Privacy Notice for Our Service Users

We collect and hold personal information about you when you use or come into contact with our services. This information may be held electronically (in our computer systems) and/or in paper form, depending on the service(s) you have accessed.

Healthcare

To support the provision of your healthcare, we collect:

• Basic details about you, such as your name, address, date of birth, next of kin and GP.
• Additional Contact information such as telephone number (home and/or mobile) and email address – where you have provided it to enable us to communicate with you by email and text.
• A record of dates when we’ve had contact with you. For example, attendances at an outpatient clinic, a visit to the A&E department, or a stay in hospital.
• Clinical notes made by our doctors and other healthcare professionals during these contacts detailing presenting symptoms, allergies, medication, diagnosis and treatment, along with any chronic (long-lasting) health conditions, such as diabetes or asthma.
• Results of investigations that may have been undertaken, like blood tests, x-rays and scans.
• Information from other health professionals that have been involved in your care or that have asked us to be involved in your care, for example, your GP.
• Lifestyle information that may be clinically relevant, such as whether or not you smoke.
• Your ethnicity, as this can be linked to certain medical conditions.
• Your religious beliefs, as this may affect how you wish to be treated in certain circumstances.
• There may also be information from other people involved in your care, such as a relative or someone who helps to care for you.
• Personal data about other people who are involved in, or may have an impact on your health and social care, for example relatives, friends, people you live with, people who attend hospital with you and people who visit you in hospital.

This information is used to:

In the first instance, the doctors and other healthcare professionals create and keep a detailed record of your clinical care to provide a continuous record about your past and current health, because this helps to guide and manage the care you receive.

Sometimes, as part of the care package that is offered to you by our Trust, we undertake routine reviews and/or screening of results. As part of a routine review or screening, we may complete any of the following actions:

• Contact your Clinical Care team at the Trust who might be managing any pre-existing conditions.
• Contact your GP, if the request originated from them.
• Occasionally we may contact you or your nominated representative directly.

We aim to provide you with high-quality, safe care. We may also use the information we collect and hold about you to help us to run and improve the services we provide, along with those of the wider NHS. For example, to help us to:

• Provide you with the best possible care.
• Inform decisions that we make about your care.
• Ensure that your treatment is safe and effective.
• Work effectively with others who may be involved in your care, e.g. your GP.
• Review the care we have given to our patients, helping us to ensure that it is of the highest possible standard.
• Report on how effective our services are/have been.
• Investigate complaints, legal claims and untoward incidents.
• Look after the health of the general public.
• Plan services to meet patient needs in the future
• Support clinical audit, which helps us to monitor and improve patient care and outcomes via systematic review of care against explicit criteria. Where indicated, changes are implemented and further monitoring is used to confirm that we have improved our healthcare delivery
• Ensure that the funds allocated to our Trust are used properly and provide value for money.
• Educate and train healthcare professionals.
• Undertake research (the local Research Ethics Committee will be asked to review research requests).
• Prepare statistics on our performance.

You can find out more about our individual services on our website. Many of our services also provide leaflets to explain more about the care and treatment they provide.

SMS Texting and Call Recording

When you attend the Trust for an appointment or procedure you may be asked to confirm that we are holding a correct contact number (home and/or mobile) for you. Where provided to us, this may be used to send you, via text messages and/or automated calls, reminders of upcoming appointments and on occasion to provide you with the option to confirm or cancel your attendance.

By providing these details to us, we can assist the delivery of care to our patients by ensuring best use of the time available for appointments and procedures at the Trust.

When you contact the Trust by telephone, calls are routinely recorded for the following purposes:

• To prevent crime, misuse and to protect staff.
• To ensure that our staff are complying with Trust policies and procedures.
• To ensure quality control.
• For training, monitoring and service improvement.

Digital Technology

The Trust uses a combination of working practices and technologies to ensure that we are able to offer you the best possible care. Advances in technology mean that we are now utilising digital technology to complement our ‘in-Trust’ care to you and, any digital technology implemented within the Trust is assessed to ensure it provides the necessary security assurances.

