The Christie NHS Foundation Trust Privacy Notice

This privacy notice tells you what you can expect us to do with your personal information when you contact us or use our services.

You can find more detailed information about how we use your information for the following specific purposes here:

Our contact details

Name: The Christie NHS Foundation Trust

Address: Wilmslow Road, Manchester, M20 4BX

Contact us direct: Contact The Christie

We are the controller for information we hold about you. As a controller we must decide why and how your information is used and shared, in line with legal and ethical expectations.

Data Protection Officer contact details

Our Data Protection Officer is Louise Westcott and is responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal data at:

How do we get information and why do we have it?

The Christie NHS Foundation Trust is one of many organisations working in the health and care system in the UK to deliver and improve care for patients and the wider public. To understand more about the wider use of patient data, including how and why patient information is used, the safeguards and how decisions are made, we recommend you look at the Understanding Patient Data website.

The personal information we collect here at The Christie is provided directly from you for one of the following reasons:

  • you have provided information to seek care – this is used directly for your care, and also to manage the services we provide, to clinically audit our services, investigate complaints, or to be used as evidence as part of an investigation into care
  • you have decided to participate in research, study or trials in support of cancer awareness and continued searches for new treatments
  • you have sought funding for continuing health care or personal health budget support
  • you have applied for a job with us or work for us or a paid or voluntary basis
  • you have signed up to our newsletter/patient participation group
  • you have made a complaint
  • you have participated in one of our cancer training programmes run by our School of Oncology or Gateway C teams
  • to enable you to be a proactive member or governor of our Trust, or
  • you have visited our website

We also receive personal information about you indirectly from others, in the following scenarios:

  • from other health and care organisations involved in your care so that we can provide you with care
  • from family members or carers to support your care
  • education centre providers – to support your participation in our delivery of education
  • employment agencies, where job have been applied for through those routes

Where your treatments or care is directly linked to one of our partner organisations:

Personal information

Personal data is information that relates to you as an identified or identifiable individual. What identifies you as an individual could be as simple as a name or a Hospital number or could include other identifiers such as an IP address or a cookie identifier, or other factors.

If it is possible to identify you directly from information, we are processing, then that information may be personal data.

We currently collect and use the following personal information:

  • personal identifiers and contacts (for example, name and contact details including email address and mobile phone number, date of birth, NHS number)
  • photographic identity (photo ID) (for example, photographs of staff for ID badges or our website)
  • contact we have with you e.g. hospital admissions, outpatient/ clinical appointments and home visits
  • notes and reports by health and care professionals about your health
  • details and records about our treatment and care
  • results of X-rays, scans and tests
  • relevant information about people that care for you and know you well (often known as next of kin)
  • basic details about accompanying people, such as children, partners, carers, relatives

More sensitive information

The UK GDPR gives extra protection to more sensitive information known as ‘special category data’. Information concerning health and care falls into this category and needs to be treated with greater care.

We process the following more sensitive data (including special category data):

  • data concerning physical or mental health (for example, details about your appointments or diagnosis)
  • data revealing racial or ethnic origin
  • data concerning a person’s sex life
  • data concerning a person’s sexual orientation
  • genetic data (for example, details about a DNA sample taken from you as part of a genetic clinical service)
  • biometric data (where used for identification purposes)
  • data revealing religious or philosophical beliefs
  • data revealing trade union membership
  • Prevent, detect and prosecute fraud and other crime

We may share information with the following types of organisations:

  • third-party data processors (such as IT systems suppliers)
  • planners of health and care services (such as Integrated Care Boards)
  • hospital and community care teams where your care transfer across health organisations, public or private
  • hospice and care homes
  • NHS England in support of Cancer Registries

In some circumstances we are legally obliged to share information. This includes:

  • when required by NHS England to develop national IT and data services
  • when registering births and deaths
  • when reporting some infectious diseases
  • when a court orders us to do so
  • where a public inquiry requires the information

We will also share information if the public good outweighs your right to confidentiality. This could include:

  • where a serious crime has been committed
  • where there are serious risks to the public or staff
  • to protect children or vulnerable adults

We also share information for secondary uses such as some audit and service evaluation pieces. You can read more about this on the NHS England page about clinical audits.

You have a right to choose that we do not share your identifiable information with others when that data is to be used for secondary purposes. To register that right, you need to “opt out”, individuals can visit the official National Data Opt-Out website or by calling the helpline 0300 303 5678. The website  has details of the options to select what types of data they want to opt out of sharing. The service applies to confidential patient information held within the NHS in England.

If you are happy for your data to be extracted and used for purposes described in this Privacy Notice, then you will not need to do anything.

Please note you can change your mind on this at any time. The Trust will always respect your decision unless we are not legally obliged to do so.

