Privacy Notice for Our Service Users

WHO WE ARE:

Blackpool Teaching Hospitals NHS Foundation Trust (the Trust) provides a range of health-related services across a regional health economy catchment area that spans Lancashire and South Cumbria. To do this, the Trust needs to collect and use personal information about you; this makes the Trust a ‘Data Controller’.

As a Data Controller, the Trust is committed to providing you with clear and accessible information about our obligations, including how and why we process your information, and your rights in relation to this. These rights apply to living individuals who are identifiable from the data, often referred to as data subjects.

WHAT’S HAPPENING:

The legislation that governs how we look after personal data has recently changed.

The Data Protection Act 1998[1] (DPA) came into force around 20 years ago, and until recently it governed how the personal data[2] that we process[3] is managed; this means activities such as collection, recording, organisation, storage, adaptation, alteration, retrieval, use, consultation, transmission, sharing and erasure. This was the case up until 25th May 2018.

Developments in technology have changed how information about individuals, including our patients and staff (‘data subjects’[4]), is used. As such, the DPA had become outdated and no longer reflected these technological developments or the needs of data subjects. On 25th May 2018, the General Data Protection Regulation[5] (GDPR) replaced the DPA, aiming to standardise the data protection requirements placed upon organisations operating within the European Union (EU) and organisations providing services to EU citizens.

The Data Protection Bill (DPB) will work alongside the GDPR, and will ensure that the terms of GDPR are adopted in the UK after Brexit. It is understood that the DPB will become the UK’s new data protection legislation and will most likely be known as the Data Protection Act 2018 (DPA18) after the UK leaves the EU.

WHAT WE COLLECT, WHY AND HOW IT’S USED: 

We collect and hold personal information about you when you use or come into contact with our services. This information may be held electronically (in our computer systems) and/or in paper form, depending on the service(s) you have accessed.

Healthcare

To support the provision of your healthcare, we collect:

  • Basic details about you, such as your name, address, date of birth, next of kin and GP.
  • A record of dates when we’ve had contact with you. For example, attendances at an outpatient clinic, a visit to the A&E department, or a stay in hospital.
  • Clinical notes made by our doctors and other healthcare professionals during these contacts detailing presenting symptoms, allergies, medication, diagnosis and treatment, along with any chronic (long-lasting) health conditions, such as diabetes or asthma.
  • Results of investigations that may have been undertaken, like blood tests, x-rays and scans.
  • Information from other health professionals that have been involved in your care or that have asked us to be involved in your care, for example, your GP.
  • Lifestyle information that may be clinically relevant, such as whether or not you smoke.
  • Your ethnicity, as this can be linked to certain medical conditions.
  • Your religious beliefs, as this may affect how you wish to be treated in certain circumstances.
  • There may also be information from other people involved in your care, such as a relative or someone who helps to care for you.

How this information is used:

In the first instance, the doctors and other healthcare professionals create and keep a detailed record of your clinical care to provide a continuous record about your past and current health, because this helps to guide and manage the care you receive.

We aim to provide you with high-quality, safe care. We may also use the information we collect and hold about you to help us to run and improve the services we provide, along with those of the wider NHS. For example, to help us to:

  • Provide you with the best possible care.
  • Inform decisions that we make about your care.
  • Ensure that your treatment is safe and effective.
  • Work effectively with others who may be involved in your care, e.g. your GP.
  • Review the care we have given to our patients, helping us to ensure that it is of the highest possible standard.
  • Report on how effective our services are/have been.
  • Investigate complaints, legal claims and untoward incidents.
  • Look after the health of the general public.
  • Plan services to meet patient needs in the future.
  • Support clinical audit, which helps us to monitor and improve patient care and outcomes via systematic review of care against explicit criteria. Where indicated, changes are implemented and further monitoring is used to confirm that we have improved our healthcare delivery.
  • Ensure that the funds allocated to our Trust are used properly and provide value for money.
  • Educate and train healthcare professionals.
  • Undertake research (the local Research Ethics Committee will be asked to review research requests).
  • Prepare statistics on our performance.

You can find out more about our individual services on our website. Many of our services also provide leaflets to explain more about the care and treatment they provide.

