Your information

Your information

We process personal information for a number of reasons. This page contains details of what information we might process about you, who we might share it with and what legal basis we have for its processing. 

Under the General Data Protection Regulation (GDPR), East Midlands Ambulance Service NHS Trust (EMAS) is the Data Controller for any personal information it processes. Our contact address is East Midlands Ambulance Service NHS Trust, Trust HQ, 1 Horizon Place, Mellors Way, Nottingham NG8 6PY.

The Data Protection Officer is Janette Kirk, Head of Information Governance. Janette can be contacted at 

Data Protection Policy

Personal information is information about a living person such as name, address, date of birth and National Insurance number that can identify hat person. 

There is also personal information that is considered to be more sensitive (known as special category data) under the General Data Protection Regulation (GDPR). This includes details of race, ethnic origin, political opinion, religious beliefs, sex life, sexual orientation, trade union membership, health data and biometric and genetic data.

In order to process personal information, we must make sure we comply with a specific section of the GDPR, (Article 6); however, when we  process the sensitive information, we must also comply with another section of the law (Article 9). Further information can be found in the 'what legal basis do we have for processing personal information'section.

We have a Data Protection Policy in place and this provides further information.

We will use information you have provided for the following purposes:

  • To support your health and care
  • For invoice validation for example, if a service has been provided to you that is being paid for by another organisation
  • To identify services that will benefit you and your health and care

We will share your information with other NHS and social care organisations to support your care and treatment. For example, if you call 999 and we take you to hospital, we will pass on your information to the nurse or doctor there so they can see what treatment or medicines we may have given.  We also have a legal obligation to share with Coroners in certain circumstances.  As we are unable to remove or blank out any of the details, this information may include other individuals personal information that may be included in a 'disclosure bundle' prepared by the coroner.

There are other circumstances where we will share your information with other third parties. However, we will ensure that there is a legal reason for doing so and that the correct processes have been followed before we do so. This sharing will be supported by an information sharing agreement that will be signed by the relevant organisations. This agreement will provide details about why the information is being shared, making sure that it is legal, what information is being shared and how it will be protected.  If we are introducing a new service or system, we will conduct a Data Protection Impact Assessment which will identify any areas of concern before any sharing is carried out.  This allows us to put steps in place to protect your information.  We keep a log of all assessments completed which can be made available on request.

If we are sharing your information for research purposes, we will ask for your consent to do this. Even if you do consent, you are allowed to withdraw this consent at any time if you change your mind.

We will always try to remove any information that may identify you if it is not necessary. Statistical information often only requires anonymised data and this will always be used whenever possible.

We can also share your personal information with law enforcement agencies, such as the police or Her Majesty's Revenue and Customs.  Disclosures to these would be made under certain laws that we must comply with.

We are also legally required to share your information to support the National Fraud Initiative (NFI).  To view a copy of the NFI Privacy notice, please click here.

Your personal information may be transferred outside of the UK, for example if a cloud service is hosted in the United States. If it is transferred, this will be done so under a contract. This will state that it will need to given the same level of protection as the GDPR provides to information remaining within the UK and European Union.

We will never share or sell your personal information for marketing purposes including with marketing, insurance companies, etc.  

In the GDPR, Article 6, we are able to process your personal information if one of the following conditions have been met:

a)    Consent – you have given clear consent (this can be withdrawn at any time).

b)    Contract – the processing is necessary for a contract we have with you.

c)    Legal obligation – the processing is necessary to comply with the law.

d)    Vital interests – the processing is necessary to protect someone’s life.

e)    Public task – the processing is necessary to perform a task in the public interest or for official functions that have a clear basis in law. In short, this would be for our core business - providing emergency and urgent care.

f)    Legitimate interests – this can only be used by public authorities, like the NHS, if it is not part of the core business but there is a legitimate reason to process the information. This would have to be clearly documented.

In order to process your sensitive information, we would have to meet one of the following conditions (Article 9 of the GDPR) as well as one of those stated above. These are:

a)    You have given your explicit consent (this can be withdrawn at any time).

b)    Processing is necessary for the purposes of carrying out obligations in the area of employment and social security law.

c)    Processing is necessary to protect the vital interests of an individual or another person where the individual is physically or legally incapable of giving consent.

d)    Processing is carried out in the course of the legitimate activities of not for profit organisations with a political religious or trade union interest.

e)    Processing relates to personal data which has been made public by the data subject.

f)    Processing is necessary for the establishment, exercise or defence of legal claims.

g)    Processing is necessary for the reasons of substantial public interest.

h)    Processing is necessary for the purposes of preventative or occupational medicine, medical diagnosis, the provision of health or social care treatment or the management of health or social care systems.

I)    Processing is necessary for reasons of public interest in the area of public health.

j)    Processing is necessary for archiving purposes in the public interest.

The vast majority of sensitive information is processed in accordance with (h).

Data Protection Rights Procedure

Under the General Data Protection Regulation (GDPR), individuals have specific rights. These allow you to:

  • request a copy of any personal information we hold about you
  • request that your information is corrected if you think it is wrong
  • request us to stop processing your information if you think it is no longer necessary to do so
  • request us to stop processing your information until it is corrected
  • be informed about the collection and use of personal information
  • request that personal information about you is erased (or forgotten)
  • have your personal data transferred to another service (if technology is compatible)
  • object to the processing of your personal information
  • object to processing that is done purely by automated means - no manual intervention has been involved.

Not all of these rights are automatic as there may be a legitimate reason why we cannot meet your request, for example we cannot erase your medical record. If we are unable to meet your request, we will let you know the reason for this.

Read our Data Protection Rights Procedure.

The length of time we are required to keep your personal information for is often dictated by law. This includes your health records. We follow the guidance in the Records Management Code of Practice for Health and Social Care. You can view this code of practice by clicking on the following link: Records Management Code of Practice



If you wish to ask a question about a data protection issue or if you have any concerns about how we process your information, you can contact the Data Protection Officer at:

Data Protection Officer

Information Governance and Compliance Team

East Midlands Ambulance Service NHS Trust

Nottinghamshire Divisional Headquarters

Beechdale Road

Nottingham NG8 3LL

If you would like to contact us to request your personal information or to invoke any of the other rights you have under the General Data Protection Regulation (GDPR), you can contact us as at or on 0115 884 5000.

If you are not satisfied with the way we have handled your personal information after you have complained, you can contact the national regulator, the Information Commissioner's Office, at:

The Office of the Information Commissioner

Wycliffe House

Water Lane






There are lots of organisations that can provide more information about confidentiality and personal information. The Information Commissioner's Office (ICO) is the English supervisory authority and oversees compliance with the GDPR (amongst other legislation). The link to their website is ICO

More general information and guidance has been developed by NHS Digital

Read the complete GDPR.

Contact us or on 0115 884 5000