For a Welsh language version of our privacy information, visit: Hysbysiad preifatrwydd
Coronavirus (COVID-19) and Data Protection
You may have already provided information for a specific reason to NHS Blood and Transplant or its health and social partners. Due to the rapidly emerging situation we may seek to collect and process your personal data in response to the coronavirus pandemic (COVID-19) which is above and beyond what would ordinarily be collected. We are doing this to ensure patient safety and protect life. Such information will be limited to what is proportionate and necessary, taking into account the latest legislation from GDPR, the Data Protection Act 2018 and guidance issued by NHS Digital, NHSX and Department of Health and Social Care.
Control of Patient Information Regulations – Notice under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002
NHS Blood and Transplant would like to inform you that the Secretary of State for Health and Social Care has provided a legal notice in the form of a Control of Patient Information (COPI) Notice to support the processing and sharing of information amongst those organisations providing healthcare services to the public and monitoring and managing the outbreak of COVID-19. The Notice is valid until 31st March 2021.
Further information on the Notice can be found on the Government website
NHS Digital and Blood Donation - data sharing during the COVID-19 pandemic
Information has been provided to us by NHS Digital in these unique circumstances to help us find potential suitable donors to tackle the COVID-19 global pandemic. This information may be shared with processors of NHSBT under strict controls and in compliance with the law. The description of data shared includes:
- NHS number
- Date of Birth
- Mobile telephone number
- Landline telephone number
- Date of test
- Source diagnosis
- Date of hospital admission for COVID-19
- Date of hospital discharge for COVID-19
Anyone has the right to opt out of any future communications from NHSBT should they wish to do so. NHSBT will not retain data if an individual chooses not to donate or register with our services.
Find out more about how we are working to overcome the challenges caused by the Coronavirus pandemic
Who we are
NHSBT is a special health authority that provides blood and transplantation services to the NHS, looking after blood donation services in England and transplant services across the UK. This includes managing the donation, storage and transplantation of blood, organs, tissues, bone marrow and stems cells, and researching new treatments and processes.
The personal data we collect to support our services
The information NHSBT needs to collect is largely dependent on which service you are using. As a minimum, all services require NHSBT to collect your:
- date of birth
- next of kin details (not required for blood donation)
- relevant clinical and lifestyle history.
This information will be used to support your direct care, and may be shared with other NHS organisations and professionals involved in your care.
Your data may be used by NHSBT staff outside your clinical team, to audit and improve services or investigate complaints and incidents. Anonymised and pseudonymised data (which does not identify you) is used to conduct research. Your identifiable data will not be used for research without your consent, Unless there is a legal basis for doing so.
Opting out of Organ Donation
Organ donation in England has now moved to an 'opt out' system. You may also hear it referred to as 'Max and Keira's Law'.
This means that all adults in England are now considered to have agreed to be an organ donor when they die unless they have recorded a decision not to donate or are in one of the excluded groups.
You still have a choice if you want to be an organ donor or not when you die. Get the facts about organ donation to help you decide.
If you wish to opt out of being considered a donor you can register your decision on the NHS Organ Donor Register. Your decision will be recorded on the register with the personal details necessary to identify you. This data will be held solely for this use and statistical use internally at NHSBT.
The General Data Protection Regulation (GDPR) and the legal basis for processing your data
The GDPR and the Data Protection Act 2018 replaced the Data Protection Act 1998. All organisations processing data, under GDPR, are required to have a legal basis for doing so.
The majority of NHSBT’s data processing is necessary under Article 6(e) and 9(h) of GDPR, which allows NHSBT (a public authority) to process personal data for the performance of our task or in the public interest and for the provision of health care.
Registration to the Organ Donor Register is based on your explicit consent. This means you can remove your consent at any time should you change your mind.
NHSBT also has obligations under the Blood Safety & Quality Regulations 2005, Tissue and Cells Quality and Safety Regulations 2007 and Organ Quality and Safety Regulations 2012, to ensure that all blood donations and organ transplants are fully traceable from donor to recipient. This is an essential requirement to deliver safe clinical care.
Therapeutic Apheresis Services (TAS) are delivered across England and North Wales from eight TAS Units. NHSBT will share your data with the relevant unit to support the safe delivery of your treatment. Your data will be shared securely with other NHS professionals and in some circumstances regulatory bodies such as the HTA and CQC who have a statutory responsibility to monitor this activity.
Your TAS record will be held securely within NHSBT for a minimum of 30 years.
Why it is important for us to collect your information
NHSBT needs to obtain accurate and complete information from all those who use our services; this is used to support the delivery of safe healthcare and ensure our services are equitable (fair).
We also use data to continuously improve the quality of our service and advance scientific and clinical understanding and study through audit, inspections and research.
Communications and marketing
For all services we’d like to keep in touch with you to inform you of the valuable work and services NHSBT does and inform you of other ways to support NHSBT. You are always in full control of the messages you receive.
