This section explains why information is collected about you by Ashford and St. Peter’s Hospitals NHS Foundation Trust and the ways in which this information may be used.
You may also want to read the following:
- Accessing your Health Records
- Collecting information about your ethnic group
- FFT and GDPR
- Privacy Notice (A5 leaflet)
- Privacy Notice (A4 guide)
- Sharing Information
How we use your personal information to improve healthcare
- What is a privacy notice?
- The information we hold about you
- Keeping your information safe and accurate
- Supporting your direct care
- Supporting other medical purposes
- Your right to refuse
- Telling us about your objection
- What your objection covers
- Other rights
- If you are a carer …
- If you are a parent …
- SMS for appointments
- Raising a concern
What is a privacy notice?
A Privacy Notice is a statement by the Trust to patients, visitors, carers, and the public that describes how we collect, use, retain and disclose personal information that we hold about you. This privacy notice is part of our commitment to ensure that we process your personal information fairly and lawfully. This notice also explains what rights you have to control how we use your information.
The Data Protection Act and General Data Protection Regulation (GDPR) controls how your personal information is used by organisations. Under the Act, the Trust is defined as a ‘data controller’ of personal information that we hold. We collect information to help us provide and manage healthcare for our patients.
In order for the Trust to be able to process your information lawfully, we are obliged to satisfy a condition under Article 6 and, where special category data (sensitive information) is being processed, under Article 9 of the GDPR. The following legal bases will apply: 6(1)(e) ‘for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’; and: 9(2)(h) ‘Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional’.
The trust is registered with the Information Commissioner’s Office (registration number ZA030561).
The information we hold about you
We keep records about your health and any treatment and care you receive from us. This helps to ensure that you receive the best possible care from us. The information we collect normally includes:
- Name, address, date of birth, NHS number and next of kin details,
- Contacts we have had with you, such as appointments and/or home visits,
- Information about your health, such as details of diagnosis, health conditions, allergies and the treatment and care you have received,
- Relevant information from other health and social care professionals in order to support the care you receive from us.
The trust also records CCTV images for the prevention and detection of crime.
Keeping your information safe and accurate
We always keep your information securely, and have strict rules about who can access it and how it can be used. We do our best to keep it accurate and up-to-date, so we will often check it with you when you attend one of our hospitals.
This leaflet describes the circumstances in which we may share your information with other organisations. We have a legal duty to keep information about you confidential. We expect all our partner organisations to apply the same strict security to your records as we do, and we make sure appropriate safeguards are in place before sharing any information.
We will only share your information in strict accordance with the law, and we never use or sell it for commercial purposes.
Supporting your direct care
The Trust uses your personal information to provide healthcare to you and for purposes directly related to that healthcare (such as booking and managing appointments).
Your information may be used for clinical audit, where the team involved in your care and those working to support them will check the quality and outcomes of the treatment provided.
If you receive care from other health & social care professionals, we may share with them the information we hold about you to improve your care. In some cases, such as where we deliver a service jointly with other healthcare provider organisations, we will share information about all patients receiving that service. The department where you are being treated will be able to tell you if this applies for the particular type of care you are receiving.
Supporting other medical purposes
The Trust may use information about you, and the care you have received, to improve the healthcare we provide to all patients. This includes medical research, monitoring and improving our services, and for other medical purposes where we believe there is a public benefit. If your information would be shared outside the team that provided care to you, or those working to support them, we would first anonymise it so that you cannot be identified.
In order to improve services we also participate in national schemes, such as patient surveys to gain feedback from patients about their experience at the Trust. These are completed voluntarily and we may, on occasion, contact you to discuss the feedback you provided if you supplied contact details. For some surveys, the Trust employs third party services to collect and process the data. The Trust only appoints processors who can provide sufficient guarantees that the requirements of the GDPR are met and that the rights of patients are protected.
The Trust carries out audits of care, which also collect data from NHS organisations all over the country. We can normally only do this if there is a lawful basis provided by the Secretary of State for Health or the Health Research Authority, or else with your explicit consent. The department where you are being treated will be able to tell you about any national schemes for the particular type of care you are receiving.
We also use your information to ensure we are paid correctly for the services that we have delivered.
Your right to refuse
We will always seek your consent to share your information with organisations for purposes other than your direct care. You have a right to object to the use of your information for any purpose other than your own direct care at any time. This is also referred to as ‘opting out’. We will explain fully the possible consequences for not giving your consent or withdrawing consent previously given as it could mean delays in you receiving care, the care that can be provided is limited and, in certain circumstances, it may not be possible to offer certain treatment options.
If you register an objection with us, we will exclude your information from all such other uses, or else anonymise it so that you cannot be identified. For example:
- The Trust regularly participates in national surveys (such as the A&E Survey), where some of our patients are invited to complete questionnaires. We would exclude your information completely from this type of survey
- The Trust is required to submit data on hospital attendances to a national database known as the Secondary Uses Service. We cannot exclude your data, but we would anonymise it so that you cannot be identified
Please note that in exceptional circumstances we may need to share information without your permission if:
- it is in the public interest – for example, there is a risk of death or serious harm
- there is a legal need to share it – for example, sharing information with appropriate agencies for child protection purposes
- a court order tells us that we must share it
- there is a legitimate enquiry from the police under the Data Protection Act for information related to a serious crime
Telling us about your objection
If you want to object to your information being used for any purpose other than your own direct care, you should speak to the health professional treating you. They will record your objection after checking that you understand this guidance.
If you care for somebody who lacks the capability to make their own decisions, or if you have parental responsibility for a child, you may be able to object on their behalf. Please read the information for carers and parents at the end of this leaflet.
What your objection covers
Your objection will only apply to the information held by Ashford & St Peter’s Hospitals NHS Foundation Trust for purposes which are not related to your own direct care.
The Trust is required by law to report certain information to other public authorities, including notifications of births, deaths, and infectious diseases.
If you want to opt out of other NHS organisations using your information for wider healthcare improvement purposes, you should speak to your GP practice.
You can always ask your health professional to show you the information that is available to them while they treat you. If you do not understand parts of it, they will be able to explain it.
The right of subject access applies to the individual patient, and can normally be exercised by somebody else only if the patient is incapable of making their own decisions. If you care for somebody who lacks the capability to make their own decisions, or if you have parental responsibility for a child, please read the additional guidance below.
If you are a carer …
If you have lasting power of attorney for health & welfare, you can make decisions on behalf of the patient. We will ask to see evidence of that power.
Otherwise, please speak to the health professional treating the patient. They will be able to make a decision based on the patient’s best interests, taking your views into account.
If you are a parent …
If you have parental responsibility for a child, you can only make decisions on their behalf until they are mature enough to understand and make an informed decision for themselves. We will normally try to seek independent consent from any child aged 12 or over, but the health professional treating them will always make a decision based on the individual child and their maturity.
In addition, you also have the right to request that the Trust corrects any personal information if it is found to be inaccurate or out of date, and also erase information if it is no longer necessary for the Trust to retain such data.
All patient records are destroyed in accordance with the Department of Health’s Records Management Code of Practice for Health and Social Care 2016, which sets out the appropriate length of time each type of NHS records is retained. All records are securely destroyed once their retention period has been met and the Trust has made the decision that the records are no longer required.
SMS for appointments
Raising a concern
Patients who have a concern about the way their records have been handled or shared should contact the Patient Advice & Liaison Service (PALS) (details below).
Additionally, patients have the right to complain to the Information Commissioner if they should ever be dissatisfied with the way the Trust has handled or shared their personal information.
You can also find out more about your rights on the website of the Information Commissioner’s Office - www.ico.org.uk.