s’ personal data can be collected in a number of different ways:

- Data may be provided by your GP or another healthcare professional your child has seen when they refer your child for treatment at GOSH.

- Data may be provided directly by you – in person, over the telephone or on a form you have completed.

- Data may also be provided by third parties, for example, social services, education services or children’s charities.

The personal data that we collect about your child may include details such as:

-*Full name, title, address, telephone number (mobile and home), email address

- Date of birth, gender, age

- Who has parental responsibility

- Any contact we have had with your child through appointments, attendance or inpatient stays

- *Details and records of treatment and care/ notes

- *Health reports including any allergies or health conditions

- Information from research/ clinical trials

- *Results of x-rays, scans, blood tests, etc.

- *Genetic Information

- *Other relevant data from people who care for your child and know them well, such as health professionals, social workers, relatives and carers;

- *Whether or not you or your child is subject to any protection orders regarding their health, wellbeing and human rights (safeguarding status);

- A record of contact with us by telephone or email for the purposes of the provision of healthcare including complaints, claims or PALS enquires;

*We may also collect other data about your child, such as your child’s race or ethnic origin, religious or other beliefs, and whether you have a disability or require any additional support with appointments (like an interpreter or advocate).

We collect personal data about you and your child to support the delivery of appropriate healthcare and treatment. In order to provide high quality care, we must keep records about your child, their health and the care that we provide, or plan to provide them. This may include certain information about you or family members (please see * above). It is important for us to have a complete picture as this data enables us to provide the right care to meet a child’s individual needs and this can include social care information.

If you ever have any questions as to why certain data is collected, our staff will be happy to discuss this with you.

We use your child’s data to ensure that:

- The right decisions are made about their care

- Their treatment is safe and effective

- We can work well with other organisations that may be involved in their care

- We can remind a parent or carer about appointments and send you relevant correspondence. This is important because having accurate and up-to-date information will assist us in providing the best possible care. It also ensures that all information is readily available if your child sees another health professional or specialist within GOSH or another part of the NHS.

There is also the potential for you and your child’s data to be used to help improve health care and other services across GOSH and the wider NHS. Therefore, personal data may also be used to help with:

- Ensuring that our services can be planned to meet the future needs of patients

- Reviewing the care provided to ensure it is of the highest standard possible;improving individual diagnosis and care

- Evaluating and improving patient safety

- Training other healthcare professionals

- Conducting clinical research and audits and analysing data to understand more about health risks and causes to develop new treatments

- Preparing statistics on NHS performance and monitoring how we spend public money

- Supporting the health of the general public

- Evaluating Government and NHS policies and complying with legal and regulatory obligations and following guidance and best practice issued by these bodies

- Supporting the funding of your child’s care

- Reporting and investigating complaints, claims and untoward incidents

Whilst the above applies to all insured, sponsored, or self-pay patients, there are some additional data sharing requirements that we have for Private Care patients. We share personal and clinical data, for example name, address, date of birth, insurer policy number, with third parties such as private insurance companies for the assessment and approval of funding requests for private treatment at the Hospital.

For self-funding patients we share personal and clinical data with internal and external (GP’s, consultants and referring hospitals) clinical staff in order to determine the potential treatment costing.

Where necessary, GOSH will share non-clinical personal data for example your name, address, NHS number and/or insurance details and brief history of collection efforts, with credit reference agencies and / or third-party debt recovery agencies to pursue recovery of unpaid debt. Such action is only taken after internal processes have been exhausted.

When you visit our website, you may provide us with personal data such as your name, address, email address or telephone number.

Here are some examples of the personal data you can provide us with on this website:

- Your name

- Your contact details

- Your date of birth

- Your gender

- Your credit or debit card details

- Your job title

- Your employment history

- Information on your usage of our website

- Patient details

Here are some examples of where you may be asked to provide us with personal data on this website:

- When contacting us with an enquiry either via a webform or email link

- When signing up to a newsletter

- When giving feedback

- When filling out a form

We also collect and store personal information relating to our volunteers. Volunteers may be involved in many of the Trust’s services, including the activities associated with individual departments.

In joining as a volunteer, the Trust is required to carry out pre engagement checks which includes retaining a copy of the volunteer’s passport or another form of ID such as driving licence to confirm their identity. References are also obtained and a DBS check carried out for those volunteers who have more than incidental contact with patients or if their role involves visiting patients on any wards or departments. Sensitive data will also be collected and securely stored with regard to Occupational Health matters.

