Privacy
This page outlines NHS Blood and Transplant’s (NHSBT) privacy policy. It explains your rights and gives you the information you are entitled to see under the Data Protection Act 2018 and UK General Data Protection Regulation (GDPR).
Our freedom of information and privacy page includes information on how you can request recorded information held by NHSBT.
Hysbysiad preifatrwydd provides a Welsh language version of our privacy policy.
Click on each section to find out more.
NHSBT provides a blood and transplantation service to the NHS.
We look after blood donation services in England and transplant services across the UK.
This includes managing the donation, storage and transplantation of blood and blood components, organs, tissues, bone marrow and stem cells, and researching new treatments and processes.
Through-out the COVID-19 pandemic the health and care sector, including NHSBT, processed information at a pace and on a scale not previously seen.
We did this to ensure patient safety and protect life during unprecedented times.
In order for us to share and use information for purposes related to COVID-19, The Secretary of State for Health and Social Care issued a Control of Patient Information Regulations (COPI) 2002 notice.
This specifically enabled the health and care sector to share personal data to manage and mitigate the spread and impact of the current outbreak of COVID-19.
View the Control of Patient Information Regulations (COPI) 2002 notice
The notice was in place until the end of June 2022, and we no longer process data in this way.
We process personal information about you so that we can continue to provide an enhanced level of service to the public for blood and organ donation.
High standards in handling personal information are of the upmost importance to us, because they help us to maintain confidence from our customers, suppliers, partners and the wider UK public.
When we handle your information, we:
- make sure you know why we need it
- only ask for what we need, and collect the minimal amount required
- protect your information and ensure no one has access to it who should not
- let you know if we are going to share it with other organisations
- make sure we do not keep your information for longer than necessary
- ensure you have the right to request any incorrect information be rectified
- do not make your personal information available for commercial use without your consent
- ensure that measures are put in place to allow appropriate consent to be obtained for holding personal information of anyone aged under 13
In addition to this, we:
- value the personal information entrusted to us and make sure that we abide by the law when it comes to handling your personal information
- ensure we consider security at the outset of any new project where we are planning to hold or use personal information in new ways, and to continue to review existing systems to ensure they are compliant with new laws
- provide training to staff in how to handle personal information, maintain proper oversight of our information assets and respond appropriately if information is not used or protected properly.
We process information to enable us to:
- Promote our policies, procedures and services to the public
- Maintain our accounts and records and to support and manage our staff
- Undertake research and development to improve patient outcomes
- Provision of blood and organ donation services for patient care and treatment
We also process information to include administration of health and social care services, management and administration of land, property and residential property and undertake research.
We operate a CCTV system on our premises for the prevention crime and the safety and security of our staff and premises.
Paragraph 7 of Chapter 2 to the Data Protection Act 2018 says that, as a government body, NHSBT may process personal data as necessary for the effective performance of a task carried out in the public interest.
Should this provision not apply we will always identify the lawful basis on which your personal information is processed as defined by Article 6 and 9 of the UK GDPR.
NHSBT also has obligations under the Blood Safety & Quality Regulations 2005, Tissue and Cells Quality and Safety Regulations 2007 and Organ Quality and Safety Regulations 2012, to make sure that all blood donations and organ transplants are fully traceable from donor to recipient.
This is an essential requirement to deliver safe clinical care.
This may affect your individual rights, in particular your right to erasure and to be forgotten.
This is because NHSBT must keep all clinical records for 30 years if you donate to ensure traceability in line with the regulations listed above.
Where required, NHSBT will also satisfy the common law duty of confidentiality, and will define a lawful basis for the use of disclosure of the personal information that has been provided in confidence, this can include; valid informed consent; determining an overriding public interest or where there is a statutory basis or legal duty to disclose.
We process information about our:
- Customers
- Employees
- Suppliers and providers
- Advisers, consultants, and other professional experts
- Complaints and enquiries
- Students on placements
- Academics
- Members and supporters of unions
- NHS staff
- Members of the public for CCTV purposes
- Research applicants
- Researchers
- Patients and donors
- Family members of donors
As a Data Controller of your personal data, we may, where necessary, and in line with data protection legislation, need to share your data (and our data processors may also share information) with other organisations.
Here are some examples of types of organisations where we may, if necessary, share your data. Please note the data shared will be dependent on the type of service used within NHSBT.
- Employment and recruitment agencies: to obtain an employment reference for recruitment purposes
- Current and past employers: to verify your employment history for recruitment purposes
- Suppliers and service providers: to support the services we provide to the public
- Government internal audit and other auditors as required: to support regular audit activities and maintain scrutiny over public authority decision making and activities
- Health and care organisations: to verify clinical and non-clinical activity such as the provision of blood products and testing services for patient care and treatment
- Other statutory law enforcement agencies: to assist in any legal or fraudulent activity
- Survey and research organisations: to share your information for research purposes where you have consented to be part of a study
- Government regulators: to support organisational audit and investigations such as the Information Commissioners Office
- The police: to assist with police enquiries in line with relevant legislation
- NHS England Transformation Directorate: NHS Blood and Transplant (NHSBT) work closely with NHS England Transformation Directorate (formerly NHS Digital), which is the national provider of information data and IT systems. NHS England Transformation Directorate has legal powers under the Health and Social Care Act to disseminate data to health and social care providers, such as NHSBT, which we use for service improvement, evaluation and research. This includes:
- Cryostat2 (UK): Evaluating the effects of early high-dose cryoprecipitate
- Melody: Evaluating lateral flow immunoassays to detect SARS-CoV-2 antibody responses
- Convalescent Plasma – Donation Data: Identifying vaccination status to support treatment for COVID-19 patients and further plasma for medicines uses
Outside of specific exemptions under specific legislation related to personal data your information shall be retained for no longer than the purposes for which it is being processed.
