Privacy Notice for Our Service Users


Privacy Notice – COVID 19

Blackpool Teaching Hospitals is committed to protecting your personal information. In the fight against this global pandemic we are currently working with all of our partners in Health and Social Care to ensure information is shared with the right people at the right time to ensure you receive the best possible care.

Data Protection rules will not hinder the sharing of personal information during these unprecedented times and we will continue to process information in accordance with national law and GDPR.

The processing of personal information is necessary for reasons of planning and providing health and social care to our patients and it is of substantial public interest in relation to public health and specifically to support the control of an epidemic. For more detailed information regarding the lawful basis to undertake these activities please see the links below:

WHO WE ARE:

Blackpool Teaching Hospitals NHS Foundation Trust (the Trust) provides a range of health-related services across a regional health economy catchment area that spans Lancashire and South Cumbria. To do this, the Trust needs to collect and use personal information about you; this makes the Trust a ‘Data Controller’.

As a Data Controller, the Trust is committed to providing you with clear and accessible information about our obligations, including how and why we process your information, and your rights in relation to this. These rights apply to living individuals who are identifiable from the data, often referred to as data subjects.

WHAT’S HAPPENING:

Developments in technology have changed how information about individuals, including our patients and staff (‘data subjects’[1]), is used. As such, the Data Protection Act 1998 had become outdated and no longer reflected these technological developments or the needs of data subjects.

The Data Protection Act 2018[2] (DPA) came into effect on 25th May 2018 and has replaced the Data Protection Act 1998. It sits alongside the General Data Protection Regulation (GDPR) and tailors how the GDPR applies in the UK, for example providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers.

Following the UK’s departure from the EU, GDPR as a European Regulation will continue to apply in UK law until the end of the transition period. After this period has ended, GDPR will form part of UK law under the European Union (Withdrawal) Act 2018[3] with some technical changes to make it work effectively in a UK context.

The GDPR governs how we look after personal data and gives more control to individuals on how organisations process their information.

View the Child Friendly version of the Privacy Notice


WHAT WE COLLECT, WHY AND HOW IT’S USED: 

We collect and hold personal information about you when you use or come into contact with our services. This information may be held electronically (in our computer systems) and/or in paper form, depending on the service(s) you have accessed.

Healthcare

To support the provision of your healthcare, we collect:

  • Basic details about you, such as your name, address, date of birth, next of kin and GP.
  • Additional contact information such as telephone number (home and/or mobile) and email address – where you have provided it to enable us to communicate with you by email and text.
  • A record of dates when we’ve had contact with you. For example, attendances at an outpatient clinic, a visit to the A&E department, or a stay in hospital.
  • Clinical notes made by our doctors and other healthcare professionals during these contacts detailing presenting symptoms, allergies, medication, diagnosis and treatment, along with any chronic (long-lasting) health conditions, such as diabetes or asthma.
  • Results of investigations that may have been undertaken, like blood tests, x-rays and scans.
  • Information from other health professionals that have been involved in your care or that have asked us to be involved in your care, for example, your GP.
  • Lifestyle information that may be clinically relevant, such as whether or not you smoke.
  • Your ethnicity, as this can be linked to certain medical conditions.
  • Your religious beliefs, as this may affect how you wish to be treated in certain circumstances.
  • There may also be information from other people involved in your care, such as a relative or someone who helps to care for you.
  • Personal data about other people who are involved in, or may have an impact on your health and social care, for example relatives, friends, people you live with, people who attend hospital with you and people who visit you in hospital.

This information is used as follows:

In the first instance, the doctors and other healthcare professionals create and keep a detailed record of your clinical care to provide a continuous record about your past and current health, because this helps to guide and manage the care you receive.

