- What is a privacy notice?
- The information we hold about you
- Keeping your information safe and accurate
- Supporting your direct care
- Supporting other medical purposes
- Your right to refuse - the National Data Opt-Out
- What your objection covers
- Other rights
- If you are a carer ...
- If you are a parent ...
- SMS for appointments
- Raising a concern
- Further Information
What is a privacy notice?
A Privacy Notice is a statement by the Trust to patients, visitors, carers, and the public that describes how we collect, use, retain and disclose personal information that we hold about you. This privacy notice is part of our commitment to ensure that we process your personal information fairly and lawfully. This notice also explains what rights you have to control how we use your information.
The Data Protection Act and General Data Protection Regulation (GDPR) controls how your personal information is used by organisations. Under the Act, the Trust is defined as a ‘data controller’ of personal information that we hold. We collect information to help us provide and manage healthcare for our patients.
In order for the Trust to be able to process your information lawfully, we are obliged to satisfy a condition under Article 6 and, where special category data (sensitive information) is being processed, under Article 9 of the GDPR. The following legal bases will apply: 6(1)(e) ‘for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’; and: 9(2)(h) ‘Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional’.
The trust is registered with the Information Commissioner’s Office (registration number ZA030561).
The information we hold about you
We keep records about your health and any treatment and care you receive from us. This helps to ensure that you receive the best possible care from us. The information we collect normally includes:
- Name, address, date of birth, NHS number and next of kin details,
- Contacts we have had with you, such as appointments and/or home visits,
- Information about your health, such as details of diagnosis, health conditions, allergies and the treatment and care you have received,
- Relevant information from other health and social care professionals in order to support the care you receive from us.
The trust also records CCTV images for the prevention and detection of crime.
Keeping your information safe and accurate
We always keep your information securely, and have strict rules about who can access it and how it can be used. We do our best to keep it accurate and up-to-date, so we will often check it with you when you attend one of our hospitals.
This leaflet describes the circumstances in which we may share your information with other organisations.
We have a legal duty to keep information about you confidential. We expect all our partner organisations to apply the same strict security to your records as we do, and we make sure appropriate safeguards are in place before sharing any information.
We will only share your information in strict accordance with the law, and we never use or sell it for commercial purposes.
Supporting your direct care
The Trust uses your personal information to provide healthcare to you and for purposes directly related to that healthcare (such as booking and managing appointments).
Your information may be used for clinical audit, where the team involved in your care and those working to support them will check the quality and outcomes of the treatment provided.
If you receive care from other health & social care professionals, we may share with them the information we hold about you to improve your care. In some cases, such as where we deliver a service jointly with other healthcare provider organisations, we will share information about all patients receiving that service. The department where you are being treated will be able to tell you if this applies for the particular type of care you are receiving.
Supporting other medical purposes
The Trust may use information about you, and the care you have received, to improve the healthcare we provide to all patients. This includes medical research, monitoring and improving our services, and for other medical purposes where we believe there is a public benefit. If your information would be shared outside the team that provided care to you, or those working to support them, we would first anonymise it so that you cannot be identified.
In order to improve services we also participate in national schemes, such as patient surveys to gain feedback from patients about their experience at the Trust. These are completed voluntarily and we may, on occasion, contact you to discuss the feedback you provided if you supplied contact details. For some surveys, the Trust employs third party services to collect and process the data. The Trust only appoints processors who can provide sufficient guarantees that the requirements of the GDPR are met and that the rights of patients are protected.
The Trust carries out audits of care, which also collect data from NHS organisations all over the country. We can normally only do this if there is a lawful basis provided by the Secretary of State for Health or the Health Research Authority, or else with your explicit consent. The department where you are being treated will be able to tell you about any national schemes for the particular type of care you are receiving.
We also use your information to ensure we are paid correctly for the services that we have delivered.
Your right to refuse - the National Data Opt-Out
We will always seek your consent to share your information with organisations for purposes other than your direct care. You have a right to object to the use of your information for any purpose other than your own direct care at any time. This is also referred to as ‘opting out’. The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning. To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.