The ways in which digital technology may be used as part of your care may include, but is not limited to:

• ‘Virtual’ Patient to Clinician Consultations, using video technology.
• Digital meetings held within the Trust for the purpose of discussing your care pathway, for example a Clinician to Clinician discussion, or a Multi-Disciplinary Meeting (MDT), attended by different Trust departments and/or our external partners (see ‘Sharing your Information’)
• Digitally held patient record for all or part of your stay with us.
• Ensuring that your medical information is digitally available at the ‘Point of Care’ to those who need it to complete your treatment
• Patient participation in digital education sessions or classes for training or information purposes.
• Virtual tours of Trust departments.
• Participation in digitally held meetings or forums
• Collection of your digital contact details such as an Email Address or Mobile Telephone Number to facilitate a digital way of undertaking any aspect of your care (see ‘What We Collect, Why and How It Is Used’)

The Trust realises that not everyone will be able to access or be comfortable with the digital technology that we can offer. If this reflects your circumstances and you are offered digital technology as part of your care package, for example a Virtual Consultation, please let your Clinician know. Your treatment will continue using a non-digital pathway and the level of care we offer you will not be affected in any way.

If any aspect of your care pathway is undertaken digitally, this will be fully documented in your patient record.

Research

The Trust is a centre of clinical and research excellence providing quality up to date care.  We are actively involved in undertaking research to help improve the care and treatment of our patients.  We believe that research matters and saves lives – today’s research is tomorrow’s care.

A member of your healthcare team may review your patient record and discuss current clinical trials and research studies with you. If this happens, the study will be explained to you in detail and you will be given a patient information sheet. You will have the chance to ask questions and speak with family and friends about taking part, and will be given time to make your decision. If you agree to take part in a study, you will be asked to sign a consent form and will be given a copy to keep.  Personal data (data that can identify you) may be shared (dependant on the study, and if so, you will be informed) with external research organisations, such as other NHS organisations, universities, charities and commercial companies exclusively for scientific research purposes.

Surveys

We may occasionally ask for feedback in relation to your care or treatment by sending a survey to your home address. In all cases they will have a covering letter from either the Chief Executive of the Trust or other Senior Director. This letter will be sent directly from us or from a trusted partner organisation. We use the information from these surveys to influence the care and treatment that we provide and will not share the information we collect for any other purpose.

These surveys are voluntary, and anonymous. Please be assured that your future care and treatment at our hospitals will not be affected as a result of you completing these surveys or not.

The Trust is legally obliged to carry out an annual review of our patient’s healthcare experiences and to do this, some surveys are managed directly by external organisations such as NHS England, Public Health England, or NHS Digital. These surveys may be sent directly to your home address without your prior knowledge or consent. To enable them to do this, the survey provider must apply to the NHS Health Research Authority (HRA) for special permission. If the HRA feels that the aims of the survey are in the public interest, it will allow them to proceed under a special notice called a Section 251.

Whilst we value your feedback, we understand you may wish to opt out of these surveys. Surveys both at the Trust and those managed at a national level will normally operate their own opt out policy. If you prefer not to receive Trust surveys, please inform a member of staff who will inform the Patient Experience team. If you want to opt out of a nationally managed survey, you can contact the provider directly and there will usually be opt out information on the survey you have received, alternatively our staff will be able to help you find the information you need.

You may choose to opt out at a National level (please see the section on ‘National Data Opt Out’ under ‘Lawful Processing’). However, if you choose to stop your confidential patient information being used for research and planning, your data might still be used in some situations:

• When required by law

If there’s a legal requirement to provide it, such as a court order.

• When you have given consent

If you have given your consent, such as for a medical research study.

• When there is an overriding public interest

In an emergency or in a situation when the safety of others is most important. For example, to help manage contagious diseases like coronavirus and stop them spreading.

• When information that can identify you is removed

Information about your health care or treatment might still be used in research and planning if the information that can identify you is removed first.

• When there is a specific exclusion

Your confidential patient information can still be used in a small number of situations. For example, for official national statistics like a population census.

Some surveys with a Section 251 approval are exempt from the National Data Opt Out.

