We take your confidentiality and privacy rights very seriously. This notice explains how we collect, process, transfer and store your personal information. It forms part of our duty of accountability and transparency under the General Data Protection Regulation (GDPR) and Data Protection Act (2018) (DPA).
We’re registered with the Information Commissioner’s Office. Our registration number is ZA333232.
Under the Data Protection Act (2018) you are classed as a data subject.
Your rights, as a data subject, are set out in chapter three of GDPR in five sections:
- Transparency and modalities: rights ensuring data subjects are informed about how personal data is being used.
  - You have a right to be kept informed about how your personal information is being used.
- Information and access: rights ensuring data subjects can see what personal data is being held about them.
  - You have a right to see the information we hold about you.
- Rectification and erasure: rights ensuring data subjects can correct or permanently remove personal data held about them.
  - You have a right to correct, or permanently remove, your information.
- Right to object and automated decision-making: rights ensuring data subjects can object to how personal data about them is processed (for example, marketing).
  - You have a right to decide how your information is used (for example, for marketing purposes).
- Restrictions: special exemptions allow the above rights to be limited for justified purposes, including health research, but conditions and safeguards apply.
  - Sometimes, we can use your information without your consent. For example, we can use your information for health research, but we have to do so safely and legally.
Your right to confidentiality
Your right to confidentiality does not cover all circumstances. There may be times when we must share your information with other organisations.
We don’t need your consent if:
- we’re concerned that you are putting yourself at risk of serious harm
- we’re concerned that you are putting another person at risk of serious harm
- we’re concerned that you are putting a child at risk of harm
- we've been instructed to do so by a court
- the information is needed for the investigation of a serious crime
- you are subject to the Mental Health Act (1983), in which case we may need to inform your nearest relative, even if you object
- you have an infectious disease and we have to inform Public Health England
How we meet the principles of the Data Protection Act (2018)
We will always process your personal information lawfully and fairly by:
a) Only using your information when we have a lawful reason to do so. We have to let you know how we intend to use your information, and make you aware of your rights.
Under the General Data Protection Regulation (GDPR), we need a legal basis to process (or use) your information.
We do not always rely on consent to use your information because there are rules in articles six and nine of GDPR that allow us to process your information based on:
“…a task carried out in the public interest or in the exercise of official authority vested in the Controller” i.e. the Health and Social Care Act (2015)
This means we can lawfully use your personal information to care for you without your consent. You always have the right to say “no”. At any time, you can:
- refuse to give us your consent to use your information
- withdraw consent you’ve given us to use your information
However, if we cannot use your information your care may be affected and your treatment delayed. Before you decide, talk to the person in charge of your care.
b) Only collecting and using your information to care for you and give you treatment. We will not use your information for anything else that is not considered, by law, to be for this purpose.
c) Only using the personal information that is relevant and necessary to care for you or give you treatment.
d) Keeping your information accurate and up to date when using it and, if we find errors or omissions, we will correct your information as soon as we can.
e) Only keeping your information in a form that identifies you for as long as we are legally required to, while ensuring your rights are protected.
f) Keeping your personal information safe when it is being used, shared and stored.
COVID-19 and your personal information
This notice describes how we will use and share your personal information to protect you and others during the COVID-19 outbreak.
It supplements our main Privacy Notice which can be found on this page.
Use of data
The NHS is facing significant pressures due to the COVID-19 outbreak. Patient information is essential to care for people, to support health and social care services, and to protect public health.
Information is vital in researching, tracking and managing the outbreak.
Existing law, which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency, is being used to respond to the COVID-19 outbreak.
Using this law the Secretary of State for Health and Social Care has allowed the following organisations to share confidential patient information:
- NHS Digital
- NHS England and Improvement
- Healthcare organisations such as Public Health England
- Local authorities
Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak, unless there is another legal basis to use the data.
Due to the public interest in sharing information, opt-outs will not generally apply to the data used to support the COVID-19 response. This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws, your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests while we focus our efforts on responding to the outbreak.
To help look after your health and care needs we may share your confidential patient information, including health and care records, with clinical and non-clinical staff in other health and care providers. This might include GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.
During this period of emergency we may also offer you a patient consultation via telephone or videoconferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.
We will also be required to share personal/confidential patient information with organisations engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations to support the COVID-19 response is here.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.
Where you tell us you’re experiencing COVID-19 symptoms, we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.
We may amend this privacy notice at any time so please review it frequently.
You can find further information about how data is supporting the COVID-19 response, and read more about this law, in NHSX's frequently asked questions.
The types of information we collect
We keep records about your health and the care and treatment you receive. Most of your information is stored electronically on secure computer systems, and it includes:
- basic details such as:
  - NHS number
  - date of birth
  - phone number
  - email address (where you’ve provided one and allowed us to communicate with you by email)
- the contact details of your next of kin
- notes and reports about your treatment, and the care or support you need and receive
- your diagnoses and test results
- relevant information from other professionals, relatives or those who care for you or know you well
- a record of any time you see us, whether a visit at home, in a clinic, or when you stay with us
- information about your medication, procedures, and treatments, and the side effects and allergies you have
- the feedback you give us about your care
Why we collect your information
We collect and record information about you so we can give you the right care and treatment. It’s important we:
- have enough information to help you make the right decision about your care
- are able to learn from your experience, and improve care for everyone
- are able to investigate your complaints or concerns.
We ask for your contact information so we can:
- let you know when your next appointment is by writing to you, sending you an SMS text message, or calling you
- send you SMS text messages to remind you that your next appointment is soon
You can opt out of receiving SMS text notifications at any time by texting STOP in reply to one of your appointment notifications. We will make sure that you continue to receive letters in the post.
