Last updated: March 2021
Our freedom of information and privacy page includes information on how you can request recorded information held by NHSBT.
Coronavirus (COVID-19) and Data Protection
You may have already provided information for a specific reason to NHSBT or its health and social partners, but because of the coronavirus pandemic (COVID-19), we may collect and process more of your personal data than usual. We do this to ensure patient safety and protect life. This additional information will be limited to what is proportionate and necessary and take into account the latest legislation from General Data Protection Regulation (GDPR), the Data Protection Act 2018 and guidance issued by NHS Digital, NHSX and the Department of Health and Social Care (DHSC).
Control of Patient Information Regulations – Notice under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002
NHSBT would like to inform you that the Secretary of State for Health and Social Care has provided a legal notice in the form of a Control of Patient Information (COPI) Notice to support the processing and sharing of information amongst those organisations that provide healthcare services to the public and monitor and manage the outbreak of COVID-19. The Notice is valid until 31st March 2021.
Coronavirus (COVID-19): notification to organisations to share information on the GOV.UK website provides further information.
NHS Digital and Blood Donation - data sharing during the COVID-19 pandemic
NHS Digital has provided us with information to help us find potential suitable donors to tackle the COVID-19 global pandemic. This information may be shared with processors of NHSBT under strict controls and in compliance with the law.
The description of shared data includes:
- NHS number
- date of birth
- mobile telephone number
- landline telephone number
- email address
- date of test
- source diagnosis
- date of hospital admission for COVID-19
- date of hospital discharge for COVID-19
By registering your interest to donate blood plasma, you agree to be contacted by NHSBT to determine your suitability to donate.
To determine your suitability to donate and arrange an initial appointment, NHSBT, or its agents, may contact you by mail, telephone call, text message or email.
If you are suitable, we will add your details to the Blood Donor Register.
This is so we can book an initial appointment for you.
To book further appointments:
- book an appointment at one of our donor centres
- telephone: 0300 123 23 23
- register with our Blood Donor Digital Service
- this provides access to our online or mobile services
- register for this service online
If you want us to change the way we contact you:
- telephone: 0300 123 23 23
- complete our contact us form
Anyone has the right to opt out of any future communications from NHSBT if they wish to. NHSBT will not retain data if an individual chooses not to donate or register with our services.
Challenges caused by the coronavirus pandemic on the NHSBT website provides more information about how we are working to overcome the coronavirus pandemic.
Giving a blood sample to validate your eligibility to donate blood plasma
To increase your chance of being eligible to donate convalescent plasma when you attend a donor centre, we may ask you to provide a blood sample using a self-collection test kit that will be sent to you by post. This means that you only need to visit one of our donor centres if you have the right level of antibodies to help.
We are working with Medichecks, Superdrug Online Doctor, HomedIQ and Lloyds Pharmacy to provide these test kits. Depending on the process established with these providers, we may need to exchange some of your data with your test kit provider.
Data shared with Medichecks and HomedIQ
To complete the process with Medichecks and HomedIQ, NHSBT will send you an email that includes a link to their registration website. To register, you will be asked to enter some of your personal data. This is needed so that they can send you the test kit and test your blood sample.
When your test is complete, our third-party providers will share your test results, and some of your personal details (like your full name, date of birth, gender, blood type and contact details) to allow the donation process to continue.
Data shared with Superdrug Online Doctor and Lloyds Pharmacy
To proceed with Superdrug Online Doctor and Lloyds Pharmacy, NHSBT will send you an email that includes a link to the NHSBT registration website. During the registration you will be asked to give consent to share your personal data. Your name, gender, address and contact details will then be shared with your test kit provider so that they can send you your test kit and test your blood sample.
When your test is complete, your provider will share your test results with us, so that we can proceed with the donation process.
Who we are
NHSBT is a special health authority that provides blood and transplantation services to the NHS. They look after blood donation services in England and transplant services across the UK. This includes managing the donation, storage and transplantation of blood, organs, tissues, bone marrow and stems cells, as well as researching new treatments and processes.
