This document sets out the way we collect, use, store and share your information and the legal reasons supporting this. The European Union General Data Protection Regulation (GDPR) replaced the Data Protection Act on 25 May 2018 and there is a new UK Data Protection Bill which mirrors GDPR. This notice tells you about our obligations and your rights under the new legislation.
Confidentiality affects everyone: We collect, store and use large amounts of personal data every day, such as medical or personal records, which may be paper-based or held on a computer. We take our duty to protect your personal information and confidentiality very seriously and work hard to ensure it is held securely and only accessed on a need-to-know basis.
What kind of information does the Trust hold about you?
We hold the following information about you:
- Name, address, date of birth, next of kin, GP practice
- Telephone, mobile phone, email address
- Contacts we have had with you such as appointments or clinic visits
- Details of diagnosis and treatment
- Results of x-rays, scans and laboratory tests
- Allergies and health conditions
- Information from people who care for you and know you well such as health or social care professionals, relatives or carers.
Why we collect information about you
We need accurate and up to date information about you so that we can give you the best possible care and make sure we contact you at the right address and phone number. We will check your details with you when you visit; please let us know of any changes, for example to your address, phone number or GP practice.
Your mobile phone number is an important part of your health record and the way we communicate with you. We will use this to send you text message reminders a few days before your appointment. Most of our patients appreciate these reminders and we know that they reduce the number of missed appointments, but if you do not wish to receive text messages let us know when you next attend the hospital.
How we keep your records confidential
Information you give to us in confidence will only be used for the purposes described below and to which you agreed, unless there are other circumstances covered by the law.
We comply with the NHS Confidentiality Code of Conduct. All our staff are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
All manual and computerised records are stored in secure environments with access strictly controlled.
If someone other than you (e.g. a relative or friend) contacts us to find out about your care or treatment, we will not be able to talk to them unless we have your permission (apart from parents/guardians of children who are recorded as next of kin).
How we use your personal information
Your records are used to direct, manage and deliver your care so that:
- Clinical staff involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you.
- Clinical staff have the information they need to assess and improve the quality and type of care you receive.
- Administrative staff supporting your care can sort out your appointments, deal with queries, produce letters etc.
- Relevant information is available if you see another doctor, or are referred to a specialist or another part of the NHS or social care.
We also use information we hold about you to:
- Review the care we provide to ensure it is of the highest standard and quality
- Do patient satisfaction surveys about the services and care you had so we can improve the way we deliver healthcare to you and other patients, for example, the Friends and Family Test
- Inform you of resources or help to support your continuing care
- Ensure our services can meet patient needs in the future
- Investigate patient queries, complaints and legal claims
- Ensure the hospital receives payment for the care you receive
- Prepare statistics on NHS performance
- Audit NHS accounts and services
- Undertake health research and development (with your consent – you may choose whether or not to be involved)
- Help train and educate healthcare professionals
We will not contact you with marketing material.
When do we share information about you?
Direct care purposes:
We will share information about you with other health and social care professionals directly involved in your care so that you may receive the best quality care. For example:
- Every time you attend the hospital as a patient, we will send your GP a summary of any diagnoses, test results or treatment given
- If you receive care at different hospitals in the West Midlands, clinicians delivering your care may be able to view all your images, not just the ones taken at this hospital, using the Regional Information Sharing Platform (see RISP under Useful Links below)
- We sometimes use private or voluntary providers to deliver care with us or on our behalf. We will tell you when we are doing this and will put in strict controls and agreements about how we share information with these providers. For example:
  - Our Orthotics Service is delivered on the ROH site by Blatchford
  - UHB hospital provides clinical laboratory services (e.g. blood tests) and other diagnostic services (e.g. nerve conduction studies)
You may be receiving care from other services as well as the NHS and we may need to share some of the information we hold about you with them so we can all work together for your benefit. We will only do this when they have a genuine need for it or we have your permission. Subject to strict agreements about how it will be used we may share your information with:
- Social Care Services
- Education Services
- Local Authorities
We will not give your information to third parties without your permission. If you object to us sharing information, please let your clinician know. However, there are some exceptional circumstances when we have to share information, such as when either your or somebody else’s health and safety is at risk, or the law requires us to pass on information, for example for certain infectious diseases, child or adult safeguarding, a formal court order, or where a serious crime has been committed.
Indirect Care Purposes:
We may also be asked by other statutory bodies to share basic information about you, such as your name and address, but not sensitive information from your health records. This would normally be to assist them to carry out their statutory duties.
Nationally, from 25 May 2018 NHS Digital is implementing a new system to give patients more control over how their confidential patient information is used allowing them to choose if their data can be used nationally for research and planning. See Useful Links below for more information.
Your right to object to recording or sharing information
If you feel that you are being asked for information you would prefer not to have recorded, or have concerns about how it is used or shared, please let your clinician know and we will record this in your records so that all staff involved in your care are aware of your decision. Please be aware that if you make this choice it may make it difficult to give you treatment, so talk this through with your clinician so that they can let you know of any potential impact. You can also change your mind at any time about a disclosure decision.
Your right to rectification
This means that if you think any information we hold about you is inaccurate, please let us know. If your clinician is concerned that changing your information could cause you or our staff harm, we may not change the information, but we will document your objection in your records.
Your right to see your information
You have the right to see or have copies of your information – this is called a Subject Access Request. There is no charge for this and we must respond to you within one month. You must provide evidence of your identity when you make a request. See contact details below.
How long do we retain your records?
All our records are destroyed in accordance with NHS guidelines on retention and we do not keep your records for longer than necessary. All records are destroyed confidentially once their retention period has been met and the Trust has made the decision that the records are no longer required.
The Legal Bit
Under the General Data Protection Regulation the ‘Lawful Basis’ to process and use your information is:
- Article 6(1)(e): “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
- Article 9(a)(h): “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”
You may have heard of a new right called the right to erasure, i.e. the right to be forgotten. However, this doesn’t apply to health data as we are using the above as the legal basis.
We have an additional requirement under the Common Law Duty of Confidentiality to keep your personal information confidential and to obtain your consent to use and share it. This includes implied consent, i.e. when your GP sends us a referral it is implied that we can use and store that information. We will also get your consent to use your information for purposes other than healthcare, e.g. research.
The hospital is the Data Controller responsible for keeping your information confidential and is registered with the Information Commissioner - Ref. No. Z8937486.
- Data Protection Officer: Simon Grainger-Lloyd - Associate Director of Governance/Company Secretary.
- Caldicott Guardian: Matt Revell - Medical Director. Has particular responsibility for protecting patient confidentiality and ensuring we share patients’ information securely and legally.
- Senior Information Risk Owner (SIRO): Steve Washbourne - Director of Finance. Accountable for the management of all our information systems and the data they hold. The SIRO also makes sure that any associated risks or incidents are documented and investigated appropriately.
- Information Governance Manager: Janette Carveth. Day to day responsibility for ensuring security and confidentiality of patient information.
Useful Links
- If you are unsatisfied with the way the Trust has handled or shared your personal information, you have the right to complain to the Information Commissioner’s Office: https://ico.org.uk/ or 0303 123 1113
- National Opt Out: https://digital.nhs.uk/national-data-opt-out
- Here is a really useful site about how the NHS uses your information, which we recommend you read if you are thinking of opting out: https://understandingpatientdata.org.uk/about-us
- Regional Information Sharing Platform (RISP): http://regional-image-sharing-platform.org.uk/
- Records Management Retention Guidelines: https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016