We comply with the Records Management Code of Practice for 2021.
We are required under the Blood and Safety Quality Regulations 2007 and Organ Quality and Safety Regulations 2012 to hold and process your data for at least 30 years.
This is to ensure full ensure traceability to the point of delivery to a hospital.
The data we are collecting is your personal information and you have considerable say over what happens to it. Depending on the legal basis for processing, you have a set of individual rights.
You can:
- See what data we hold about you (right of access)
- Ask us to stop using your data, but keep it on record (right to erasure)
- Have some or all of your data deleted (right to deletion)
- Have some of your data corrected (right to rectification)
- Lodge a complaint with the Information Commissioner's Office (ICO) if you think we are not handling your data fairly or in accordance with the law
Data Protection legislation allows you to find out the personal information we hold about you on computer and IT records (formerly known as a subject access request).
The legislation requires us to respond to a valid request within one month. However, in the event we are unable to meet this timescale (for example due to a large volume of information to be assessed) we will keep you informed of progress towards fulfilling your request.
To request access to personal data we hold about you, please write to our Data Protection Officer using the contact details on this page.
To make a Subject Access Request please email: sar@nhsbt.nhs.uk
NHSBT is working to find ways to develop better treatments for care. The information we hold on you can be used to help our researchers understand more about causes of illnesses and how best to treat them.
We follow strict rules to make sure your personal data is always kept secure and confidential. Where possible, we take out any information that could identify you, such as your name, address and postcode.
If we cannot practically take out such information, it is our legal responsibility to ask for your explicit consent or to identify an appropriate legal basis to process your data.
The personal data that you provide when registering your decision for organ and tissue donation is recorded on the NHS Organ Donor Register and is used to enable your decision to be discussed at the time of potential donation.
NHSBT ask for the minimum data necessary at point of registration to ensure we are able to identify you and that we clearly understand your organ donation decision.
The personal data requested as part of your registration process is detailed below:
- Mandatory data items for the purpose of identification and confirmation of your decision
- Name (First name, Last name)
- Address
- Postcode
- Date of birth
- Organ donation decision (Donate – some or all organs and tissue, Do not donate, Withdraw)
- Optional data items to further assist with identification, retrieval of your NHS Number, further understanding of your decision and your contact details
- Title
- Middle name
- Preferred name
- How you are recorded on your GP medical record (Female, Male or Neither)
- Telephone
- Mobile
- Faith declaration
- The following two additional optional data items (together with data item Gender that may be collected through third party registration partners), are used to help us understand more about the people registering. Ethnicity and Religion are not stored against individual registrations.
- Ethnicity
- Religion
Contact details such as address, email, telephone and mobile are used for the purposes of completing your registration which may include sending you a confirmation letter. These details will never be used for marketing purposes.
As part of the registration process, some additional personal data items may also be obtained and recorded on your registration to assist with identification at the time of potential donation:
- NHS Number
- See below NHS England Digital Demographics Batch Service (Public Health Service)
- CHI Number
- See below NHS National Services Scotland (Public Health Service)
- HCN Number
- See below Health and Social Care Northern Ireland Business Services Organisation (Public Health Service)
- DVLA Driving License Number
- If you register your organ donation decision through the Driver and Vehicle Licensing Agency (DVLA)
- DVANI Driver Number
- Obtained if you register your organ donation decision through the Driver and Vehicle Agency Northern Ireland (DVANI)
The NHS Organ Donor Register shares your personal data within NHSBT and with a select group of NHS organisations and third-party service providers.
Further information on the people and organisations we share information with and the purpose, is detailed below.
Who do you share my personal data with?
NHSBT staff directly involved in the organ and tissue donation process. This includes:
- Specialist nurses and administrators for organ and tissue donation, who support the process of organ and tissue donation in the United Kingdom and have access to the minimum data necessary to establish if you have recorded an organ and tissue donation decision, which will help to inform a conversation with your family about organ donation
- NHS Organ Donor Register Operations, who have access to your registration data to manage the NHS Organ Donor Register service
Third Party Service Providers. This includes:
- NHS Organ Donor Helpline advisors, who have access to the registration data to assist callers in response to their enquiries. This can include creating or updating a registration on the NHS Organ Donor Register
- Mailing Service, who are responsible for producing and sending written organ donation registration confirmation letters. The minimum data necessary is shared with the mailing service for this purpose only
- Information Technology Services, who provide technical support and maintenance for the NHS Organ Donor Register
- NHS England, who provide the NHS App. As a user of the NHS App you can record your organ donation decision and when applicable, you can access your organ donation decision data as recorded on the NHS Organ Donor Register. The NHS App does not store your organ donation decision data but does enable your personal data or decision data to be processed within the NHS Organ Donor Register
Other NHS services who are directly involved in the organ and tissue donation process. This includes:
- NHS National Services Scotland (public health service), who employ specialist nurses for tissue donation who support the process of tissue donation in Scotland and have access to the minimum data necessary to establish if you have recorded a tissue donation decision which will help to inform a conversation with your family about organ donation.