The personal data we collect to support our services
The information NHSBT needs to collect is largely dependent on which service you use.
As a minimum, all services require NHSBT to collect your:
- date of birth
- next of kin details (not required for blood donation)
- relevant clinical and lifestyle history
This information is used to support your direct care and may be shared with other NHS organisations and professionals involved in your care.
Your data may be used by NHSBT staff outside your clinical team to audit and improve services or investigate complaints and incidents. Anonymised and pseudonymised data (which does not identify you) is used to conduct research.
Your identifiable data will not be used for research without your consent, unless there is a legal basis for doing so.
Opting out of organ donation
'Max and Keira's Law' sometimes referred to as the opt out system, changed the law around organ donation in England to help save and improve more lives.
This means that organ donation in England has moved to an 'opt out' system, and that all adults in England are now considered to have agreed to be an organ donor when they die unless they have recorded a decision not to donate or are in one of the excluded groups.
Excluded groups information is available on the NHSBT website.
You still have a choice if you want to be an organ donor, or not, when you die.
Get the facts about organ donation to help you decide.
Register your decision on the NHS Organ Donor Register if you wish to opt out of being considered a donor.
Your decision will be recorded on the register with the personal details we need to identify you with. This data will be held solely for this use and statistical use, internally at NHSBT.
Enquiries and complaints
NHS Blood and Transplant directly respond directly to the majority of the opt-out legislation enquiries and complaints received. However, and only where necessary, such an enquiry or complaint may be shared, without prior notification, with the appropriate department within UK Government organisations in order to provide an appropriate response.
The General Data Protection Regulation (GDPR) and the legal basis for processing your data
The GDPR and the Data Protection Act 2018 replaced the Data Protection Act 1998. All organisations processing data, under GDPR, are required to have a legal basis for doing so.
The majority of NHSBT’s data processing is necessary under Article 6(e) and 9(h) of GDPR, which allows NHSBT (a public authority) to process personal data for the performance of our tasks or in the public interest and for the provision of health care.
The Organ Donor Register allows you to register based on your explicit consent This means you can remove your consent at any time if you change your mind.
NHSBT also has obligations under the Blood Safety & Quality Regulations 2005, Tissue and Cells Quality and Safety Regulations 2007 and Organ Quality and Safety Regulations 2012, to make sure that all blood donations and organ transplants are fully traceable from donor to recipient. This is an essential requirement to deliver safe clinical care.
Therapeutic Apheresis Services (TAS) are delivered across England and North Wales from eight TAS Units. NHSBT will share your data with the relevant unit to support the safe delivery of your treatment. Your data will be shared securely with other NHS professionals and in some circumstances regulatory bodies such as the HTA and CQC who have a statutory responsibility to monitor this activity.
Your TAS record will be held securely within NHSBT for a minimum of 30 years.
Why it is important for us to collect your information
NHSBT needs to obtain accurate and complete information from all those who use our services; this is used to support the delivery of safe healthcare and ensure our services are equitable (fair).
We also use data to continuously improve the quality of our service and advance scientific and clinical understanding and study through audit, inspections and research.
Communications and marketing
For all services, we’d like to keep in touch with you to inform you of the valuable work and services NHSBT does, and inform you of other ways to support NHSBT. You are always in full control of the messages you receive.
If you are a blood donor, we will ask you to provide us with additional contact information like your email address and mobile phone number. We do this so that we can provide you with timely communications relating to when donation appointments are available, preparing for your donation and letting you know where your donation was issued.
Full details of the terms and conditions associated with being a blood donor can be viewed on NHSBT’s Give blood website.
If you want us to change the way we contact you, please let us know by contacting us:
Telephone: 0300 123 23 23
How the NHS and care services use your information
NHSBT is one of many organisations who work in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, like attending A&E or using Community Care services, important information about you is collected to help make sure you get the best possible care and treatment.
The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving provided care, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.
You have a choice about whether you want your confidential patient information to be used in this way.
Make your choice webpage on the NHS website provides more information about the wider use of confidential personal information and how to register your choice to opt out, if you do not want your data to be used in this way. If you do choose to opt out, you can still consent to your data being used for specific purposes.