We aim to provide you with high-quality, safe care. We may also use the information we collect and hold about you to help us to run and improve the services we provide, along with those of the wider NHS. For example, to help us to:

  • Provide you with the best possible care.
  • Inform decisions that we make about your care.
  • Ensure that your treatment is safe and effective.
  • Work effectively with others who may be involved in your care, e.g. your GP.
  • Review the care we have given to our patients, helping us to ensure that it is of the highest possible standard.
  • Report on how effective our services are/have been.
  • Investigate complaints, legal claims and untoward incidents.
  • Look after the health of the general public.
  • Plan services to meet patient needs in the future.
  • Support clinical audit, which helps us to monitor and improve patient care and outcomes via systematic review of care against explicit criteria. Where indicated, changes are implemented and further monitoring is used to confirm that we have improved our healthcare delivery.
  • Ensure that the funds allocated to our Trust are used properly and provide value for money.
  • Educate and train healthcare professionals.
  • Undertake research (the local Research Ethics Committee will be asked to review research requests).
  • Prepare statistics on our performance.

You can find out more about our individual services on our website. Many of our services also provide leaflets to explain more about the care and treatment they provide.

SMS Texting and Call Recording

When you attend the Trust for an appointment or procedure you may be asked to confirm that we are holding a correct contact number (home and/or mobile) for you. Where provided to us, this may be used to send you, via text messages and/or automated calls, reminders of upcoming appointments and on occasion to provide you with the option to confirm or cancel your attendance.

By providing these details to us, we can assist the delivery of care to our patients by ensuring best use of the time available for appointments and procedures at the Trust.

When you contact the Trust by telephone, calls are routinely recorded for the following purposes:

  • To prevent crime, misuse and to protect staff.
  • To ensure that our staff are complying with Trust policies and procedures.
  • To ensure quality control.
  • For training, monitoring and service improvement.

Research

The Trust is a centre of clinical and research excellence providing quality, up-to-date care. We are actively involved in undertaking research to help improve the care and treatment of our patients. We believe that research matters and saves lives – today’s research is tomorrow’s care.

A member of your healthcare team may review your patient record and discuss current clinical trials and research studies with you. If this happens, the study will be explained to you in detail and you will be given a patient information sheet. You will have the chance to ask questions and speak with family and friends about taking part, and will be given time to make your decision. If you agree to take part in a study, you will be asked to sign a consent form and will be given a copy to keep. Personal data (data that can identify you) may be shared (dependent on the study, and if so, you will be informed) with external research organisations, such as other NHS organisations, universities, charities and commercial companies exclusively for scientific research purposes.

Images and Audio

The Trust uses surveillance equipment in the form of Closed Circuit Television (CCTV), Body Worn Video (BWV) and Automatic Number Plate Recognition (ANPR) across the Trust footprint. The images (and audio from BWV) are used to help:

  • Increase personal safety and reduce the fear of crime.
  • Support the Police and the LSMS (designated NHS Local Security Management Specialist) in a bid to deter, detect and prevent crime.
  • Assist in identifying, apprehending and prosecuting offenders.
  • Protect the Trust buildings and other assets.
  • Protect members of the public, patients, staff and private property.
  • Assist in traffic management.
  • Assist in the management of health and safety.
  • Assist in the investigation of civil claims.
  • Assist in disciplinary investigations.
  • Monitor patient safety during clinical procedures.

Please note BWV is worn and used only by the Hospital Safety Team Officers (HSTO) who have been trained in its use and application. The equipment will only be activated if the HSTO believes that an incident is occurring or is about to occur. In addition to the above, BWV also aims to:

  • Support a reduction in the number of incidents of violence and aggression.
  • Support an increase in the number of prosecutions for violence and/or disorder.
  • Mitigate any malicious complaints against security staff.

ANPR is used in some of our car parks to facilitate staff access but will, by its nature, capture all number plates as vehicles enter and leave premises.

SHARING YOUR INFORMATION:

 

Direct Care Purposes

We share information with a number of organisations[4], and these same organisations may share information with us; for example, when your GP refers you to one of our healthcare professionals for care or treatment.

Everyone working within the NHS has a legal duty to keep information about you secure and confidential. Similarly, anyone who receives information from us has a legal duty to keep it secure and confidential. This is included in our staff contracts of employment. If you have any questions about who your information is being shared with, please do not hesitate to ask the health professional in charge of your care.

We share information with partner organisations so that you may receive the best possible care, such as:

  • General Practitioners – Your GP.
  • Other NHS Trusts – Hospitals that are involved in your care.
  • Ambulance Services.