You can opt out by using an online form, post or telephone. All of the information that you need to opt-out can be found on the website, ‘Your NHS Data Matters’.

Images and Audio

The Trust uses surveillance equipment in the form of Closed Circuit Television (CCTV), Body Worn Video (BWV) and Automatic Number Plate Recognition (ANPR) across the Trust footprint. The images (and audio from BWV) are used to help:

• Increase personal safety and reduce the fear of crime.
• Support the Police and the LSMS (designated NHS Local Security Management Specialist) in a bid to deter, detect and prevent crime.
• Assist in identifying, apprehending and prosecuting offenders.
• Protect the Trust buildings and other assets.
• Protect members of the public, patients, staff and private property.
• Assist in traffic management.
• Assist in the management of health and safety.
• Assist in the investigation of civil claims.
• Assist in disciplinary investigations.
• Monitor patient safety during clinical procedures.

Please note BWV is worn and used only by the Hospital Safety Team Officers (HSTO) who are trained in its use and application. The equipment will only be activated if the HSTO believes that an incident is occurring or is about to occur. In addition to the above, BWV also aims to:

• Support a reduction in the number of incidents of violence and aggression.
• Support an increase in the number of prosecutions for violence and/or disorder.
• Mitigate any malicious complaints against security staff.

ANPR is used in some of our car parks to facilitate staff access but will, by its nature, capture all number plates as vehicles enter and leave premises.

Direct Care Purposes

We share information with a number of organisations^[4], and these same organisations may share information with us; for example, when your GP refers you to one of our healthcare professionals for care or treatment.

Everyone working within the NHS has a legal duty to keep information about you secure and confidential. Similarly, anyone who receives information from us has a legal duty to keep it secure and confidential. This is included in our staff contracts of employment. If you have any questions about who your information is being shared with, please do not hesitate to ask the health professional in charge of your care.

We share information with partner organisations so that you may receive the best possible care, such as:

• General Practitioners – Your GP.
• Other NHS Trusts – Hospitals that are involved in your care.
• Ambulance Services.

You may be receiving care from other service providers as well as the NHS; for example, social care services. We may need to share some information about you with them so we can all work together for your benefit. We will do this when they have a genuine need for it as part of your care, or we have your permission. Therefore, we may also share your information with:

• Social Care Services.
• Education Services.
• Local Authorities; and,
• Voluntary and private sector providers working with the NHS.

Indirect Care Purposes

There are strict regulations around how your information may be used for purposes other than your direct health care. As a Trust we may also use information we hold about you to:

• Review the care we provide to ensure we are delivering care to the highest quality.
• Ensure our services can meet patient needs in the future.
• Investigate patient queries, complaints and legal claims.
• Ensure the hospital receives payment for the care you receive.
• Prepare statistics regarding our NHS performance.
• Help train and educate healthcare professionals.

For these purposes we must be able to allocate a basis in law for the processing, otherwise it must not take place. Please see the sections on ‘Lawful Processing’ and ‘National Data Opt Out’.

Confidentiality

 The Trust is mindful of its duties under the Common Law Duty of Confidentiality (CLDC) in relation to health information. To comply with this, it is important that we make you aware of who your information is being shared with, and that you can say ‘no’:

• ‘The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent’^[5].
• ‘In practice, this means that all patient/client information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient/client’^[6].

Occasionally, we may need to disclose information about you to third parties without your permission, for example:

• There are particular circumstances which can set aside the CLDC. To do this, we need to apply for a ‘Section 251’ under the National Health Service Act 2006^[7]. Data protection requirements will still be met.^[8]
• We may be required to provide information to assist in the investigation of a serious crime.
• We may need to help protect your or another person’s vital interests (protect someone’s life).

Images and Audio

In most circumstances, it will be acceptable to disclose images to law enforcement agencies if failure to do so would be likely to prejudice the prevention and detection of crime.