Research

The Trust is a centre of clinical and research excellence providing quality, up-to-date care. We are actively involved in undertaking research to help improve the care and treatment of our patients. We believe that research matters and saves lives – today’s research is tomorrow’s care.

A member of your healthcare team may review your patient record and discuss current clinical trials and research studies with you. If this happens, the study will be explained to you in detail and you will be given a patient information sheet. You will have the chance to ask questions and speak with family and friends about taking part, and will be given time to make your decision. If you agree to take part in a study, you will be asked to sign a consent form and will be given a copy to keep. Personal data (data that can identify you) may be shared (dependent on the study, and if so, you will be informed) with external research organisations, such as other NHS organisations, universities, charities and commercial companies exclusively for scientific research purposes.

Images and Audio

The Trust uses surveillance equipment in the form of Closed Circuit Television (CCTV), Body Worn Video (BWV) and Automatic Number Plate Recognition (ANPR) across the Trust footprint. The images (and audio from BWV) are used to help:

  • Increase personal safety and reduce the fear of crime.
  • Support the Police and the LSMS (designated NHS Local Security Management Specialist) in a bid to deter, detect and prevent crime.
  • Assist in identifying, apprehending and prosecuting offenders.
  • Protect the Trust buildings and other assets.
  • Protect members of the public, patients, staff and private property.
  • Assist in traffic management.
  • Assist in the management of health and safety.
  • Assist in the investigation of civil claims.
  • Assist in disciplinary investigations.
  • Monitor patient safety during clinical procedures.

Please note BWV is worn and used only by the Hospital Safety Team Officers (HSTO) who have been trained in its use and application. The equipment will only be activated if the HSTO believes that an incident is occurring or is about to occur. In addition to the above, BWV also aims to:

  • Support a reduction in the number of incidents of violence and aggression.
  • Support an increase in the number of prosecutions for violence and/or disorder.
  • Mitigate any malicious complaints against security staff.

ANPR is used in some of our car parks to facilitate staff access but will, by its nature, capture all number plates as vehicles enter and leave premises.

SHARING YOUR INFORMATION:

We share information with a number of organisations, and these same organisations may share information with us; for example, when your GP refers you to one of our healthcare professionals for care or treatment.

Healthcare

Everyone working within the NHS has a legal duty to keep information about you secure and confidential. Similarly, anyone who receives information from us has a legal duty to keep it secure and confidential. This is included in our staff contracts of employment. If you have any questions about who your information is being shared with, please do not hesitate to ask the health professional in charge of your care.

We share information with partner organisations such as:

  • General Practitioners – Your GP.
  • Other NHS Trusts – Hospitals that are involved in your care.

You may be receiving care from other service providers as well as the NHS; for example, social care services. We may need to share some information about you with them so we can all work together for your benefit. We will do this when they have a genuine need for it as part of your care, or we have your permission. Therefore, we may also share your information with:

  • Social Care Services;
  • Education Services;
  • Local Authorities; and,
  • Voluntary and private sector providers working with the NHS.

Confidentiality

The Trust is mindful of its duties under the Common Law Duty of Confidentiality (CLDC) in relation to health information. To comply with this, it is important that we make you aware of who your information is being shared with, and that you can say ‘no’:

  • ‘The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent’.[6]
  • ‘In practice, this means that all patient/client information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient/client’.[7]

Occasionally, we may need to disclose information about you to third parties without your permission, for example:

  • There are particular circumstances which can set aside the CLDC. To do this, we need to apply for a ‘Section 251’ under the National Health Service Act 2006[8]. Data protection requirements will still be met.[9]
  • We may be required to provide information to assist in the investigation of a serious crime.
  • We may need to help protect your or another person’s vital interests (protect someone’s life).

Images and Audio

In most circumstances, it will be acceptable to disclose images to law enforcement agencies if failure to do so would be likely to prejudice the prevention and detection of crime.

CONSEQUENCES OF FAILING TO PROVIDE DATA: 

We need information about you to support the provision of your healthcare; the information you provide to us helps us to understand any conditions that you may have. If you do not want to provide us with information, or do not want us to share it, then that is your choice, but please be aware that this could seriously affect the care we are able to provide. If you have concerns about telling us something or us sharing something about you (for example, if we want to refer you to another service), please talk to the healthcare professional in charge of your care, and hopefully we will be able to allay any concerns that you have.