On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at: https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and: https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made).
If you choose to register your choice to opt-out, we will exclude your information from all such other uses, or else anonymise it so that you cannot be identified. For example:
- The Trust regularly participates in national surveys (such as the A&E Survey), where some of our patients are invited to complete questionnaires. We would exclude your information completely from this type of survey
- The Trust is required to submit data on hospital attendances to a national database known as the Secondary Uses Service. We cannot exclude your data, but we would anonymise it so that you cannot be identified
Please note that in exceptional circumstances we may need to share information without your permission if:
- it is in the public interest – for example, there is a risk of death or serious harm
- there is a legal need to share it – for example, sharing information with appropriate agencies for child protection purposes
- a court order tells us that we must share it
- there is a legitimate enquiry from the police under the Data Protection Act for information related to a serious crime
What your objection covers
Your objection applies to all information held about you which is not related to your own direct care.
The Trust is required by law to report certain information to other public authorities, including notifications of births, deaths, and infectious diseases.
You can always ask your health professional to show you the information that is available to them while they treat you. If you do not understand parts of it, they will be able to explain it.
The right of subject access applies to the individual patient, and can normally be exercised by somebody else only if the patient is incapable of making their own decisions. If you care for somebody who lacks the capability to make their own decisions, or if you have parental responsibility for a child, please read the additional guidance below.
If you are a carer …
If you have lasting power of attorney for health & welfare, you can make decisions on behalf of the patient. We will ask to see evidence of that power.
Otherwise, please speak to the health professional treating the patient. They will be able to make a decision based on the patient’s best interests, taking your views into account.
If you are a parent …
If you have parental responsibility for a child, you can only make decisions on their behalf until they are mature enough to understand and make an informed decision for themselves. We will normally try to seek independent consent from any child aged 12 or over, but the health professional treating them will always make a decision based on the individual child and their maturity.
In addition, you also have the right to request that the Trust corrects any personal information if it is found to be inaccurate or out of date, and also erase information if it is no longer necessary for the Trust to retain such data.
All patient records are destroyed in accordance with the Department of Health’s Records Management Code of Practice for Health and Social Care 2016, which sets out the appropriate length of time each type of NHS records is retained. All records are securely destroyed once their retention period has been met and the Trust has made the decision that the records are no longer required.
SMS for appointments
To keep our patients informed about appointments and to cut down on DNAs, we send information out via SMS as appointment reminders for our patients. If you do not want to receive these alerts to your mobile phone, please let us know and we will remove you from this appointment service.
Raising a concern
Patients who have a concern about the way their records have been handled or shared should contact the Patient Advice & Liaison Service (PALS) (details below).
Additionally, patients have the right to complain to the Information Commissioner if they should ever be dissatisfied with the way the Trust has handled or shared their personal information (details below).
Under data protection legislation the Trust is required to have a Data Protection Officer (DPO) and it is their role to:
- Inform and advise the organisation and its employees about their obligations to comply with applicable data protection legislation;
- Support and monitor compliance with applicable data protection legislation;
- Be the first point of contact for individuals whose data is being processed.
The Trust’s Data Protection Officer is Jane Townsend; Information Governance Manager, and you can contact them by:
- Telephone – 01932 722 416
Further information regarding the role of the DPO and more about your rights can be found on the Information Commissioner’s Office website - www.ico.org.uk
Other people with related responsibilities:
In addition to the DPO, the Trust has in place the following people with related responsibilities:
- The Director of Finance & Information acts as Senior Information Risk Owner (SIRO) and they are accountable and responsible for information risk across the organisation. They have responsibility for ensuring the organisation complies with data protection legislation and that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately.
- The Medical Director acts as Caldicott Guardian and they have responsibility for protecting the confidentiality of people’s health and care information and making sure it is used properly. All NHS organisations must have a Caldicott Guardian.
- Information Governance Team support the above roles in discharging their data related responsibilities.