You may be receiving care from other service providers as well as the NHS; for example, social care services. We may need to share some information about you with them so we can all work together for your benefit. We will do this when they have a genuine need for it as part of your care, or we have your permission. Therefore, we may also share your information with:

  • Social Care Services.
  • Education Services.
  • Local Authorities; and,
  • Voluntary and private sector providers working with the NHS.

Indirect Care Purposes

There are strict regulations around how your information may be used for purposes other than your direct health care. As a Trust we may also use information we hold about you to:

  • Review the care we provide to ensure we are delivering care to the highest quality.
  • Ensure our services can meet patient needs in the future.
  • Investigate patient queries, complaints and legal claims.
  • Ensure the hospital receives payment for the care you receive.
  • Prepare statistics regarding our NHS performance.
  • Help train and educate healthcare professionals.

For these purposes we must be able to allocate a basis in law for the processing, otherwise it must not take place. Please see the sections on ‘Lawful Processing’ and ‘National Data Opt Out’.

Confidentiality

The Trust is mindful of its duties under the Common Law Duty of Confidentiality (CLDC) in relation to health information. To comply with this, it is important that we make you aware of who your information is being shared with, and that you can say ‘no’:

  • ‘The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent’[5].
  • ‘In practice, this means that all patient/client information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient/client’[6].

Occasionally, we may need to disclose information about you to third parties without your permission, for example:

  • There are particular circumstances which can set aside the CLDC. To do this, we need to apply for a ‘Section 251’ under the National Health Service Act 2006[7]. Data protection requirements will still be met.[8]
  • We may be required to provide information to assist in the investigation of a serious crime.
  • We may need to help protect your or another person’s vital interests (protect someone’s life).

Images and Audio

In most circumstances, it will be acceptable to disclose images to law enforcement agencies if failure to do so would be likely to prejudice the prevention and detection of crime.

CONSEQUENCES OF FAILING TO PROVIDE DATA: 

We need information about you to support the provision of your healthcare; the information you provide to us helps us to understand any conditions that you may have. If you do not want to provide us with information, or do not want us to share it, then that is your choice, but please be aware that this could seriously affect the care we are able to provide. If you have concerns about telling us something or us sharing something about you (for example, if we want to refer you to another service), please talk to the healthcare professional in charge of your care, and hopefully we will be able to allay any concerns that you have.

INTERNATIONAL TRANSFERS:

The Trust will ensure that any international transfers of confidential patient information will only be undertaken in accordance with the GDPR and with countries that can ensure an adequate level of protection for the rights and freedoms of our patients. Where applicable your consent will be sought.

HOW LONG DO WE KEEP YOUR INFORMATION?

 

The length of time we keep your information depends on what sort of information it is. We use the guidance provided in the Records Management Code of Practice for Health and Social Care 2016 to support our actions in relation to records management, including retention periods. The Code is based on current legal requirements and professional best practice. We retain our records for at least the minimum stated required retention period.

Healthcare

Healthcare information is retained for a minimum period of 8 years following discharge or last attendance at the Trust.

Research

If you have chosen to take part in a research study, the retention period for the associated records will depend on the study and this will be explained as part of the joining process.

Images and Audio

Images and audio are retained for a minimum of 31 days, but may be retained for longer than the designated period if needed for an active investigation or legal proceeding.

LAWFUL PROCESSING: 

We are only allowed to process your information if we have a legal basis[9] to do so.

To provide you with healthcare, we process information such as your name, address, and date of birth; this is your ‘personal data’. To process your personal data, we must meet one of the criteria in Article 6 of the GDPR. The Trust is a public authority tasked with providing healthcare services in the public interest, and it is this role which gives the Trust its legal basis to process personal data under Article 6:

  • 6(1)e – ‘Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’[10]

Some information, such as health data, is described as ‘special category’[11] data, and its processing is prohibited unless we are able to meet one of the additional criteria[12] in Article 9 of the GDPR. This is a list of all the ‘special categories of personal data’:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Genetic data;
  • Biometric data (for the purpose of uniquely identifying a natural person);
  • Health; and,
  • Sex life or sexual orientation.