As part of our requirements under the law, GOSH must demonstrate a clear legal reason for collecting, using, sharing and retaining personal data about you or your child. For personal data used in the provision of health and social care our basis is outlined as ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ under 6(1)(e) of UK GDPR. This is because GOSH is a public organisation providing a healthcare service and is required to use names, addresses or other personal data to deliver this service.

Our legal basis for using sensitive personal data (called ‘special categories of personal data’ under UK GDPR) is that this is necessary for the ‘provision of health or social care or treatment or the management of health of social care systems and services’ under 9(2)(h) of UK GDPR. This is because GOSH must use health and social care information about you or your child in the delivery of their care.

Furthermore, these points cover the use of data for clinical audits, service improvement and sharing with other health or social care providers when necessary as part of our service delivery.

There may be times when GOSH uses other different legal bases for other services it provides (for example, research). A more detailed outline of the range of legal bases for processing information and the circumstances in which they arise, are set out in Annex 4.

Under the Data Protection Act 2018 and the UK General Data Protection Regulations (UK GDPR), strict principles govern our use of information and our duty to ensure it is kept safe and secure. Information at GOSH may be stored within electronic or paper records, or a combination of both, for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and other government guidance. All our records are restricted so that only those individuals who have a need to know the information can get access. This might be through the use of technology or other environmental safeguards.

Everyone working for the NHS is subject to the common law duty of confidentiality. This means that any data collected about your child (or you or your family) will only be used in connection with the purpose for which it was provided, unless we have explicit consent from you (or a person with a legal right to provide it) or there are other special circumstances covered by law.

Due to our role in the treatment of rare diseases, GOSH works closely with other healthcare providers and will often seek advice from experts in specialist fields. Anyone involved in your child’s care at GOSH will be bound under NHS contracts and under the NHS Confidentiality Code of Conduct, all of our staff are required to protect information, inform you of how your personal data will be used, and allow you to decide if your child’s personal data can be shared. In addition, clinicians also have professional codes of conduct with which they need to comply and these deal with confidentiality of healthcare.

All staff are required to undertake annual Information Governance training and, where appropriate, additional training in line with their responsibilities. Staff are reminded throughout the year of various aspects of their responsibilities.

Our IT systems are provided either in-house or by specific suppliers who are required to manage the data securely in a manner compliant with the Data Protection Act 2018 legislation.

We have perimeter and internal protection of our IT systems and monitor access and security in a proactive manner. Only individuals with legitimate reasons are allowed access to areas storing personal data.

Every NHS organisation has a senior person who is responsible for protecting the confidentiality of your personal data and enabling appropriate sharing. This person is known as the Caldicott Guardian, and the detail of this role within GOSH can be found in Annex 3.

In order to communicate with you, we are likely to do this by telephone, SMS, email, and/or post.


- to ensure that we provide you with timely updates and reminders in relation to your healthcare (including basic administration information and appointment information (including reminders)), we may communicate with you by SMS in each case where you have expressed a preference in the patient registration form to be contacted by SMS.

- if we have your mobile number or your email address we may use this method of communication to contact you regarding patient surveys which are for the purpose of improving our service or monitoring outcomes and are not a form of marketing.

Please note that although providing your mobile number and stating a preference to be communicated by a particular method will be taken as an affirmative confirmation that you are happy for us to contact you in that manner, your consent is not the basis upon which GOSH will process your personal data in order to correspond with you about your child’s treatment. As set out further above, processing your personal data for those purposes is justified on the basis that it is necessary to provide your child with healthcare services.

To help provide the best possible care, sometimes we will need to share your child’s personal data with others (which may include information about you or a family member – please see above). However, any sharing of data will always be governed by specific rules and laws ensuring the security, access and transfer of any data is protected. We may share data with a range of health and social care organisations and regulatory bodies. As a parent or carer of child, you may be contacted by any one of these organisations for a specific reason, and they will have a duty of telling you why they have contacted you.

We may share personal data with other organisations for the purposes of delivering or improving healthcare, or where there is a legal requirement for us to do so. Whenever we share information with other organisations, we do this in line with the Data Protection Act and the NHS Confidentiality Code of Practice (2003) and relevant legislation or court order and we share the minimum amount of information.

We work with a number of other NHS organisations, independent treatment centres and clinics to provide children with the best possible care (for example with other NHS organisations, General Practitioners, clinical commissioning groups, ambulance services, regulators such as the CQC and NHS England/ Improvement). To support this, data about you and your child may be securely shared.