If you are a blood donor we will ask you to provide us with additional contact information such as your email address and mobile phone number so that we can provide you with timely communications relating to when donation appointments are available, preparing for your donation and letting you know where your donation was issued.
You can find full details of the terms and conditions associated with being a blood donor here.
If you want us to change the way we contact you, please let us know by contacting our helpline on 0300 123 23 23, or email firstname.lastname@example.org.
How the NHS and care services use your information
NHSBT is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.
You have a choice about whether you want your confidential patient information to be used in this way.
To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit www.nhs.uk/your-nhs-data-matters/manage-your-choice/. If you do choose to opt out you can still consent to your data being used for specific purposes.
If you are happy with this use of information you do not need to do anything. You can change your choice at any time.
Who we share data with
Depending on what service you use, your personal data may be shared with other NHS organisations.
When you donate blood, your donation is given a unique reference number and all personal data such as your name and address are removed before being sent to the hospital.
For our organ transplant services, it is essential that NHSBT shares and receives data from the Transplant Centre to support your care. This information is shared securely between NHS professionals.
You can find out information on the UK and international transplant registries and how these are used on the Organ Donation and Transplantation website: www.odt.nhs.uk.
NHSBT will only share your data outside the organisation if there is a legal reason to do so, in which case you will usually be informed of this disclosure.
NHSBT works with third parties to provide services to support our work, such as telecommunications, ICT support and communications. All companies that have access to NHSBT data go through a series of strict data protection and privacy checks and are held to the same high standard of data protection and regulation as NHSBT under the General Data Protection Regulation.
You can request to know which organisations your data has been shared with by making a subject access request via Customer Services by emailing email@example.com.
How long we keep your data
NHSBT will hold your data for the time period stated in the Blood Safety & Quality Regulations 2005, Tissue and Cells Quality and Safety Regulations 2007, the Organ Quality and Safety Regulations 2012 and the Records Management Code of Practice for Health and Social Care. These set out minimum retention periods. For example, for blood donation we must retain records for a period of not less than 30 years for the identification of each single blood donation and each single blood unit and its components (including blood and blood components which are imported into the European Community) and to ensure full traceability to the point of delivery to a hospital.
All organ transplant records are also retained for a minimum period of 30 years. NHSBT can retain records for longer than the minimum period so long as there is a justifiable reason. Your information will always be stored securely with access restricted to only those staff with appropriate and justifiable reason to access them. You can request a copy of your data free of charge by emailing Customer Services at firstname.lastname@example.org.
Your right to access and control how your data is used
You have a right:
- to be informed about how your data is used. It is the intention of this page to give you an overview of how NHSBT uses your data. However, everyone’s journey through NHSBT services is different and you can obtain more information or ask specific questions about your data by contacting customer services at email@example.com or the Data Protection Officer at DPO@nhsbt.nhs.uk
- to request a copy of the information we hold about you
- to update or amend the information we hold about you if it is wrong
- to change your communication or marketing preferences at any time
- to erasure (also called the right to be forgotten). Applications to apply this right will be considered by NHSBT on a case by case basis due to our obligations under the Human Tissues Act and Blood Safety and Quality Regulations 2005
- to restrict how your data is processed
- to raise a concern or complaint about the way in which your information is being used.
The Data Protection Officer
Under GDPR, all NHS organisations are legally required to appoint a Data Protection Officer (DPO). The DPO for NHSBT is Katrina Smith, the Head of Information Governance, who is responsible for ensuring that all practices and processes within NHSBT are designed to support people’s privacy and data rights and making sure data protection is represented at a board level.
You can contact the Data Protection Officer if you have any questions or concerns about your privacy rights within NHSBT via: DPO@nhsbt.nhs.uk
The Information Commissioners Office (ICO)
The ICO are the UK’s independent authority set up to uphold information rights in the public interest and promote openness in public bodies and data privacy for individuals. The ICO provide free and independent advice to citizens on their privacy rights.
You can contact the ICO for advice or log a complaint via:
- Website: www.ico.org.uk
- Helpline :0303 123 1113 (local rate – calls to this number cost the same as calls to 01 or 02 numbers). If you're calling from outside the UK, you may not be able to use the 03 number, so please call +44 1625 545 700.
- Welsh speaking service: 029 2067 8400. Rydym yn croesawu galwadau yn Gymraeg ar 029 2067 8400.
- Normal opening hours are Monday to Friday between 9am and 5pm.
Information Commissioner's Office
The website and cookies
Cookies may also be used to help speed up your future activities on our websites. For example, a site can recognise that you have provided personal information to us and refrain from requesting the same information a second time.
We hold cookie information for 30 days before the cookie expires.
For further information on 'cookies' please consult the ‘help’ section of your browser. Learn more at our cookie information page.