The Trust meets this requirement because it’s our job to provide healthcare:

  • 9(2)h – ‘Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.’[13]

Depending on the activity there are other legal gateways which can be applied, for example:

  • To support safeguarding children and vulnerable adults.
    • Article 6(1)e & Article 9(2)b
  • To protect an individual’s vital interests (protect someone’s life).
    • Article 6(1)d & Article 9(2)c
  • To support research.
    • Article 6(1)e & Article 9(2)j
  • To comply with a legal obligation.
    • Article 6(1)c & Article 9(2)h
  • Image recording (not for direct healthcare), e.g. CCTV, BWV, ANPR.
    • Article 6(1)f
  • There may be instances where we ask for your consent to process your information if another legal basis does not apply. If this is the case you can expect that your consent will be sought.
    • Article 6(1)a & Article 9(2)a

National Data Opt-Out

Whenever you use a health or care service, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The national data opt-out allows you to choose whether or not your confidential patient information is used for purposes beyond your direct care, for instance to help with:

  • Improving the quality and standards of care provided.
  • Research into the development of new treatments.
  • Preventing illness and diseases.
  • Monitoring safety.
  • Planning services.

Confidential patient information is when two types of information from your health records are joined together such as:

  • Something that can identify you; and,
  • Something about your health care or treatment.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You can choose to opt-out and can also make a choice for someone else, like your children if they are under the age of 13. Your choice will only apply to the health and care system in England.

How do I opt-out?

If you decide to opt out, your choice is applied to your NHS number by NHS Digital. This is not something that we can do for you here at the Trust.

You can opt out by using an online form, post or telephone. All of the information that you need to opt out can be found on the website, ‘Your NHS Data Matters’.

On this web page you will:

  • See what is meant by confidential patient information.
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care.
  • Find out more about the benefits of sharing data.
  • Understand more about who uses the data.
  • Find out how your data is protected.
  • Be able to access the system to view, set or change your opt-out setting.
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone.
  • See the situations where the opt-out will not apply.

You can also find out more about how patient information is used at:

You can change your mind about your choice at any time.

What is the Trust doing to uphold my choice?

The Trust has developed a process using the guidance offered by NHS Digital so that we can identify the circumstances in which your choice to opt-out must be upheld. This process has been written into a formal Trust Policy.

What if I do not want to opt-out?

If you’re happy with your confidential patient information being used for research and planning you do not need to do anything.

Please be assured that any choice you make will not impact your individual care provided to you by the Trust.

YOUR INFORMATION RIGHTS:

 

In general, GDPR provides the rights outlined below to individuals regarding their data, but how these apply in detail depends on:

  • The legal basis for processing the information.
  • The situation, known as ‘restrictions’. These are applied when it is seen as a necessary and proportionate measure in a democratic society to safeguard aspects such as, but not limited to:
    • National or public security;
    • Defence; and,
    • The prevention, investigation and detection of crime.

The rights are:

  • To be informed – We need to tell you about how we use your information. A range of communication methods are used to do this, including:
    • The internet, e.g. this Privacy Notice;
    • Discussion with your health professional;
    • Posters;
    • Leaflets; and,
    • Inclusion in correspondence.
  • To access your information – You can ask to view or have a copy of any information we hold about you.
  • To rectification – We will amend any errors in the information we hold about you if it is agreed to be inaccurate or incomplete. Please be aware that sometimes we may hold information that you do not agree with, but it is not adjudged to be incorrect, e.g. a clinical opinion recorded by a health professional. In such instances, we may (by mutual agreement) add a statement from you to your record regarding your concern, but not change the information.
  • To erasure – Also known as ‘the right to be forgotten’. This empowers individuals to have personal data about them erased where there is no overriding legal justification for its processing. As such, this is unlikely to apply to health records or staff records where there is strong legal justification for the records to be kept.
  • To restriction – You have the right to request that we stop processing your personal data on a temporary basis, without deleting it. This is most likely to apply while a request for rectification, erasure, or objection is being considered.
  • To portability – This enables individuals to obtain and reuse their personal data for their own purposes across different services, i.e. copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. This right only applies where processing is based on consent or as part of a contract and is carried out by automated means.
  • To object – This provides the right for you to object to us processing your data under certain circumstances. (Please also see the above section outlining the ‘Consequences of Failing to Provide Data’.)
  • To not be subject to a decision based solely on automated processing, including profiling – Our Trust does not use automated processing in this way; decisions about your care and treatment are made by our health professionals.
  • To be informed if a data breach occurs that is likely to result in a high risk to your rights and freedoms.

