General privacy notice
This is how we collect and use your personal information.
It applies to all the information we collect about you when you come to us for care or treatment.
Parts of this notice also apply to you if you:
- visit our hospitals or clinics
- use our digital services
- apply for a job
Why we collect your personal information
The Care Act 2014 requires us to keep records of the care and treatment you receive.
We collect your personal information to:
- provide you with the right care and treatment
- meet our statutory and regulatory obligations
We need accurate and up-to-date information about you to:
- give you the best possible care or treatment
- make decisions, with you, about your care and treatment
- work safely and effectively
All the data we collect about you, including information about your care, are saved safely and securely in our records.
Your records are available to our clinicians to view when you:
- are referred to us
- have an appointment
- receive care or treatment
We may use your information to make our services better for everyone through research and planning.
This usage is sometimes referred to as secondary purposes.
Normally, when we share or use data for planning or research purposes, your personal information is removed (anonymised) so you cannot be identified from any information provided.
Your anonymised data helps us to:
- assess our quality and performance
- investigate complaints, incidents, or claims
- collect data about public health, for example by monitoring infectious diseases
- make best use of NHS funding and other public money
- audit our accounts
- train and educate our staff
- run and manage research and development
Types of information we collect
The type of information we collect from you includes:
- your name
- date of birth
- address and postcode
- your telephone number and email address
- relevant details about:
  - your next of kin, and other family members
  - carers who look after you
Information about your care
- treatments and procedures
- any advice given at referrals
- outpatient appointments or home visits
- information about the medicines you’re taking, such as:
  - the type and dose
  - side effects
- your allergies, or any reactions you may have
- tests and test results:
  - blood or other tests
  - scans or imaging tests such as x-rays, MRIs, or ultrasound scans
Your feedback about your care and experiences
(Sometimes referred to as special category information)
- your nationality and ethnicity or race
- your religious or philosophical beliefs
- your sexual orientation, sex, or gender
- your physical and mental health
- genetic data
- information that can be used to recognise you (biometric data) such as:
  - iris patterns
  - the shape of your face or your features
- criminal offences, cautions, or convictions
How we collect your personal information
We collect information about you if:
- we see you in clinic, in hospital, or in your own home
- someone refers you to us (or you refer yourself)
- you fill in an online or paper form
- you contact us for information
- you give us feedback
- you use one of our online services (such as our website or online visiting)
- you apply for a job with us
We will always process your personal information lawfully and fairly. We are governed by the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR).
Under DPA 2018, we need a legal basis to process (or use) your information.
Using data for direct patient care
We do not always rely on your prior consent to use your information because there are rules in articles six and nine of DPA 2018 that allow us to process your information:
Article 6 (1) (e)
Allows us to use your personal data as it is necessary to perform tasks in the public interest of our official functions, where a task has a clear basis in law.
Article 9 (2) (h)
Allows us to use your sensitive data for the provision of health, social care, or treatment, or the management of health or social care systems and services under the Health and Social Care Act (2015).
Using data for secondary purposes
We need your express permission to collect personal data from you for non-direct healthcare purposes.
Article 6 (1) (a)
Only allows us to process your personal data if you have given explicit consent.
Article 9 (2) (a)
Only allows us to process special category data if you have given explicit consent.
Where we share your information
We may share your information with other healthcare professionals and organisations.
This may include, but is not limited to:
- Healthcare professionals from other services
- Your friends, family, or carers including:
  - Anyone with the authority to act as your power of attorney
  - Someone who can give consent on your behalf
- Other healthcare providers including:
  - Other NHS trusts
  - Your GP
  - Private care providers
  - Emergency services, NHS 111, and ambulance services
- Clinical commissioning groups (CCGs)
- Multi agency safeguarding hubs (MASH)
- Regulatory and safety bodies:
  - Care Quality Commission (CQC)
  - Public Health England (PHE)
  - NHS England
  - Information Commissioner’s Office (ICO)
- Social services and local authorities
- Education providers, your school, college, or university
- Services we contract, including:
- Translation and interpretation services
- Legal services
- Our charity, or charities that support or fund further care
- Bulk mailing and text message providers
Sharing information with the police
We may also share information with the police and other law enforcement agencies where we need to:
- protect the public
- trace a missing person
- prosecute or help apprehend someone for a crime
- protect a vulnerable child or adult through safeguarding processes
- provide information about you following a court order
- investigate fraud
National data opt-out service
We may share your confidential personal information with clinical research bodies.
Each clinical research body has to get approval from the NHS Health Research Authority’s Confidentiality Advisory Group (CAG) to request and use your information.
If you’re happy for us to share your information, you don’t need to do anything.
However, if you don't want your information to be used for research purposes, you can opt out:
- visit nhs.uk
- call 0300 303 5678
We’ll record your decision in your files, so your information won’t be shared for other purposes unless we’re legally obliged to do so.
You can change your mind at any time.
Cross-border data transfers
We don’t routinely send data out of the UK.
However, if we ever need to transfer your personal data to an organisation based overseas, we will tell you first.
To keep your data safe, we will consider if we can make the transfer without including your personal information.
Calls and video recording
Everyone has the right to access care and treatment without fear of violence or abuse, including our staff.
We may record your calls for the purposes of:
- quality and training
- the prevention and discovery of crime, including staff abuse
As per your subject access rights, you’re entitled to a copy of the recordings.
CCTV and body worn cameras
We use CCTV and body worn cameras to prevent and detect crime.
You’ll see signs and posters in the areas where we use CCTV.
As per your subject access rights, you’re entitled to request recordings of yourself, subject to exemptions.
You are not entitled to data that includes third party information.
How we stay in touch with you
We can keep you up to date about your care or treatment in various ways:
- by phone
- by post
- by text message
- by email
You can choose how you’d like to be contacted, and we’ll record your preference. Not all methods will be available for all purposes.
Please keep your contact details up to date.
Data protection by design
We carry out data impact assessments (DPIA) when planning new systems and processes that involve:
- the use of your personal data
- a change in the way we process your personal data
Our information security and data protection policies are in place to protect your privacy and confidentiality.
Our networks and digital storage are encrypted to stop unauthorised access, hacks, cracks, and loss.
Access to our systems is restricted to roles that have specific duties and responsibilities to use these systems. We regularly undertake system audits to ensure our controls are fit for purpose.
Any third party we use to support our services that has access to your data will be defined as a data processor, and is legally and contractually bound to operate in a safe and secure manner.
We keep all data in accordance with our health records policy and retention schedule.
These documents conform to the Record Management Code of Practice 2020.
Typically, the retention periods are:
- 20 years from the closure date for health records
- 8 years from date of death for patients in mental healthcare settings
- Child records are kept until either their 25th or 26th birthday, depending on their age at the end of their treatment