Back to Main Website
Disclosure Log
Contact Details

Fair Processing Notice - General (Patients)

Information relating to a living, identifiable information i.e. information which is about you and identifies you is your personal data.

The Data Protection Act (DPA), superceded in May 2018 by the UK General Data Protection Regulations and the Data Protection Act (2018), requires that the Trust processes personal data fairly and lawfully. The requirement to process personal data fairly and lawfully is set out in the first data protection principle and is one of six such principles at the heart of data protection. The main purpose of these principles is to protect the interests of the individuals whose personal data is being processed. They apply to everything we do with personal data, except where we are entitled to an exemption. For more information, please visit the Information Commissioner`s Office.

Organisations such as Stockport NHS Foundation Trust (the Trust) are ‘data controllers’ for the purposes of the DPA because we process personal data. ‘Processing’ means anything that is done to the data including just holding them in a file or computer system.

The DPA gives individuals (known as data subjects) a number of rights in relation to their personal data and sets out rules that must be followed by data controllers when they process personal data. As a data controller the Trust must ensure it complies with the DPA.

The DPA contains six principles of good information handling. The Trust must ensure that your personal data are processed in accordance with these principles unless the DPA states it does not have to.

These principles are outlined below:

  1. Personal data must be processed fairly and lawfully.
  2. Information must be processed for specified, xplicit and legitimate reason(s)
  3. Personal data must be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.
  4. Personal data must be accurate and kept up-to-date.
  5. Personal data processed for any purpose(s) must not be kept for longer than is necessary for that purpose.
  6. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Data subjects have a number of rights under the DPA. These include:

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. 

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances. 

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances. 

Your right to object to processing

You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests. 

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. 

Further information on your rights is available on the Data Protection section of our website.

The Information Commissioner is an independent regulator who provides advice and guidance about the DPA and ensures data controllers comply with it.

The Information Commissioner’s Office (ICO) can investigate complaints about alleged contraventions of the DPA and where necessary, can order data controllers to take specific action or even prosecute them if they are not complying with the DPA.

From 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 requires every organisation or sole trader who processes personal information to pay a data protection fee to the ICO, unless they are exempt.

The ICO publishes a register of those organisations who have paid the appropriate fee and you can search the register of fee payers here

For more information about data protection within the Trust please contact the Data Protection Officer at

If you require independent advice and guidance about the DPA in general, please contact the ICO or visit its website.

If you want to make a subject access request (SAR) to the Trust for copies of the personal data it processes about you, please see the section called Accessing your personal data  and complete and return the SAR Form.

Further information about how the Trust processes patient information can be found in the Patient Information Leaflet