If you are happy with this use of information, you do not need to do anything, but you can change your choice at any time.
Who we share data with
Depending on what service you use, your personal data may be shared with other NHS organisations.
When you donate blood, your donation is given a unique reference number and all personal data, like your name and address, is removed before being sent to the hospital.
For our organ transplant services, it is essential that NHSBT shares and receives data from the Transplant Centre to support your care. This information is shared securely between NHS professionals.
The Organ Donation and Transplantation website provides more information on the UK and international transplant registries and how these are used.
NHSBT will only share your data outside the organisation if there is a legal reason to do so, in which case you will usually be informed of this disclosure.
NHSBT works with third parties to provide services to support our work, like telecommunications, ICT support and communications. All companies that have access to NHSBT data go through a series of strict data protection and privacy checks, and are held to the same high standard of data protection and regulation as NHSBT under the General Data Protection Regulation.
You can request to know which organisations your data has been shared with by making a subject access request to Customer Services.
How long we keep your data
NHSBT will hold your data for the time period stated in the Blood Safety & Quality Regulations 2005, Tissue and Cells Quality and Safety Regulations 2007, the Organ Quality and Safety Regulations 2012 and the Records Management Code of Practice for Health and Social Care. These set out minimum retention periods. For example, for blood donation we must retain records for a period of not less than 30 years for the identification of each single blood donation, and each single blood unit and its components (including blood and blood components that are imported into the European Community) and to ensure full traceability to the point of delivery to a hospital.
All organ transplant records are also retained for a minimum period of 30 years. NHSBT can retain records for longer than the minimum period so long as there is a justifiable reason. Your information will always be stored securely with access restricted to only those staff with appropriate and justifiable reason to access them.
You can request a copy of your data free of charge by emailing Customer Services.
Your right to access and control how your data is used
You have a right to be informed about how your data is used. It is the intention of this page to give you an overview of how NHSBT uses your data. However, everyone’s journey through NHSBT services is different and you can obtain more information or ask specific questions about your data by contacting customer services or the Data Protection Officer.
You also have a right to:
- request a copy of the information we hold about you
- update or amend the information we hold about you if it is wrong
- change your communication or marketing preferences at any time
- erasure (also called the right to be forgotten)
- restrict how your data is processed
- raise a concern or complaint about the way in which your information is being used
Please note that applications to apply the right of erasure will be considered by NHSBT on a case-by-case basis due to our obligations under the Human Tissues Act and Blood Safety and Quality Regulations 2005.
The Data Protection Officer
Under GDPR, all NHS organisations are legally required to appoint a Data Protection Officer (DPO). The DPO for NHSBT is Katrina Smith, who is responsible for making sure that all practices and processes within NHSBT are designed to support people’s privacy and data rights, and make sure data protection is represented at a board level.
You can contact the Data Protection Officer if you have any questions or concerns about your privacy rights within NHSBT.
The Information Commissioner's Office (ICO)
The ICO are the UK’s independent authority created to uphold information rights in the public interest, promote openness in public bodies and data privacy for individuals. The ICO provide free and independent advice to citizens on their privacy rights.
You can contact the ICO for advice or log a complaint via:
- Website: www.ico.org.uk
- Helpline :0303 123 1113 (local rate – calls to this number cost the same as calls to 01 or 02 numbers). If you're calling from outside the UK, you may not be able to use the 03 number, so please call +44 1625 545 700.
- Welsh speaking service: 029 2067 8400.
- Rydym yn croesawu galwadau yn Gymraeg ar: 029 2067 8400.
- Normal opening hours are Monday to Friday between 9am and 5pm.
Information Commissioner's Office
The website and cookies
Cookies may also be used to help speed up your future activities on our websites. For example, a site can recognise that you have provided personal information to us and refrain from requesting the same information a second time.
We hold cookie information for 30 days before the cookie expires.
For further information on 'cookies' please consult the ‘help’ section of your browser.
Our cookie information page also provides more information.