We need information about you to support the provision of your healthcare; the information you provide to us helps us to understand any conditions that you may have. If you do not want to provide us with information, or do not want us to share it, then that is your choice, but please be aware that this could seriously affect the care we are able to provide. If you have concerns about telling us something or us sharing something about you (for example, if we want to refer you to another service), please talk to the healthcare professional in charge of your care, and hopefully we will be able to allay any concerns that you have.

The Trust will ensure that any international transfers of confidential patient information will only be undertaken in accordance with the GDPR and with countries that can ensure an adequate level of protection for the rights and freedoms of our patients. Where applicable your consent will be sought.

The length of time we keep your information depends on what sort of information it is. We use the guidance provided in the Records Management Code of Practice for Health and Social Care 2016 to support our actions in relation to records management, including retention periods. The Code is based on current legal requirements and professional best practice. We retain our records for at least the minimum stated required retention period.

Healthcare

Healthcare information is retained for a minimum period of 8 years following discharge or last attendance at the Trust.

Research

If you have chosen to take part in a research study, the retention period for the associated records will depend on the study and this will be explained as part of the joining process.

Images and Audio

Images and audio are retained for a minimum of 31 days, but may be retained for longer than the designated period if needed for an active investigation or legal proceeding.

We are only allowed to process your information if we have a legal basis^[9] to do so.

To provide you with healthcare, we process information such as your name, address, and date of birth; this is your ‘personal data’. To process your personal data, we must meet one of the criteria in Article 6 of the GDPR. The Trust is a public authority tasked with providing healthcare services in the public interest, and it is this role which gives the Trust its legal basis to process personal data under Article 6:

• 6(1)e – ‘Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’^[10]

Some information, such as health data, is described as ‘special category’^[11] data, and its processing is prohibited unless we are able to meet one of the additional criteria^[12] in Article 9 of the GDPR. This is a list of all the ‘special categories of personal data’:

• Racial or ethnic origin;
• Political opinions;
• Religious or philosophical beliefs;
• Trade union membership;
• Genetic data;
• Biometric data (for the purpose of uniquely identifying a natural person);
• Health; and,
• Sex life or sexual orientation.

The Trust meets this requirement because it’s our job to provide healthcare:

• 9(2)h – ‘Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.’^[13]

Depending on the activity there are other legal gateways which can be applied, for example:

• To support safeguarding children and vulnerable adults.
• Article 6(1)e & Article 9(2)b
• To protect an individual’s vital interests (protect someone’s life).
• Article 6(1)d & Article 9(2)c
• To support research.
• Article 6(1)e & Article 9(2)j
• To comply with a legal obligation.
• Article 6(1)c & Article 9(2)h
• Image recording (not for direct healthcare), e.g. CCTV, BWV, ANPR.
• Article 6(1)f
• There may be instances where we ask for your consent to process your information if another legal basis does not apply. If this is the case you can expect that your consent will be sought.
• Article 6(1)a & Article 9(2)a

National Data Opt-Out

Whenever you use a health or care service, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The national data opt-out allows you to choose whether or not your confidential patient information is used for purposes beyond your direct care for instance to help with:

• Improving the quality and standards of care provided.
• Research into the development of new treatments.
• Preventing illness and diseases.
• Monitoring safety.
• Planning services.

Confidential patient information is when two types of information from your health records are joined together such as:

• Something that can identify you;
• Something about your health care or treatment

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You can choose to opt-out and can also make a choice for someone else, like your children if they are under the age of 13. Your choice will only apply to the health and care system in England.

How do I opt-out?

If you decide to opt out, your choice is applied to your NHS number by NHS Digital. This is not something that we can do for you here at the Trust.

You can opt out by using an online form, post or telephone. All of the information that you need to opt-out can be found on the website, ‘Your NHS Data Matters’ .

On this web page you will:

• See what is meant by confidential patient information.
• Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care.
• Find out more about the benefits of sharing data.
• Understand more about who uses the data.
• Find out how your data is protected.
• Be able to access the system to view, set or change your opt-out setting.
• Find the contact telephone number if you want to know any more or to set/change your opt-out by phone.
• See the situations where the opt-out will not apply.

You can also find out more about how patient information is used at:

• https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
• https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

What is the Trust doing to uphold my choice?

