Data Protection

Data Protection image

Home » Contact us » Data Protection

Data Protection (Information Governance)

We are committed to ensuring the personal information we hold is processed in line with data protection regulations, legislations and national guidance including, but not limited to, the General Data Protection Regulations (UK GDPR) and the Data Protection Act 2018.

We measure our compliance using the NHS Digital Data Security and Protection Toolkit. A self-assessment on line tool for which we provide evidence of our compliance.

All staff are required to complete mandatory data protection and security training.

We have policies and procedures in place which our staff (including, agency, temporary and volunteers) have a legal obligation to comply with.  

Information Governance Framework and Strategy

Records Management and Information Lifecycle Policy

Subject Access Requests & Access to Health Records Policy

Data Protection Policy

Important note: Information that has been held previously by NHS Bedfordshire, Luton and Milton Keynes Clinical Commissioning Group is transferring to the new NHS Bedfordshire, Luton and Milton Keynes Integrated Care Board on 1 July 2022. The new ICB will become the new data controller. Any questions about the use of data (including patient data) by the new ICB should be directed to

Data Protection Impact Assessments

As required by UK GDPR we conduct DPIAs, which help us to identify any risks which may occur from the implementation of new IT systems and processing of personal information. To view a list of DPIAs recently undertaken, please click here.

Information Sharing

All organisations that have access to NHS patient data and systems must use the Data Security and Protection Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

As a partner of the Bedfordshire Luton and Milton Keynes Health and Care Partnership, we are signed up to the overarching Information Sharing Agreement (ISA) to support the sharing of patient & service user information for the purpose of direct care.

Later this year this agreement will be replaced with the Shared Health and Care Record.

For more information about the Shared Heath and Care Record, please visit

Accessing my records

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 give individuals (“Data Subjects”) rights to accessing information held about them held by organisations (“Data Controllers”). GDPR places obligations on data controllers to handle and manage information in a specific way. GDPR relates specifically to information relating to living individuals.

The Access to Health Records Act 1990 (AHRA) deals with the disclosure of deceased persons’ health records. Under the AHRA when a person dies, their personal representative, executor, administrator, or anyone having a claim resulting from the death, has a right to apply for access to the deceased’s health records. Where the record indicates that the deceased person did not wish their information to be disclosed, this must remain so unless a court order is obtained. The deceased patient’s health record access is provided on the basis of the request under AHRA as common law of confidentiality remains after a person is deceased.

Who has the right of access?

This right of access is mainly for the patient him/herself. This gives you the reassurance that your records are not accessed inappropriately.

There are certain circumstances where someone else may have the right to access your medical records:

  • Where you have given someone else permission to access your records and have given your consent in writing.
  • Where you are not in a position to give consent and are not capable of managing your own affairs – in which case the person responsible for managing your affairs will normally have the right of access.
  • In the case of a child, the parent(s) will normally have the right of access although this is at the discretion of the organisational holding the record.
  • Following your death, then your personal representative or the person managing your affairs will normally have the right of access to relevant parts of your health record.
  • There are also certain other rights of access laid down in law, where a legitimate request has been made as part of a criminal investigation. Information will normally only be provided with the consent of the individual concerned, but there are certain exceptions to this.

Applying to access your records

All requests for personal information must be in writing, this form aims to make the process easier for you if you want to make a request for information that the ICB holds about you, or a deceased individual then please complete our Access to Health records form. Requests can also be made verbally but we may require population of this form also to gather further information about you and the information you are requesting.

Under GDPR, this is called a Subject Access Request (SAR). Under the AHRA this form can also be used to request information about a deceased patient’s records.

For us to release records we need to have proof of ID and assure ourselves of the legitimacy of the request. The ICB is not obliged to comply with a request unless we are supplied with such information as we may reasonably require satisfying ourselves of the identity of the requestor. There is no fee to pay for a first request. Subsequent requests may carry a charge.

If you wish to ask us for confirmation of whether we process data about you or access your personal data, then please complete the following form Subject Access & Access to Health Records Request form and contact:

If you are unable to print the form, please email our IG Department who will be happy to assist you

To submit a request please complete the form and send it to us as instructed in the form. Following receipt of your form we will do all we can to provide you with the requested information within 30 calendar days. An extension may well be required if the request is complex in nature.

Privacy Notice

Our Privacy Notice (sometimes referred to as a Fair Processing Notice) provides details about the information we collect and hold, what we do with it, how we look after it, who we might share it with and your rights.

It covers information we collect directly from you or receive from other individuals or organisations and which organisations process it on our behalf.

View our Privacy Notice.

Data Protection Team

If you would like to discuss any information on this webpage or within our Privacy notice, please contact our IG team at blmkicb.ig@nhs.netor via telephone on 07810 858088