There are some sector-wide and national initiatives where data is shared due to UK legislation between organisations to speed up access to patient records for direct care purposes. This includes the North London Health and Care Partners HeatheIntent system. HealtheIntent is a platform that allows health and care professionals in North Central London to be more proactive in the care of patients and communities. The purpose of sharing your child’s data is to collate waiting list data from NCL provider organisations and present it in reports which will allow clinicians to make decisions on how best to refer patients within North London to minimise impact on them and the available clinical resource. Strict governance and access controls around these initiatives are in place.

For their benefit, we may also need to share some of your child’s data with authorised non-NHS authorities and organisations involved in their care. This might include organisations such as local authorities, social services, education services, the police, external lawyers, voluntary and private sector health and social care providers, and private healthcare companies. Private patient data may also be securely shared with insurers, debt collection agencies or third parties involved in the payment or delivery of care and this may include transfers to home countries outside the UK.

Electronic patient records:

We strive to make the best use of digital technology to deliver great patient care. GOSH holds patient data on an electronic patient record (EPR) system provided by the Epic Systems Corporation. The EPR includes a child and young person friendly portal, which is age appropriate called MyGOSH. Your child’s personal data (healthcare record) is held within the EPR as well as other clinical systems external to the EPR but within GOSH. For example, some data from the EPR may be processed within GOSH’s Data Reporting Environment (DRE) for analysis to improve clinical care, operational planning and patient experience.

Access to your child’s personal data for scientific or research purposes is subject to strict research and information governance frameworks and for these purposes only de-identified data is routinely used. Further information can be found below (Clinical Training, Research and Audit).

In March 2023 GOSH extended their EPIC system with The Royal Marsden Hospital NHS Foundation Trust (RMH). The two Trusts share a single Epic system and the shared system holds information about a patient’s clinical care at either Trust.

There will be some instances where patients will be patients of both Trusts, in which case, staff will have access to data pertinent to providing direct care (which may include data, which originated at the other Trust).

For shared patients the full record will be visible to clinicians with legitimate access for direct patient care. Each Trust will be responsible for the quality of the data entered by their clinicians and administrative staff, and there will be governance processes in place for the management of data quality impacting shared patients.

We have agreements in place with RMH so that each organisation is aware of its data protection responsibilities and that your personal data is kept secure and confidential and is only accessed when there is a lawful basis to do so.

RMH staff have their own unique logon credentials for accessing the EPR system; and can only access the system for purposes necessary for their job role. This ensures confidential data is processed on a “need to know” basis.

GOSH Link is a digital web portal, designed to provide health and social care staff at other NHS Trust sites with legitimate access (read and print only) to the GOSH electronic patient record, to support the delivery of immediate and direct clinical care. Personal data within the EPR is made available to these external NHS partners under strict governance controls at both an organisation and individual access level.

Care Everywhere is used within the Epic patient record to exchange electronic health records with outside organisations who have an Epic electronic patient record. It provides access, at the point of care, to a patient's health records in situations where an NHS Trust, using the Epic system, has a patient in common.

NHS Children and Young People’s Gender Service (London): NHS Children and Young People’s Gender Service (London) is a partnership between Great Ormond Street Hospital for Children NHS Foundation Trust, South London and Maudsley NHS Foundation Trust and Evelina London Children’s Hospital (part of Guy’s and St Thomas’ NHS Foundation Trust).

Together we are commissioned by NHS England to provide specialist gender-related care and support for children and young people. Find out more about the new NHS Children and Young People’s Gender Service (London).

For patients whose care has transferred from the Gender Identity Development Service to the London regional centre, their data has moved from Tavistock and Portman NHS Foundation Trust and is now held by Great Ormond Street Hospital for Children NHS Foundation Trust on our electronic patient record system.

This privacy notice details how this personal data will be held and processed.

We are required by law to report certain information to the appropriate authorities—for example incidences of certain communicable diseases, crimes or suspicion of terrorist acts to the police or other UK bodies, courts, the General Medical Council, Healthcare Safety Investigation Branch of NHS investigations.

NHS Digital

NHS Digital, on behalf of NHS England assesses the effectiveness of the care provided by publicly-funded services - we have to share information from your patient record such as referrals, assessments, diagnoses, activities (for example, taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations.

You have the right to object to us sharing your information to NHS Digital – this will not affect your care in any way. For information about how you can Opt-Out of sharing your data with NHS Digital please see below under ‘National data opt-out: How the NHS and care services use your information’.

