Privacy

Last updated: November 2021

This page outlines NHS Blood and Transplant (NHSBT) privacy policy, and provides information on how the data we collect is shared.

Our freedom of information and privacy page includes information on how you can request recorded information held by NHSBT.

Hysbysiad preifatrwydd provides a Welsh language version of our privacy policy.

Coronavirus (COVID-19) and Data Protection

You may have already provided information for a specific reason to NHSBT or its health and social partners, but because of the coronavirus pandemic (COVID-19), we may collect and process more of your personal data than usual. We do this to ensure patient safety and protect life. This additional information will be limited to what is proportionate and necessary and take into account the latest legislation from General Data Protection Regulation (GDPR), the Data Protection Act 2018 and guidance issued by NHS Digital, NHSX and the Department of Health and Social Care (DHSC).

Control of Patient Information Regulations – Notice under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002

NHSBT would like to inform you that the Secretary of State for Health and Social Care has provided a legal notice in the form of a Control of Patient Information (COPI) Notice to support the processing and sharing of information amongst those organisations that provide healthcare services to the public and monitor and manage the outbreak of COVID-19. The Notice is valid until 30th September 2021.

Coronavirus (COVID-19): notification to organisations to share information on the GOV.UK website provides further information.

NHS Digital and Blood Donation - data sharing during the COVID-19 pandemic

NHS Digital has provided us with information to help us find potential suitable donors to tackle the COVID-19 global pandemic. This information may be shared with processors of NHSBT under strict controls and in compliance with the law.

The description of shared data includes:

  • Name
  • NHS number
  • Date of birth
  • Gender
  • Address
  • Postcode
  • Mobile telephone number
  • Landline telephone number
  • Email address
  • Date of test
  • Source diagnosis
  • Date of hospital admission for COVID-19 
  • Date of hospital discharge for COVID-19

Who we are

NHSBT is a special health authority that provides blood and transplantation services to the NHS. They look after blood donation services in England and transplant services across the UK. This includes managing the donation, storage and transplantation of blood, organs, tissues, bone marrow and stems cells, as well as researching new treatments and processes.

The personal data we collect to support our services

The information NHSBT needs to collect is largely dependent on which service you use.

As a minimum, all services require NHSBT to collect your:

  • Name
  • Address
  • Date of birth
  • Next of kin details (not required for blood donation)
  • Relevant clinical and lifestyle history

This information is used to support your direct care and may be shared with other NHS organisations and professionals involved in your care.

Your data may be used by NHSBT staff outside your clinical team to audit and improve services or investigate complaints and incidents. Anonymised and pseudonymised data (which does not identify you) is used to conduct research.

Your identifiable data will not be used for research without your consent, unless there is a legal basis for doing so.

Enquiries and complaints

NHS Blood and Transplant directly respond directly to the majority of the opt-out legislation enquiries and complaints received. However, and only where necessary, such an enquiry or complaint may be shared, without prior notification, with the appropriate department within UK Government organisations in order to provide an appropriate response.

The General Data Protection Regulation (GDPR) and the legal basis for processing your data

The GDPR and the Data Protection Act 2018 replaced the Data Protection Act 1998. All organisations processing data, under GDPR, are required to have a legal basis for doing so.

The majority of NHSBT’s data processing is necessary under Article 6(e) and 9(h) of GDPR, which allows NHSBT (a public authority) to process personal data for the performance of our tasks or in the public interest and for the provision of health care.

The Organ Donor Register allows you to register based on your explicit consent This means you can remove your consent at any time if you change your mind.

NHSBT also has obligations under the Blood Safety & Quality Regulations 2005, Tissue and Cells Quality and Safety Regulations 2007 and Organ Quality and Safety Regulations 2012, to make sure that all blood donations and organ transplants are fully traceable from donor to recipient. This is an essential requirement to deliver safe clinical care.

Therapeutic Apheresis Services (TAS) are delivered across England and North Wales from eight TAS Units. NHSBT will share your data with the relevant unit to support the safe delivery of your treatment. Your data will be shared securely with other NHS professionals and in some circumstances regulatory bodies such as the HTA and CQC who have a statutory responsibility to monitor this activity.

Your TAS record will be held securely within NHSBT for a minimum of 30 years.

Why it is important for us to collect your information

NHSBT needs to obtain accurate and complete information from all those who use our services; this is used to support the delivery of safe healthcare and ensure our services are equitable (fair).

We also use data to continuously improve the quality of our service and advance scientific and clinical understanding and study through audit, inspections and research.

Communications and marketing

For all services, we’d like to keep in touch with you to inform you of the valuable work and services NHSBT does, and inform you of other ways to support NHSBT. You are always in full control of the messages you receive.

If you are a blood donor, we will ask you to provide us with additional contact information like your email address and mobile phone number. We do this so that we can provide you with timely communications relating to when donation appointments are available, preparing for your donation and letting you know where your donation was issued.

Full details of the terms and conditions associated with being a blood donor can be viewed on NHSBT’s Give blood website. 