INTERNATIONAL TRANSFERS:

Any international transfers of patient information will be undertaken in accordance with GDPR requirements, and your consent will be sought where applicable.

HOW LONG DO WE KEEP YOUR INFORMATION?

The length of time we keep your information depends on what sort of information it is. We use the guidance provided in the Records Management Code of Practice for Health and Social Care 2016 to support our actions in relation to records management, including retention periods. The Code is based on current legal requirements and professional best practice. We retain our records for at least the minimum stated required retention period.

Healthcare

Healthcare information is retained for a minimum period of 8 years following discharge or last attendance at the Trust.

Research

If you have chosen to take part in a research study, the retention period for the associated records will depend on the study and this will be explained as part of the joining process.

Images and Audio

Images and audio are retained for a minimum of 31 days, but may be retained for longer than the designated period if needed for an active investigation or legal proceeding.

LAWFUL PROCESSING: 

We are only allowed to process your information if we have a legal basis[10] to do so.

To provide you with healthcare, we process information such as your name, address, and date of birth. To process your personal data, we must meet one of the criteria in Article 6 of the GDPR. The Trust is a public authority tasked with providing healthcare services in the public interest, and it is this role which gives the Trust its legal basis to process personal data under Article 6:

  • ‘(P)rocessing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’[11]

Some information, such as health data, is described as ‘special category’[12] data, and its processing is prohibited unless we are able to meet one of the additional criteria[13] in Article 9 of the GDPR. This is a list of all the ‘special categories of personal data’:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Genetic data;
  • Biometric data (for the purpose of uniquely identifying a natural person);
  • Health; and,
  • Sex life or sexual orientation.

The Trust meets this requirement because it’s our job to provide healthcare:

  • ‘(P)rocessing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.’[14]

Depending on the activity there are other legal gateways which can be applied, for example:

  • To support safeguarding children and vulnerable adults.
    • Article 6(1)(e) & Article 9(2)(b)
  • To protect an individual’s vital interests (protect someone’s life).
    • Article 6(1)(d) & Article 9(2)(c)
  • To support research.
    • Article 6(1)(e) & Article 9(2)(j)
  • To comply with a legal obligation.
    • Article 6(1)(c) & Article 9(2)(h)
  • Image recording (not for direct healthcare), e.g. CCTV, BWV, ANPR.
    • Article 6(1)(f)
  • There may be instances where we ask for your consent to process your information if another legal basis does not apply. If this is the case you can expect that your consent will be sought.
    • Article 6(1)(a) & Article 9(2)(a)

YOUR INFORMATION RIGHTS:

In general, GDPR provides the rights outlined below to individuals regarding their data, but how these apply in detail depends on:

  • The legal basis for processing the information.
  • The situation, known as ‘restrictions’. These are applied when it is seen as a necessary and proportionate measure in a democratic society to safeguard aspects such as, but not limited to:
    • National or public security;
    • Defence; and,
    • The prevention, investigation and detection of crime.

The rights are:

  • To be informed – We need to tell you about how we use your information. A range of communication methods are used to do this, including:
    • The internet, e.g. this Privacy Notice;
    • Discussion with your health professional;
    • Posters;
    • Leaflets; and,
    • Inclusion in correspondence.
  • To access your information – You can ask to view or have a copy of any information we hold about you.
  • To rectification – We will amend any errors in the information we hold about you if it is agreed to be inaccurate or incomplete. Please be aware that sometimes we may hold information that you do not agree with, but it is not adjudged to be incorrect, e.g. a clinical opinion recorded by a health professional. In such instances, we may (by mutual agreement) add a statement from you to your record regarding your concern, but not change the information.
  • To erasure – Also known as ‘the right to be forgotten’. This empowers individuals to have personal data about them erased where there is no overriding legal justification for its processing. As such, this is unlikely to apply to health records or staff records where there is strong legal justification for the records to be kept.
  • To restriction – You have the right to request that we stop processing your personal data on a temporary basis, without deleting it. This is most likely to apply while a request for rectification, erasure, or objection is being considered.
  • To portability – This enables individuals to obtain and reuse their personal data for their own purposes across different services, i.e. copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. This right only applies where processing is based on consent or as part of a contract and is carried out by automated means.
  • To object – This provides the right for you to object to us processing your data under certain circumstances. (Please also see the above section outlining the ‘Consequences of Failing to Provide Data’.)
  • To not be subject to a decision based solely on automated processing, including profiling – Our Trust does not use automated processing in this way; decisions about your care and treatment are made by our health professionals.
  • To be informed if a data breach occurs that is likely to result in a high risk to your rights and freedoms.

