About Nottingham University Hospitals NHS Trust

As one of the largest NHS Trusts in the UK, NUH receives thousands of data access and freedom of information (FOI) requests every year.

For a public body, incorrect handling of data requests could mean more than inefficiency; it could erode trust. So when their legacy system for Subject Access Requests (SARs) and FOIs became a challenge, they knew something had to change.

  • Employees: 19,000
  • Hospitals: 4
  • SARs processed annually: 10,000

Challenge

Limited systems, visibility, and increasing demand

“Historically, there was a mixture of requests received via paper forms and sometimes email, a large proportion was received through the post, and there was a need to standardize, centralize and digitalize. It was certainly a challenge due to the increasing volume,” said Marc Wilson, Head of Information Security & Data Protection Officer.

Marc’s role is to support the Trust in meeting its legal obligations under the Data Protection Act, particularly around individuals’ rights of access. With thousands of requests per year and a 30-day response window, the Trust’s historical process and system made it difficult to keep up.

“Our previous system had challenges in relation to its user interface and being user friendly. We were looking for a solution with a more intuitive and streamlined interface. Additionally, as a team we’d lose hours scanning and logging as part of the manual process,” added Andrew Tait, Data Protection & Security Support Specialist, who handled SARs daily.

FOIs, unfortunately, were a similar challenge.

“It was literally a spreadsheet and email chains,” Andrew shared. “If someone was off work, we struggled to locate where requests were in the process. It created confusion and audit challenges.”

A clear vision: end the manual processes and bring transparency

NUH didn’t just want a new system—they needed control, visibility, and efficiency. The team defined their top three must-haves:

  • Robust reporting for both team and senior management
  • Structured task management for SARs and FOIs
  • A single view of every case and action across the Trust

The NUH team was already using CoreStream GRC’s Information Asset Management module and decided to expand their investment by customizing the solution further to meet their unique requirements and processes for managing SARs and FOIs.

Solution

CoreStream GRC as a central hub for data protection

Working closely with CoreStream GRC’s team, particularly their account manager Sophie, the Trust rolled out a highly customized solution tailored to their needs.

“CoreStream GRC gives us the entire picture, we know where to focus now, this is helping prioritize and future plan,” said Marc.

The benefits were immediate for the NHS Trust:

  • Automations replaced manual tasks: “We went from 5-10 minutes for 1 task to just 5 clicks—less than a minute – we counted!” Andrew said.
  • Massive time savings: “I’d say each user saves 3 to 5 hours a week. Probably more, but it is of course difficult to quantify and articulate,” added Andrew.
  • Full audit trail: “People’s responsibilities are clear. It’s clear now for everyone to see at which part of the process requests are,” said Andrew.
  • Strategic clarity: “I’ve used the data to understand trends and plan ahead alongside reviewing resources – It’s powerful and enables us to plan resource needed to continue to improve,” Marc explained.
  • Simplified training and onboarding: Andrew created 2–3 minute training videos and reported new users are up to speed in under 15 minutes thanks to CoreStream GRC’s intuitive design.
  • Improved communication: “We used to spend Wednesday mornings chasing FOI leads manually. Now it’s all automated, we’ve got our Wednesday mornings back,” said Andrew.

Real impact: from challenges to full control for the NHS Trust

Before CoreStream GRC, nobody had answers. Now everything is logged, tracked, and actionable.

“Before, record keeping and filing was a challenge due to the volume. Now, the system is digitalized and standardized, giving us more accessibility and visibility.” – Andrew Tait

“The data from CoreStream has been crucial. It’s helped us plan ahead and resource with confidence.” – Marc Wilson

CoreStream GRC has become a strategic enabler for NUH, not just a system. It made processes auditable, and empowered the team, from frontline users like Andrew and FOI leads, to senior leadership like Marc, to spend less time chasing data and more time using it.

A trusted partnership in privacy management

CoreStream GRC’s approach isn’t just product-first—it’s partnership-led.

“Sophie’s [account manager] been really, really good. She understands our pain points, our volumes, and why we need something different. We’ve built a solution that works for us, but it’s transferable, not bespoke. That makes it more powerful for everyone.” – Marc Wilson

Conclusion: see everything, improve customer service

CoreStream GRC gave Nottingham University Hospitals NHS Trust something they never had before: complete, end-to-end visibility across SARs and FOIs. In doing so, they didn’t just develop and streamline; they transformed. They reclaimed hours of work each week, gained strategic oversight, and ensured no request slips through the cracks. The Trust can now take this tool forward to address increasing demand in the future and continue to improve the service to those it serves.

“I’d rather see the whole picture, even if that can often feel daunting, and CoreStream GRC has allowed us to have this. It’s great and we can now openly work to plan ahead and identify areas to continue to improve the service we provide.” – Marc Wilson

About CoreStream GRC

The flexible, no-code solution for GRC success

CoreStream GRC is a dynamic, flexible platform that revolutionizes governance, risk, and compliance (GRC) management. Built to be scalable and intuitive, CoreStream GRC empowers organizations to design and implement their ideal GRC solution with ease, supported by a team of experts who truly understand the demands of the public sector.

CoreStream is a trusted partner to numerous NHS Trusts across the UK, helping teams stay compliant with privacy regulations while streamlining high-volume processes like SARs and FOIs. From Nottingham University Hospitals NHS Trust to NHS Health Education England and many others, our clients rely on CoreStream GRC to bring structure, automation, and transparency to their data management and compliance workflows.

With a user-friendly, no-code interface and customizable features, CoreStream GRC is the ideal solution for public sector organizations seeking clarity, accountability, and real results—without the complexity of traditional software.

Want to see the GRC platform in action?

Follow Sophie Lis, our Director of Compliance and Information Governance on LinkedIn here to catch her weekly privacy posts.