NHS Patient Survey Programme (NPSP) is part of the government’s commitment to ensure patient feedback is used to inform the improvement and development of NHS services. We may share your contact information with an NHS approved contractor to be used for the purpose of the NPSP. Please note that no information about your care and treatment is provided to the organisation that does this survey.

There will also be occasions when GOSH is reviewed by an independent auditor, which could involve reviewing randomly selected patient information to ensure we are robustly and legally compliant against national data and reporting standards.

Preventing fraud

Great Ormond Street Hospital for Children NHS Foundation Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Cabinet Office under the NFI is responsible for carrying out data matching exercises. Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal data. Computerised data matching allows potentially fraudulent claims and payments to be identified.

As the Trust participates in the Cabinet Office’s National Fraud Initiative it is required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise. It then receives a report of matches which it will be required to investigate, so as to detect instances of fraud, over- or under-payments and other errors, to take remedial action and update its records accordingly.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014 (LAAA) and the data sets which the Trust submit can be found in the Cabinet Office guidance.

As the process is mandated by the Cabinet Office it does not require the consent of the individuals concerned under the Data Protection Act 2018 or the UK General Data Protection Regulation 2018.

Where the sharing involves a non-NHS organisation outside the clear scope of care delivery, a specific data sharing agreement is put in place to ensure that only relevant minimal data is shared in an appropriate format and this is done securely in a way which complies with the law.

Outsourcing of services

We outsource a limited number of administration and IT support services to external organisations. The majority of companies are based within the European Economic Area (“EEA”) and all services are provided under specific contractual terms, which are compliant with UK data protection legislation.

Digital, data and technology in health and care

There has been a rapid growth of digital health technology and the use of apps and artificial intelligence (AI) over the past few years. This work is actively encouraged by the government with the ultimate objective of the provision of better care and improved health outcomes for people in England.

The new GOSH five-year strategy ‘Above and Beyond’ outlines our commitment to ‘innovate through digital’ and ‘accelerate translational research and innovation to save and improve lives’. We want to be at the forefront of digital innovation to secure better outcomes, improve clinical care and reduce costs. Collaborations with industry and academia are key to this through the establishment of our Data Research, Innovation and Virtual Environments (DRIVE) unit.

In order to deliver our commitment, we need to think differently, work differently and engage with new partners. GOSH, as a trusted provider of care and sector leader in digital innovation, may enter into a partnerships to make children’s lives better by developing new treatments for childhood illnesses through the ethical access to anonymised patient data.

A robust governance framework is in place to manage access to our data. We will only use anonymised datasets so your confidentiality is protected. In circumstances where small, anonymised datasets are involved and there is a potential risk of re-identification, explicit consent will be sought from patients/ parents/ carers before providing access to this patient data.


The Trust uses CCTV in various parts of the site for the safety and security of our patients and staff.

The recordings are classed as personal data but do not form part of any health or staff record. Images are held for a period of 31 days, or longer if required for any investigation.

We (or third parties acting on our behalf) may store or process information that we collect about you in countries outside the EEA. Where we make a transfer of your personal information outside of the EEA we will take the required steps to ensure that your personal data is protected to the standard required by UK and EU law. All flows of information are reviewed annually..

GOSH is committed to carrying out pioneering research to find treatments and cures for some of the most complex illnesses, for the benefit of children here in the UK and worldwide. Your permission may be required for some of this work. If you agree to be involved, a full explanation will be given to you and your child and appropriate consent will be obtained before proceeding. Explicit consent may not be required if the information being used has been de-identified/anonymised. This means that it cannot be used to identify an individual person.

If you would like further information about how your child’s data could be used for research purposes please see the NHS Health Research Authority’s website.

Some health records are needed to teach student clinicians about rare cases and diseases. Without such materials, new doctors and nurses would not be properly prepared to treat your child and others. It is also possible that individuals, such as student nurses, allied health professionals and medical students are receiving training in the service that is caring for your child. If staff would like a student to be present, they will always ask for your permission and you have the right to refuse without this affecting the care or treatment that your child is receiving.

We also undertake audits within GOSH as part of our duty to review the care we provide to ensure it is of the highest standard and quality. Wherever possible we will do this in an anonymised format but you and your child’s information will only be accessible to appropriate NHS staff.

You may have signed up to join as a member of the GOSH Foundation Trust. Our membership database is held and managed by Civica UK.