If you want us to change the way we contact you, please let us know by contacting us:

Telephone: 0300 123 23 23

Email the Customer Services team

How the NHS and care services use your information

NHSBT is one of many organisations who work in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, like attending A&E or using Community Care services, important information about you is collected to help make sure you get the best possible care and treatment.

The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving provided care, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.

You have a choice about whether you want your confidential patient information to be used in this way.

Make your choice webpage on the NHS website provides more information about the wider use of confidential personal information and how to register your choice to opt out, if you do not want your data to be used in this way. If you do choose to opt out, you can still consent to your data being used for specific purposes.

If you are happy with this use of information, you do not need to do anything, but you can change your choice at any time.

Who we share data with

Depending on what service you use, your personal data may be shared with other NHS organisations.

When you donate blood, your donation is given a unique reference number and all personal data, like your name and address, is removed before being sent to the hospital.

For our organ transplant services, it is essential that NHSBT shares and receives data from the Transplant Centre to support your care. This information is shared securely between NHS professionals.

Third party service providers

This includes Mailing Service, who are responsible for producing and sending correspondence relating our services. The minimum data necessary is shared with the mailing service for this purpose only. 

The Organ Donation and Transplantation website provides more information on the UK and international transplant registries and how these are used.

NHS Organ Donor Register

The personal data that you provide when registering your decision for organ and tissue donation is recorded on the NHS Organ Donor Register and is used to enable your decision to be discussed at the time of potential donation. NHSBT ask for the minimum data necessary at point of registration to ensure we are able to identify you and that we clearly understand your organ donation decision.

The personal data requested as part of your registration process is detailed below:

  • Mandatory data items for the purpose of identification and confirmation of your decision
    • Name (First name, Last name)
    • Address
    • Postcode
    • Date of birth
    • Organ donation decision (Donate – some or all organs and tissue, Do not donate, Withdraw)
  • Optional data items to further assist with identification, retrieval of your NHS number, further understanding of your decision and your contact details
    • Title
    • Middle name
    • Preferred name
    • How you are recorded on your GP medical record (Female, Male or Neither)
    • Email
    • Telephone
    • Mobile
    • Faith declaration
  • The following two additional optional data items (together with data item Gender that may be collected through third party registration partners), are used to help us understand more about the people registering. Ethnicity and Religion are not stored against individual registrations.
    • Ethnicity
    • Religion

Contact details such as address, email, telephone and mobile are used for the purposes of completing your registration which may include sending you a confirmation letter. These details will never be used for marketing purposes.

As part of the registration process, some additional personal data items may also be obtained and recorded on your registration to assist with identification at the time of potential donation:

  • NHS Number
    • See below NHS Digital Demographics Batch Service (Public Health Service)
  • CHI Number
    • See below NHS National Services Scotland (Public Health Service)
  • DVLA Driving License Number
    • If you register your organ donation decision through the Driver and Vehicle Licensing Agency (DVLA)
  • DVANI Driver Number
    • Obtained if you register your organ donation decision through the Driver and Vehicle Agency Northern Ireland (DVANI)

The NHS Organ Donor Register shares your personal data within NHSBT and with a select group of NHS organisations and third-party service providers. Further information on the people and organisations we share information with and the purpose, is detailed below.

Who do you share my personal data with?

NHSBT staff directly involved in the organ and tissue donation process. This includes:

  • Specialist nurses and administrators for organ and tissue donation, who support the process of organ and tissue donation in the United Kingdom and have access to the minimum data necessary to establish if you have recorded an organ and tissue donation decision, which will help to inform a conversation with your family about organ donation
  • NHS Organ Donor Register Operations, who have access to your registration data to manage the NHS Organ Donor Register service

Third Party Service Providers. This includes:

  • NHS Organ Donor Helpline advisors, who have access to the registration data to assist callers in response to their enquiries. This can include creating or updating a registration on the NHS Organ Donor Register
  • Mailing Service, who are responsible for producing and sending written organ donation registration confirmation letters. The minimum data necessary is shared with the mailing service for this purpose only
  • Information Technology Services, who provide technical support and maintenance for the NHS Organ Donor Register
  • NHS Digital, who provide the NHS App. As a user of the NHS App you can record your organ donation decision and when applicable, you can access your organ donation decision data as recorded on the NHS Organ Donor Register. The NHS App does not store your organ donation decision data but does enable your personal data or decision data to be processed within the NHS Organ Donor Register

Other NHS services who are directly involved in the organ and tissue donation process. This includes:

  • NHS National Services Scotland (public health service), who employ specialist nurses for tissue donation who support the process of tissue donation in Scotland and have access to the minimum data necessary to establish if you have recorded a tissue donation decision which will help to inform a conversation with your family about organ donation.