Exercising Your Rights

There are some umbrella provisions to describe what we do if you make a request to exercise your rights[14]:

  • We always check the identity of a person making a request before we act upon it. We need to establish that a request is genuine, either from you or your agreed representative.
  • We aim to act upon requests as soon as possible and usually within one month. Occasionally we may need more time, for example, if a request is complex. This can extend the response time by up to a further two months. If we need more time we will contact you as soon as possible and within month one to explain the reasons for the delay.
  • If you make your request by electronic means, we will aim to respond in the same way unless you request otherwise. Please be aware that this may not always be possible.
  • We may refuse a request, not provide everything you have requested or not do everything that you have asked of us. If this happens we will:
    • Tell you as soon as possible and within one month.
    • Outline our reasons for not taking the action you have requested.
    • Explain how you can make a complaint if you are unhappy with our decision. We would always ask that you come back to us in the first instance, either informally or via our Trust’s complaints procedure, to try to resolve the situation. We will also provide you with information about how to complain to our supervisory authority, the Information Commissioner’s Office (ICO).
  • If we have disclosed your data to a third party (e.g. your GP) and we then rectify, restrict or erase your data[15], (if applicable) we will:
    • Inform the third party of the decision, unless it is impossible or would involve a disproportionate effort to do so (in which case we would explain the reasons).
    • Tell you to whom we disclosed your data.
  • We will normally undertake our duties regarding your rights without charging a fee but occasionally we may consider that it is appropriate to do so. If so, we will tell you as soon as possible, within one month, and before undertaking any related activity that has been requested.
  • If you want to exercise any of the rights described or would like any additional information please contact the Data Access Team; please see the ‘Contact Us’ section below.

CONTACT US

Your information and your rights are important to us, and our Data Access Team are here to help. If you wish to exercise any of your GDPR rights or would like further information, please contact the Data Access Team.

By post:
The Data Access Team
Blackpool Teaching Hospitals NHS Foundation Trust
c/o Home 15
Blackpool Victoria Hospital
Whinney Heys Road
Blackpool
Lancashire
FY3 8NR

By email:
bfwh.data.access@nhs.net

By telephone:
(01253) 953056

Our Trust has appointed a Data Protection Officer (DPO)[16]. They are tasked with monitoring how the Trust protects and uses your information. The contact details for the DPO can be found below. 

By post:
The Data Protection Officer
Blackpool Teaching Hospitals NHS Foundation Trust
c/o Home 15
Blackpool Victoria Hospital
Whinney Heys Road
Blackpool
Lancashire
FY3 8NR

By email:
bfwh.dataprotection.officer@nhs.net

By telephone:
(01253) 953057

REFERENCES:

Unless otherwise stated, all references relate to GDPR: EU, General Data Protection Regulation, https://gdpr-info.eu/

[1] Article 4(1)

[2] Crown, Data Protection Act (2018), https://www.legislation.gov.uk/ukpga/2018/12/contents

[3] Crown, European Union (Withdrawal) Act (2018), http://www.legislation.gov.uk/ukpga/2018/16/contents/enacted

[4] Trust High Level Data Flow Map https://www.bfwh.nhs.uk/our-services/hospital-services/information-governance/information-sharing-partners/

[5] Department of Health (NI), The Common Law Duty of Confidentiality, https://www.health-ni.gov.uk/articles/common-law-duty-confidentiality 

[6] As above

[7] Crown, National Health Service Act (2006), https://www.legislation.gov.uk/ukpga/2006/41/contents

[8] NHS Health Research Authority, Why is Confidential Patient Information Used? https://www.hra.nhs.uk/about-us/committees-and-services/confidentiality-advisory-group/why-confidential-patient-information-used/

[9] Article 5

[10] Article 6(1)e

[11] Article 9(1)

[12] Article 9(2)

[13] Article 9(2)(h)

[14] For the entirety of ‘Exercising Your Rights’: Articles 12(1) to 12(8), Recitals 59 and 64

[15] Articles 16 to 19

[16] Articles 37 to 39, Recital 97