Where we are relying on your explicit consent to process information about you or your child, you have the right to refuse (or withdraw) from information sharing at any time. This is also referred to as ‘opting out’. If you choose to prevent your child or family information from being disclosed to other authorised professionals involved in your care, it might mean the care that can be provided is limited and, in certain circumstances, it may not be possible to offer certain treatment options. The possible consequences of withholding your consent will be fully explained to you at the time should this situation occur.

You also have the right to ‘opt out’ of having your information used in any mandatory audits which GOSH is subjected to. If this is the case, you should write to our Information Governance team (using the information provided below) with your name, address, date of birth and hospital number or NHS number.

Within GOSH the Information Governance team can be contacted using the Mailbox address: Your.Data@gosh.nhs.uk

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

- improving the quality and standards of care provided

- research into the development of new treatments

- preventing illness and diseases

- monitoring safety

- planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

- See what is meant by confidential patient information

- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care

- Find out more about the benefits of sharing data

- Understand more about who uses the data

- Find out how your data is protected

- Be able to access the system to view, set or change your opt-out setting

- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone

- See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

- https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

- https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made).

You can change your mind about your choice at any time.

Under data protection law you have certain rights in relation to the personal information that we hold about you and your child. These include rights to know what information we hold about you or your child and how it is used. You may exercise these rights at any time by contacting us using the details set out below.

Your rights include:

The right to access personal information about you or your child

You are usually entitled to a copy of the personal information we hold about you and your child and details about how we use it.

The right to rectification

We take reasonable steps to ensure that the information we hold about you and/or your child is accurate and complete. At any attendance we will confirm your contact details we hold. However, if you do not believe we have correct information, you can ask us to update or amend it.

The right to erasure (also known as the right to be forgotten)

In some circumstances, you have the right to request that we delete the personal information we hold about you or your child. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.

The right to restriction of processing

In some circumstances, we must "pause" our use of your child’s personal data if you ask us to. We do not have to comply with all requests to restrict our use of personal information. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.

The right to data portability

In some circumstances, we must transfer to you or (if this is technically feasible) another individual/ organisation of your choice personal information that you have provided to us. The information must be transferred in an electronic format and this will be done via a secure transfer.

The right to object to marketing

GOSH does not use any personal data for marketing.

The right not to be subject to automatic decisions (for example, decisions that are made about you by computer alone)

Your child and you have a right to not be subject to automatic decisions (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on either party.

If you or your child have been subject to an automated decision and do not agree with the outcome, you can challenge the decision.

The right to withdraw consent

In some cases we need your explicit consent in order for our use of your child’s personal information to comply with data protection legislation.

Although consent is not our legal basis for processing data for healthcare purposes, we would always encourage you to contact us using the details below if you have any concerns with regards to how personal data is used.

The right to complain to the Information Commissioner's Office

You can complain to the Information Commissioner's Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations. These details are below.

Making a complaint will not affect any other legal rights or remedies that you have.

We will only keep your or your child’s personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with our legal and regulatory obligations. A summary of the legal retention periods of NHS records can be found in the Records Management Code of Practice for Health and Social Care.

If you would like further information regarding the periods for which your personal information will be stored, please contact our DPO for further details.

Under the terms of the Data Protection Act 2018 and the UK General Data Protection Regulation, you have the right to request access to the information that we hold about you.

To support you through the process you can contact our Health Records Team.

Or you can contact our Health Records Team directly:
Email: Records.SAR@gosh.nhs.uk

If you have any queries or concerns regarding the information that we hold about you or you have a question regarding this privacy notice, please contact our Information Governance team including your name and hospital number:

Email: Your.Data@gosh.nhs.uk

You can also find details of our registration with the Information Commissioner’s Office online

Our ICO registration number is Z6776821.

You have the right to make a complaint if you feel unhappy about how we hold, use or share you or your child’s information. We would recommend contacting our Information Governance team initially to talk through any concerns that you have.

It may also be possible to resolve your concerns through a discussion with our Patient Advice and Liaison Service (PALS) before (or without the need to start) a more formal process:

Email: pals@gosh.nhs.uk

Phone: 020 7829 7862

Alternatively drop into their office in the main reception area.

If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office:

Post: Wycliffe House, Water Lane,
Wilmslow, Cheshire, SK9 5AF
Phone: 0303 123 1113

Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly. Please see the website above for further advice.

Data Protection Act 2018

All of the personal data that we collect and use is handled in accordance with the Data Protection Act principles.