Other NHS services who support the organ and tissue donation process. This includes:

  • NHS Digital Demographics Batch Service (public health service), who enable the NHS Organ Donor Register to link with this service for residents of England and Wales and share the minimum data necessary in order to retrieve your NHS number and record this on your registration. Your NHS number can further help to identify you
  • NHS National Services Scotland (public health service), who enable the NHS Organ Donor Register to link with this service for residents of Scotland and share the minimum data necessary in order to retrieve your CHI number and record this on your registration. Your CHI number can further help to identify you

NHSBT will only share your data outside the organisation if there is a legal reason to do so, in which case you will usually be informed of this disclosure.

NHSBT works with third parties to provide services to support our work, like telecommunications, ICT support and communications. All companies that have access to NHSBT data go through a series of strict data protection and privacy checks, and are held to the same high standard of data protection and regulation as NHSBT under the General Data Protection Regulation.

You can request to know which organisations your data has been shared with by contacting Customer Services.

Email the Customer Services team

How long we keep your data

NHSBT will hold your data for the time period stated in the Blood Safety & Quality Regulations 2005, Tissue and Cells Quality and Safety Regulations 2007, the Organ Quality and Safety Regulations 2012 and the Records Management Code of Practice for Health and Social Care. These set out minimum retention periods. For example, for blood donation we must retain records for a period of not less than 30 years for the identification of each single blood donation, and each single blood unit and its components (including blood and blood components that are imported into the European Community) and to ensure full traceability to the point of delivery to a hospital.

All organ transplant records are also retained for a minimum period of 30 years. NHSBT can retain records for longer than the minimum period so long as there is a justifiable reason. Your information will always be stored securely with access restricted to only those staff with appropriate and justifiable reason to access them.

You can request a copy of your data free of charge by emailing Customer Services.

Email the Customer Services team 

Your right to access and control how your data is used

You have a right to be informed about how your data is used. It is the intention of this page to give you an overview of how NHSBT uses your data. However, everyone’s journey through NHSBT services is different and you can obtain more information or ask specific questions about your data by contacting customer services or the Data Protection Officer. 

Email the Data Protection Officer

Email the Customer Services team

You also have a right to:

  • Request a copy of the information we hold about you
  • Update or amend the information we hold about you if it is wrong
  • Change your communication or marketing preferences at any time
  • Erasure (also called the right to be forgotten)
  • Restrict how your data is processed
  • Raise a concern or complaint about the way in which your information is being used

Please note that applications to apply the right of erasure will be considered by NHSBT on a case-by-case basis due to our obligations under the Human Tissues Act and Blood Safety and Quality Regulations 2005.

The Data Protection Officer

Under GDPR, all NHS organisations are legally required to appoint a Data Protection Officer (DPO). The DPO for NHSBT is Katrina Smith, who is responsible for making sure that all practices and processes within NHSBT are designed to support people’s privacy and data rights, and make sure data protection is represented at a board level.

You can contact the Data Protection Officer if you have any questions or concerns about your privacy rights within NHSBT.

Email the Data Protection Officer

The Information Commissioner's Office (ICO)

The ICO are the UK’s independent authority created to uphold information rights in the public interest, promote openness in public bodies and data privacy for individuals. The ICO provide free and independent advice to citizens on their privacy rights.

You can contact the ICO for advice or log a complaint via:

  • Website: www.ico.org.uk
  • Helpline :0303 123 1113 (local rate – calls to this number cost the same as calls to 01 or 02 numbers). If you're calling from outside the UK, you may not be able to use the 03 number, so please call +44 1625 545 700.
  • Welsh speaking service: 029 2067 8400.
  • Rydym yn croesawu galwadau yn Gymraeg ar: 029 2067 8400.
  • Normal opening hours are Monday to Friday between 9am and 5pm.
  • Post:
    Information Commissioner's Office
    Wycliffe House
    Water Lane
    Wilmslow
    Cheshire
    SK9 5AF

The website and cookies

You can use our website without providing any personal details. However, to sign up to any services such as blood donation, you must provide data to support this. Cookies are a record made on your computer that save information about the particular web pages you visit and services you use. You may disable the use of cookies, but this may limit the functionality of our websites or your access to it.

Cookies are files or pieces of information that are stored by your browser on your computer's hard drive. NHSBT may use cookies to collect information about you and to identify you during your visit to our websites, like the particular site areas you visit and the services you use through our websites. We collect this information to better tailor our site to your interests and needs.

Cookies may also be used to help speed up your future activities on our websites. For example, a site can recognise that you have provided personal information to us and refrain from requesting the same information a second time.

Remarketing

We also use cookies for online retargeting purposes to show you relevant adverts from us on third-party sites, including social media websites, based on pages you have visited on our site and others.

We hold cookie information for 30 days before the cookie expires.

Most browsers are initially set to accept a cookie. If you prefer, you can set yours to refuse cookies or to alert you when cookies are being sent. Refusal of cookies at the site you enter may result in an inability to visit certain areas of the site or to receive personalised information when you visit the site.
For further information on 'cookies' please consult the ‘help’ section of your browser.

Our cookie information page also provides more information.