Other NHS services who support the organ and tissue donation process. This includes:
- NHS England Demographics Batch Service (public health service), who enable the NHS Organ Donor Register to link with this service for residents of England and Wales and share the minimum data necessary in order to retrieve your NHS number and record this on your registration. Your NHS number can further help to identify you
- NHS National Services Scotland (public health service), who enable the NHS Organ Donor Register to link with this service for residents of Scotland and share the minimum data necessary in order to retrieve your CHI number and record this on your registration. Your CHI number can further help to identify you
- Health and Social Care Northern Ireland (HSCNI) Business Services Organisation (Public Health Service), who enable the NHS Organ Donor Register to link with this service for residents of Northern Ireland and share the minimum data necessary to retrieve your HCN Number and record this on your registration. Your HCN Number can further help to identify you
NHS England (formerly NHS Digital who merged with NHS England in February 2023):
- NHSBT are currently working with NHS England and is sharing information for analysis and research for those individuals on the UK Transplant Registry. The purpose of this sharing is to study risk factors for developing skin cancer after organ transplantation, and to improve the care of transplant recipients who develop skin cancer.
NHSBT will only share your data outside the organisation if there is a legal reason to do so, in which case you will usually be informed of this disclosure.
NHSBT works with third parties to provide services to support our work, like telecommunications, ICT support and communications.
All companies that have access to NHSBT data go through a series of strict data protection and privacy checks, and are held to the same high standard of data protection and regulation as NHSBT under the General Data Protection Regulation.
You can request to know which organisations your data has been shared with by contacting Customer Services.
For all services, we’d like to keep in touch with you to inform you of the valuable work and services NHSBT does and inform you of other ways to support NHSBT. You are always in full control of the messages you receive.
If you are a blood donor, we will ask you to provide us with additional contact information like your email address and mobile phone number.
We do this so that we can provide you with timely communications relating to when donation appointments are available, preparing for your donation and letting you know where your donation was issued.
Full details of the terms and conditions associated with being a blood donor can be viewed on NHSBT’s Give Blood website.
If you want us to change the way we contact you, please let us know by contacting us:
Telephone: 0300 123 23 23
Email the Customer Services team
Please note: if you do choose to opt out of communications it can take up to 30 days to process your request.
You can use our website without providing any personal details. However, to sign up to any services such as blood donation, you must provide data to support this.
Cookies are a record made on your computer that save information about the web pages you visit and services you use.
You may disable the use of cookies, but this may limit the functionality of our websites or your access to it.
Cookies are files or pieces of information that are stored by your browser on your computer's hard drive.
NHSBT may use cookies to collect information about you and to identify you during your visit to our websites, like the particular site areas you visit and the services you use through our websites.
We collect this information to better tailor our site to your interests and needs.
Cookies may also be used to help speed up your future activities on our websites. For example, a site can recognise that you have provided personal information to us and refrain from requesting the same information a second time.
We also use cookies for online retargeting purposes to show you relevant adverts from us on third-party sites, including social media websites, based on pages you have visited on our site and others.
We hold cookie information for 30 days before the cookie expires.
Most browsers are initially set to accept a cookie. If you prefer, you can set yours to refuse cookies or to alert you when cookies are being sent.
Refusal of cookies at the site you enter may result in an inability to visit certain areas of the site or to receive personalised information when you visit the site.
For further information on 'cookies' please consult the ‘help’ section of your browser.
Our cookie information page also provides more information.
Our organisation is compliant with the national data opt-out policy.
Whenever you use a health or care service or using any of our services, important information about you is collected in a patient record for that service.
Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information is not needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.
Find out more or register your choice to opt-out.
You can find out more about how patient information is used for health and care research.
You can also find out more about how and why patient information is used, the safeguards and how decisions are made.
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
NHS Blood and Transplant is the Data Controller for the personal data we hold and process about you.
We are also the Data Controller for Serious Hazards of Transfusion (SHOT). Please see SHOT’s privacy policy for more information.
The Data Protection Officer is Eleanor Ward who can be contacted:
In writing:
NHS Blood and Transplant
500 North Bristol Park
Filton
Bristol
BS34 7QH
UK
By email: Email our Data Protection Officer
For independent advice about data protection, privacy and data sharing issues, you can contact the independent ICO at:
The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AGF
UK
Tel: 0303 123 1113
Authors: Umar Sabat and Rosie Underwood
Page last updated: 21 March 2024