The Trust has developed a process using the guidance offered by NHS Digital so that we can identify the circumstances in which your choice to opt-out must be upheld. This process has been written into a formal Trust Policy.

What if I do NOT want to opt-out?

If you’re happy with your confidential patient information being used for research and planning you do not need to do anything.

Please be assured that any choice you make will not impact your individual care provided to you by the Trust.

In general, GDPR provides the rights outlined below to individuals regarding their data, but how these apply in detail depends on:

• The legal basis for processing the information.
• The situation, known as ‘restrictions’. These are applied when it is seen as a necessary and proportionate measure in a democratic society to safeguard aspects such as, but not limited to:
  • National or public security;
  • Defence; and,
  • The prevention, investigation and detection of crime.

The rights are:

• To be informed – We need to tell you about how we use your information. A range of communication methods are used to do this, including:
  • The internet, e.g. this Privacy Notice;
  • Discussion with your health professional;
  • Posters;
  • Leaflets; and,
  • Inclusion in correspondence.
• To access your information – You can ask to view or have a copy of any information we hold about you.
• To rectification – We will amend any errors in the information we hold about you if it is agreed to be inaccurate or incomplete. Please be aware that sometimes we may hold information that you do not agree with, but it is not adjudged to be incorrect, e.g. a clinical opinion recorded by a health professional. In such instances, we may (by mutual agreement) add a statement from you to your record regarding your concern, but not change the information.
• To erasure – Also known as ‘the right to be forgotten’. This empowers individuals to have personal data about them erased where there is no overriding legal justification for its processing. As such, this is unlikely to apply to health records or staff records where there is strong legal justification for the records to be kept.
• To restriction – You have the right to request that we stop processing your personal data on a temporary basis, without deleting it. This is mostly likely to apply while a request for rectification, erasure, or objection is being considered.
• To portability – this enables individuals to obtain and reuse their personal data for their own purposes across different services i.e. copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. This right only applies where processing is based on consent or as part of a contract and is carried out by automated means.
• To object – This provides the right for you to object to us processing your data under certain circumstances. (Please also see the above section outlining the ‘Consequences of Failing to Provide Data’.)
• To not be subject to a decision based solely on automated processing, including profiling – Our Trust does not use automated processing in this way; decisions about your care and treatment are made by our health professionals.
• To be informed if a data breach occurs that is likely to result in a high risk to your rights and freedoms.

Exercising Your Rights

There are some umbrella provisions to describe what we do if you make a request to exercise your rights^[14]:

• We always check the identity of a person making a request before we act upon it. We need to establish that a request is genuine, either from you or your agreed representative.
• We aim to act upon requests as soon as possible and usually within one month. Occasionally we may need more time, for example, if a request is complex. This can extend the response time by up to a further two months. If we need more time we will contact you as soon as possible and within month one to explain the reasons for the delay.
• If you make your request by electronic means, we will aim to respond in the same way unless you request otherwise. Please be aware that this may not always be possible
• We may refuse a request, not provide everything you have requested or not do everything that you have asked of us. If this happens we will:
  • Tell you as soon as possible and within one month.
  • Outline our reasons for not taking the action you have requested.
  • Explain how you can make a complaint if you are unhappy with our decision. We would always ask that you come back to us in the first instance, either informally or via our Trust’s complaints procedure, to try to resolve the situation. We will also provide you with information about how to complain to our supervisory authority, the Information Commissioner’s Office (ICO).
• If we have disclosed your data to a third party (e.g. your GP) and we then rectify, restrict or erase your data^[15], (if applicable) we will:
  • Inform the third party of the decision, unless it is impossible or would involve a disproportionate effort to do so (in which case we would explain the reasons).
  • Tell you to whom we disclosed your data.
• We will normally undertake our duties regarding your rights without charging a fee but occasionally we may consider that it is appropriate to do so. If so, we will tell you as soon as possible, within one month, and before undertaking any related activity that has been requested.
• If you want to exercise any of the rights described or would like any additional information please contact the Data Access Team; please see the ‘Contact Us’ section below.