Data Protection

Data Protection image

Home » Contact us » Data Protection

Data Protection (Information Governance)

We are committed to ensuring the personal information we hold is processed in line with data protection regulations, legislations and national guidance including, but not limited to, the General Data Protection Regulations (UK GDPR) and the Data Protection Act 2018.

We measure our compliance using the NHS Digital Data Security and Protection Toolkit. A self-assessment on line tool for which we provide evidence of our compliance. All staff are required to complete mandatory data protection and security training.

We have policies and procedures in place which our staff (including, agency, temporary and volunteers) have a legal obligation to comply with.  

Data Protection Impact Assessments

As required by UK GDPR we conduct DPIAs, which help us to identify any risks which may occur from the implementation of new IT systems and processing of personal information. To view a list of DPIAs recently undertaken, please click here.

Information Sharing

All organisations that have access to NHS patient data and systems must use the Data Security and Protection Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

As a partner of the Bedfordshire Luton and Milton Keynes Health and Care Partnership, we are signed up to the overarching Information Sharing Agreement (ISA) to support the sharing of patient & service user information for the purpose of direct care.

Later this year this agreement will be replaced with the Shared Health and Care Record. For more information about the Shared Heath and Care Record, please visit

Subject Access & Access to Health Records Requests

UK GDPR gives you (or your authorised representative e.g. somebody who has Power of Attorney to deal with your affairs) the right to request and be provided with a copy of the information we hold about you. This is known as ‘the right of access’, also more commonly known as a Subject Access Request (SAR).

Some individuals may also have the right (under the Access to Health Records (Deceased) Act), to request and be provided with information we hold about a deceased individual. However, strict exemptions do apply.

To submit a request please print and complete the form below and send it to us as instructed in the form. Following receipt of your form we will do all we can to provide you with the requested information within 30 calendar days.

Subject Access & Access to Health Records Request form

If you are unable to print the form, please email our IG Department who will be happy to assist you

Fair Processing Notice

Our Fair Processing Notice (sometimes referred to as a Privacy Notice) provides details about the information we collect and hold, what we do with it, how we look after it, who we might share it with and your rights.

It covers information we collect directly from you or receive from other individuals or organisations and which organisations process it on our behalf.

View our Fair Processing Notice.

Information that has been held previously by NHS Bedfordshire, Luton and Milton Keynes Clinical Commissioning Group is transferring to the new NHS Bedfordshire, Luton and Milton Keynes Integrated Care Board on 1 July 2022. The new ICB will become the new data controller. Any questions about the use of data (including patient data) by the new ICB should be directed to