Exercising Your Rights

There are some umbrella provisions to describe what we do if you make a request to exercise your rights[15]:

  • We always check the identity of a person making a request before we act upon it. We need to establish that a request is genuine, either from you or your agreed representative.
  • We aim to act upon requests as soon as possible and usually within one month. Occasionally we may need more time, for example, if a request is complex. This can extend the response time by up to a further two months. If we need more time we will contact you as soon as possible and within the first month to explain the reasons for the delay.
  • If you make your request by electronic means, we will aim to respond in the same way unless you request otherwise. Please be aware that this may not always be possible.
  • We may refuse a request, not provide everything you have requested or not do everything that you have asked of us. If this happens we will:
    • Tell you as soon as possible and within one month.
    • Outline our reasons for not taking the action you have requested.
    • Explain how you can make a complaint if you are unhappy with our decision. We would always ask that you come back to us in the first instance, either informally or via our Trust’s complaints procedure, to try to resolve the situation. We will also provide you with information about how to complain to our supervisory authority, the Information Commissioner’s Office (ICO).
  • If we have disclosed your data to a third party (e.g. your GP) and we then rectify, restrict or erase your data[16], we will (if applicable):
    • Inform the third party of the decision, unless it is impossible or would involve a disproportionate effort to do so (in which case we would explain the reasons).
    • Tell you to whom we disclosed your data.
  • We will normally undertake our duties regarding your rights without charging a fee but occasionally we may consider that it is appropriate to do so. If so, we will tell you as soon as possible, within one month, and before undertaking any related activity that has been requested.
  • If you want to exercise any of the rights described or would like any additional information please contact the Data Access Team; please see the ‘Contact Us’ section below.

CONTACT US

Your information and your rights are important to us, and our Data Access Team are here to help. If you wish to exercise any of your GDPR rights or would like further information, please contact the Data Access Team.

By post:
The Data Access Team
Blackpool Teaching Hospitals NHS Foundation Trust
c/o Home 15
Blackpool Victoria Hospital
Whinney Heys Road
Blackpool
Lancashire
FY3 8NR

By telephone: (01253) 953056
By email: bfwh.data.access@nhs.net

Our Trust has appointed a Data Protection Officer[17]. They are tasked with monitoring how the Trust protects and uses your information. The contact details for the DPO can be found below.

By post:
The Data Protection Officer
Blackpool Teaching Hospitals NHS Foundation Trust
c/o Home 15
Blackpool Victoria Hospital
Whinney Heys Road
Blackpool
Lancashire
FY3 8NR

By telephone: (01253) 953057
By email: bfwh.dataprotection.officer@nhs.net

REFERENCES:

Unless otherwise stated, all references relate to GDPR:

EU, General Data Protection Regulation, https://gdpr-info.eu/

[1] Crown, Data Protection Act (1998), https://www.legislation.gov.uk/ukpga/1998/29/contents

[2] Article 4(1)

[3] Article 4(2)

[4] Article 4(1)

[5] EU, General Data Protection Regulation, https://gdpr-info.eu/

[6] Department of Health (NI), The Common Law Duty of Confidentiality, https://www.health-ni.gov.uk/articles/common-law-duty-confidentiality

[7] As [6].

[8] Crown, National Health Service Act (2006), https://www.legislation.gov.uk/ukpga/2006/41/contents

[9] NHS Health Research Authority, Why is Confidential Patient Information Used? https://www.hra.nhs.uk/about-us/committees-and-services/confidentiality-advisory-group/why-confidential-patient-information-used/

[10] Articles 6 and 9

[11] Article 6(1)(e)

[12] Article 9(1)

[13] Article 9(2)

[14] Article 9(2)(h)

[15] For the entirety of ‘Exercising Your Rights’: Articles 12(1) to 12(8), Recitals 59 and 64

[16] Articles 16 to 19

[17] Articles 37 to 39, Recital 97