Data sharing Q&A

What do we mean by 'data'?

Data is any information about you or your health. It can mean your name, your date of birth, NHS number or your address. It can also mean your blood test results or results of any other tests carried out such as a scan or your medical history.

How do we use your data?

When you come to hospital we ask you for information about yourself. Clinicians, such as doctors and nurses, need to find out as much as possible about your health so they can provide the best treatment for you. This information is recorded and used in many different ways. It allows us to contact you if we need to, and it allows us to make an accurate diagnosis and give you appropriate treatment.

Why do we share your data?

In order to provide you with appropriate treatment we need to share your data with a range of organisations who are experts in their field. For example, like most other trusts, we keep your patient records in a variety of computer systems which may be run by a third party organisation. We have a data-sharing agreement with the third party organisation which sets out the rules for how your data can be shared and used.

We always want the world’s best technology and equipment to help us deliver world class care. That’s why we work with other organisations, the world-leaders in their fields.

Who we share your data with

We share data with other healthcare organisations such as GPs or other hospital trusts in order to ensure continuity of care. We also share data with a number of different expert organisations. The data is only ever shared on a ‘need to know’ basis which means that the data is shared only with those who need to see it in order to provide you with appropriate care. We currently have a number of data sharing agreements with organisations which provide a range of different services for the trust and enable us to provide the best quality care. This includes IT organisations, those which process blood test results or provide clinical alerts which help staff make quick diagnoses and the company that provides the trust email system.

What rules do we follow?

The Data Protection Act and General Data Protection Regulation control how your personal information is used by organisations, businesses or the government.

Under the Act the Royal Free London NHS Foundation Trust is defined as a ‘data controller’ of personal information, which means we are responsible for the data. We collect information to help us provide and manage healthcare to our patients and the organisations we share data with are known as the data processors. 

The trust is registered with the Information Commissioners Office (ICO), which regulates how information is shared (registration number Z6460180). There is more information about the ICO below.

At the trust there is a Caldicott Guardian, a data protection officer and a senior information risk owner who all have a responsibility to ensure patient data is kept safe and only shared with those who need to see it.

Who is the Caldicott Guardian?

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information-sharing. Each NHS organisation is required to have a Caldicott Guardian. The name Caldicott is taken from Dame Fiona Caldicott, who was appointed the national data guardian in 2014 – a health data watchdog.

At the Royal Free London the Caldicott Guardian is Dr Kilian Hynes. If you have any concerns about your data you can contact him by email:

Who is the data protection officer?

The data protection officer is a designated person within an organisation who is responsible for ensuring that the organisation complies with the Data Protection Act 1998 regulations.

Who is the senior information risk owner (SIRO)?

The SIRO is responsible for the overall information risk policy and risk assessment process ensuring we have a robust incident reporting process for information risks. The SIRO reports to the trust board.

What is a data or information sharing agreement?

A data sharing agreement is a signed agreement which sets out the rules for sharing data. The agreement is between the data controller (The Royal Free London) and another data controller or a data processor – the third party organisation who uses the data to help us provide care.

How do we share data with the data processor?

The majority of the time data is shared electronically using industry standard security techniques. Occasionally there is paper based sharing such as post or secure courier.

Can I ask for data not to be shared?

Unless we can share your data with a range of expert providers we are unable to deliver planned healthcare to you safely. As a consequence we do not generally allow patients to opt out of the data sharing agreements we have unless in exceptional circumstances.

What happens when we make a mistake?

If we disclose your data to someone who is not authorised this could be reported to the Information Commissioner’s Office (ICO), which is a national regulator for information. The ICO will investigate any claim that there has been a breach of the data protection rules. There are a number of different actions that can be taken if such a breach occurs, including issuing a fine and enforcement notices.

The trust has an obligation to report any breaches of data protection rules to the ICO itself.

Download more information here.