  • some cancer registries (not all are mandatory)

You have a right to choose that your data is not collected by national registering. To register that right, you need to read and register on the NHS.uk website.

We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality. These purposes will include to comply with the law and for public interest reasons. It is important to note, as your data would be de-identified the ability to opt out does not apply, to this form of sharing.

Our data is hosted in here in the UK and is only available to our staff and technical support staff in the UK.

As we procure technical software and solutions to assist in provision of treatment or other justified purpose, there may be occasion when such services are provisioned overseas.  In these circumstances a full privacy impact assessment is undertaken and back with full Contract clauses.

The Trust collects information about you if you are an overseas patient to comply with our legal obligations, which is to ensure that the Trust receives payment for any services it may provide and also to undertake processing that will allow us to verify if you are entitled to free NHS care. Our obligations are explained in the Department of Health and Social Care Guidance on implementing the overseas visitor charging regulations.

Whilst the majority of our information is received from you when you come into contact with the Trust, we also receive information from other organisations or individuals, such as when you are referred for treatment or in response to questions relating to your eligibility for free NHS care.

Specific purposes of processing data for overseas patients include:

  • Establish identity and entitlement to free NHS Discount
  • Ensure the information we hold about you is valid and up to date
  • Record NHS debtors to the Department of Health and Social Care
  • Determine your immigration status using Home Office services
  • Prevent, detect and prosecute fraud and other crime
  • Provide translation and interpreter services
  • Deal with the safety, security, health and wellbeing or someone associated with the patient
  • Respond to an alert or warning which we are legally obliged to act on

Where it is necessary for discharging our obligations in this area, your personal information may be sent to the Home Office. The information provided may be used and retained by the Home Office for its own purposes, which include enforcing immigration controls overseas, at the ports of entry and within the UK. The Home Office may also share this information with other law enforcement and authorised debt recovery agencies for purposes including national security, investigation and prosecution of crime and collection of fines and civil penalties.

If we process overseas patients’ information for other purposes that are not described above, we will seek their consent to do so before we process it.

The Christie NHS Foundation Trust is a registered Data Controller with the Information Commissioner’s Office (ICO) and our registration number is Z7091213.

All health and social care providers, including The Christie NHS Foundation Trust, have a statutory duty under section 251B of the Health and Social Care Act 2012 to share patient information for their direct care. This duty is subject to both the common law duty of confidence (See 'Common Law Duty of Confidentiality' below) and applicable data protection legislation, namely the Data Protection Act (DPA) 2018 and the UK General Data Protection Regulations (UK GDPR).

Personal data

Personal data is defined as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more specific factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The processing of personal data is covered by Article 6 of the GDPR.

We will process personal identifiable information (Article 6) and also special category of personal data (Article 9) (including racial and ethnic origin, offences and alleged offences, criminal proceedings, outcomes and sentences, trade union membership (staff), physical or mental health details, religious or similar beliefs, sexual life. The lawful basis under Article 6 is dependent on the legitimate use we have to process different types of data.

Consent (Article (1)(a))

Lawful Basis for Processing

Article 6(1)(a) ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’.

Purpose of Processing

The Trust processes personal data on the basis of consent for services including, but not limited to; medical studies, managing Governance and Members data, research and development. Where consent is the lawful basis for processing your personal data, the processing will be for the purposes of indirect care only. Pertinently it must be stated that the withholding of your consent will not impact on the direct care provided by the Trust.

Your Rights

You have the following rights regarding your personal data which is processed under the lawful basis of your consent:

  • The right to be informed
  • The right of access: You have the right to ask us for copies of your personal information (known as a subject access request).
  • The right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • The right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
  • The right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • The right to data portability: You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
  • The right to object: You have the right to object to the processing of your personal information in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have 1 month to respond to you.

If you would like to engage any of the aforementioned rights, please contact: the-christie.dpo@nhs.net

Contract (Article (1)(b))

Lawful Basis for Processing

Article 6(1)(b) ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

Purpose of Processing

The Trust processes personal data on the basis of contractual obligations for services including, but not limited to; background checks, payments, procurement, staff employment and all other processes related to entering and performing contractual obligations. Pertinently it must be stated that where some or all of the personal data requested is withheld, the Trust may be unable to enter into and perform a contract as per its contractual obligations.

Your Rights

You have the following rights regarding your personal data which is processed under the lawful basis of contractual obligations:

  • The right to be informed
  • The right of access: You have the right to ask us for copies of your personal information (known as a subject access request).
  • The right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • The right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
  • The right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • The right to data portability: You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
  • The right to object: You have the right to object to the processing of your personal information in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have 1 month to respond to you.

If you would like to engage any of the aforementioned rights, please contact the-christie.dpo@nhs.net

Legal Obligation (Article (1)(c))

Lawful Basis for Processing

Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation to which the controller is subject’.