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

- used fairly, lawfully and transparently

- used for specified, explicit purposes

- used in a way that is adequate, relevant and limited to only what is necessary

- accurate and, where necessary, kept up to date

- kept for no longer than is necessary

- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

Find out further information on the principles.

- Data Protection Act 2018

- UK General Data Protection Regulations (GDPR)

- Human Rights Act 1998

- Access to Health Records Act 1990

- Freedom of Information Act 2000

- Health and Social Care Act 2012, 2015

- Public Records Act 1958

- Copyright Design and Patents Act 1988

- Re-Use of Public Sector Information Regs 2004

- Computer Misuse Act 1990

- Common Law Duty of Confidentiality

- NHS Care Records Guarantee for England

- Social Care Records Guarantee for England

- International information Security Standards

- Information Security Code of Practice

- Records Management Code of Practice

- Accessible Information Standards

Caldicott Guardian

Caldicott Guardians are appointed to develop and maintain responsible, appropriate and secure practices for the sharing and handling of personal health information, in accordance with the eight principles developed from the Caldicott Report.

Caldicott Guardian Responsibilities:

- Actively support work to facilitate and enable information sharing, and advise on options for lawful and ethical processing of information as required

- Represent Information Governance requirements and issues at Board level

- Support development of processes, including performance frameworks, that satisfy the highest practical standards for handling person-identifiable information and acts as “the conscience” of the organisation.

Within GOSH this position can be contacted using the Mailbox address: Caldicott.Guardian@gosh.nhs.uk

Senior Information Risk Owner (SIRO)

The Senior Information Risk Owner in the organisation supports implementation of international / government standard for information management and security.

SIRO responsibilities:

- Ultimately accountable for assurance of information security at the Organisation

- Champions information security at Board level

- Owns corporate policy on information security

- Provides an annual statement of the security of information assets for the Annual Governance Statement (as part of the audit process).

- Within GOSH this role sits with John Quinn, Chief Operating Officer.

Data Protection Officer

Data protection is a designated person within an organisation that is responsible for collection and protection of the personal data. The officer makes sure that the organisation follows the law and appropriate regulations.

Within GOSH this role sits with Dr Anna Ferrant, Company Secretary. Contact: your.data@gosh.nhs.uk

Purpose of using personal data: Direct care and Administrative Purposes


- Delivery of care

- Sharing between individuals involved in care

- Local clinical audit

- Waiting list management

- Performance against national targets

Conditions for lawful processing of personal data (Article 6 of UK GDPR): 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

Conditions for lawful processing special categories (including health) of personal data (Article 9 of UK GDPR): 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Purpose of using personal data: Commissioning and planning purposes


- Legal requirements to provide data to health commissioners

Conditions for lawful processing of personal data (Article 6 of UK GDPR): 6(1)(c) ‘…for compliance with a legal obligation…’ or 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

Conditions for lawful processing special categories (including health) of personal data (Article 9 of UK GDPR): 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Purpose of using personal data: Research (GOSH will still require consent or an appropriate legal basis (e.g. section 251 support) that meets confidentiality and ethical requirements to use personal identifiable data for research ; Consent may not be required if the information being used has been de-identified/anonymised)


- Studies with regards to patients with specific diagnosis

Conditions for lawful processing of personal data (Article 6 of UK GDPR): 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

Conditions for lawful processing special categories (including health) of personal data (Article 9 of UK GDPR): 9(2)(j) ‘…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or member State law which shall be proportionate…and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject …’

Purpose of using personal data: Regulatory and public health functions


- Monitor health status to identify community health problems

- Preparing for and responding to public health emergencies

Conditions for lawful processing of personal data (Article 6 of UK GDPR): 6(1)(c) ‘…necessary for compliance with a legal obligation…’

Conditions for lawful processing special categories (including health) of personal data (Article 9 of UK GDPR): 9(2)(j) ‘ …necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’

Purpose of using personal data: Safeguarding (following the provisions of the Children Acts 1989 and 2004, and the Care Act 2014)


- Safeguarding children and vulnerable adults

- Sharing information for a safeguarding purpose (for example, with social work)

Conditions for lawful processing of personal data (Article 6 of UK GDPR): 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

Conditions for lawful processing special categories (including health) of personal data (Article 9 of UK GDPR): 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’

Harnessing the power of data at GOSH

We have created an animation that explains how we harness the power of data at Great Ormond Street Hospital. If you’d prefer, you can take a look at a simplified storyboard of the main messages - called an Easy Read version