Purpose of Processing

The Trust processes personal data on the basis of legal obligations for services including, but not limited to; legal proceedings, obtaining legal advice, assessment of potential fraud and establishing, exercising or defending legal rights. 

Health and Social Care Act 2008 – to carry out clinical audits and to take other quality improvement measures.

Your Rights

You have the following rights regarding your personal data which is processed under the lawful basis of legal obligations:

  • The right to be informed
  • The right of access: You have the right to ask us for copies of your personal information (known as a subject access request).
  • The right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • The right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have 1 month to respond to you.

If you would like to engage any of the aforementioned rights, please contact the-christie.dpo@nhs.net

Vital Interests (Article (1)(d))

Lawful Basis for Processing

Article 6(1)(d) ‘processing is necessary in order to protect the vital interests of the data subject or of another natural person’.

Purpose of Processing

The Trust processes personal data on the basis of vital interests only when it is deemed necessary to protect life. This basis for processing will only be utilised in situations of life and death, such as emergency health care, whereby you are unable to give consent yourself.

Your Rights

You have the following rights regarding your personal data which is processed under the lawful basis of your vital interests:

  • The right to be informed
  • The right of access: You have the right to ask us for copies of your personal information (known as a subject access request).
  • The right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • The right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
  • The right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have 1 month to respond to you.

If you would like to engage any of the aforementioned rights, please contact the-christie.dpo@nhs.net

Public Task (1)(e))

Lawful Basis for Processing

Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

The Article 9 condition for direct care is:

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...' to carry out clinical audits and to take other quality improvement measures.

The Article 9 condition for research is:

Article 9(2)(j) …. Scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on union or member state law which shall be proportionate,… and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subjects.

Article 9 (2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy’.

Purpose of Processing

The Trust processes personal data on the basis of public task for services including, but not limited to; direct healthcare provision, issue of SMS/Email to data subjects, establishment of sub processors for delivery of elements of direct care, safeguarding, management of serious untoward incidents, National clinical audits, research and statistical analysis and reporting.

Your Rights

You have the following rights regarding your personal data which is processed under the lawful basis of public task:

  • The right to be informed
  • The right of access: You have the right to ask us for copies of your personal information (known as a subject access request).
  • The right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • The right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • The right to object: You have the right to object to the processing of your personal information in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have 1 month to respond to you.

If you would like to engage any of the aforementioned rights, please contact the-christie.dpo@nhs.net

The Trust has secure storage solutions on our Withington site and at our back up centre in Bath, both of which meet national security standards.

On occasions where data is processed on our behalf be a data processor, a full data risk assessment is completed, to ensure the supplier meets the same national security standards, supported with ongoing assessment that those standards remain valid.

Your information is securely stored for the minimum time periods set out in the Records Management Code of Practice. We will then dispose of the information as recommended by the Records Management Code for example we will:

  • securely dispose of your information through secure confidential waste contracts or wiping hard drives to legal standards of WEEE destruction.
  • archive your information (historically significant service’s record may be archived with the local Archive Service, which is run by the Local Authority).
  • take another action (for example, retain anonymised copies of your data, longer than prescribed in the Records Management Code of Practice)

Under data protection law, you have rights including:

  • Your right of access - You have the right to ask us for copies of your personal information (known as a subject access request). The process for this can be found on our health records page. The Trust is now able to give you direct access to your appointment and feedback information through our MyChristie-MyHealth portal and encourage you to register to help keep you appointment information to hand, on your phone.
  • Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. The Trust has processes to verify your data. This includes directly from you when you visit us. By using the MyChristie-MyHealth portal, you can let us know if you spot any errors in information we hold, or if you change your address or phone number. Having the most accurate and up-to-date information is important to both you and us, and helps us give the best possible care.
  • Your right to erasure - You have the right to ask us to erase your personal information in limited certain circumstances.
  • Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in limited certain circumstances.
  • Your right to object to processing - You have the right to object to the processing of your personal information in limited certain circumstances.
  • Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us if you wish to make a request at:

Automated decision making

We may use your information to make automated decisions without human involvement, which could have substantial impact on a person, for example in staff recruitment or staff rostering. We may also use profiling, which refers to the use of personal data to predict things such as an individual’s health. 

Data usage beyond your individual care

The information collected about you when you use health and care services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear lawful basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential health and care information is only used like this when allowed by law.

Whenever possible data used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed.

You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.  

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

If you have any concerns about our use of your personal information, you can make a complaint to us at:

Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO; the UK regulatory body who monitor Data Protection compliance.

The ICO’s address is:    

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113 (local rate)

ICO website: https://www.ico.org.uk

We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law.

Date of last review

January 2025

These details are also available in a Child Friendly format:

Last updated: February 2025

© 2025 The Christie NHS Foundation Trust