We will also collect information from you that is not related to your care when you sign up for something on our website or in person. For more information, read Why we collect information through our website.
You can access your information if you:
- see a different healthcare professional
- move to another area or need to use another service
Who we share your information with
We may share your information with a range of public and private companies (including charities) to:
- give you the right care at the right time, in the right place
- use it for research or audits
- measure performance against national standards.
We will only share your information if:
- we have your consent to do so
- it’s in your best interest
- the welfare of others is involved.
You always have the right to say “no”. At any time, you can:
- refuse to give us your consent to share your information
- withdraw consent you’ve given us to share your information.
However, if we cannot share your information:
- your care may be affected
- your treatment may be delayed
So before you decide, we’d recommend you talk to the person in charge of your care.
Your information from your patient record will only be used to benefit your care. We’ll never share your information for insurance or marketing purposes.
Data sharing agreements
A data sharing agreement is a contract between us and another organisation that clearly shows:
- what data is being shared
- how the data can be used
- where the data is being stored or held
Often, when we share your information we take out anything that can identify you as a person. If that is not the case, we’ll ask for your consent.
List of organisations
We may share your information with other organisations so you get the right care at the right time, including:
- your GP surgery
- other health and social care organisations including private companies who may care for you
- local authorities, including social services
We may also share your data with other organisations who are not directly involved with your care, but need to know certain information about you. For example:
- education services
- public health bodies
- police and law enforcement
We’re required by law to share certain information with authorities. For example:
- registry of births and deaths
- the Health Protection Agency
- the Driver and Vehicle Licensing Agency (DVLA)
- the Department of Work and Pensions (DWP)
And we may share your information for research and audits.
- An audit is when we look at the care we’ve given a certain group of patients against current standards of care. We audit our care to make sure it meets national standards.
- Research is where we test a new procedure or type of care with a group of patients. We do research to improve care for now and in the future.
Specific information sharing agreements
We have to share certain information with NHS Digital, on behalf of NHS England, to:
- plan services
- demonstrate that we are giving our community high quality care
- show we’re meeting national standards
We may share information about your care and the information you give us through the National Patient Survey Programme (NPSP).
The NPSP helps the wider NHS plan services by gathering your views about your care. We may give an approved contractor your information so they can contact you about your care.
You can tell us not to share your data with NHS Digital. Saying “no” will not affect your care. Visit NHS Digital’s website to find out more or to opt out.
Data controller console
The data controller console is a website that makes it easier for NHS organisations in London to track and update the status of information sharing agreements.
How we keep your information safe
However we keep, use, or share your information – in electronic or paper form – we have a legal duty to keep your information safe.
Our staff, partners, and suppliers have the same legal responsibility, too.
Our staff and on-site contractors are given information governance training so they know their responsibilities to you:
- Any data breach is taken seriously and:
  - reported to the Information Commissioner’s Office
  - disciplinary action is taken, up to and including dismissal
- Our information systems are designed, planned and implemented with a focus on security
Data protection impact assessments
Whenever we do something new with your data, we have to understand if there are any risks involved.
By law, we have to complete a data protection impact assessment which:
- helps us find any security risks
- identifies the legal basis for the collection, use, and sharing of your information.
We assess the risk right at the beginning of a project. If we need to buy something new, our assessment takes place before we go out to tender.
All assessments are sent to our Data Protection Officer for approval, and if approval is given, we go ahead with our project.
We also regularly undertake data flow mapping exercises, where we note:
- what the information is
- where the information is stored
- how the information is shared (if at all)
For more information about our data protection impact assessments, email our Information Governance Team.
Our Caldicott Guardian
The person who is responsible for making sure we comply with the Caldicott Principles is known as a Caldicott Guardian. They make sure we:
- justify the purpose of sharing your information
- don’t use identifiable information unless it is necessary and, where it is necessary, use the minimum amount of information
- make sure only people who need to know have access to your information
- are aware of our responsibilities
- understand and comply with the law
- share information when it’s in your best interest.
Our Caldicott Guardian is Dr Charles Cayley.
How long we keep your information
Your records are subject to the Records Management Code of Practice for Health and Social Care Act (2016) (or the Code).
The Code sets out best practice guidance on how long we should keep your information before we are able to review and securely dispose of it.
Your right to see your information
You have the legal right to see the information we hold about you. You can also request access to see a deceased person’s information we hold, if you have a legal right to do so.
- Your right to see your information is outlined in the Data Protection Act (2018). We do not charge you for access to your records.
- Requesting access to a deceased person’s records is outlined in the Access to Health Records Act (1990).
We cannot give you access to information that:
- has been provided about you by someone else if they haven’t given permission for you to see it
- relates to criminal offences
- is used to detect or prevent crime
- could cause physical or emotional harm to you or someone else.
Remember, accessing information that you are not entitled to is a criminal offence.
How we use your information for research and planning
Research is how we test new procedures or types of care with a group of patients. We do research to improve care for now and in the future.
Usually, research is completely voluntary. Remember, you can always say “no” to research and it won’t affect your care.
An audit is when we look at the care we’ve given a certain group of patients. We audit our care to make sure it is safe, effective, and meets national standards.
When we share information about you for audit purposes, we remove any data that could identify you. All access to the information is strictly controlled.
Consent to treatment
We will ask for your consent before you have any treatment, test, or examination. We’ll always explain to you what’s going to happen, and give you the choice to go ahead.
Your consent has to be:
- voluntary – it’s your decision
- informed – we have to give you all the information, including what will happen if the treatment, test, or procedure doesn’t take place.
You can give consent in two ways:
- by saying yes (or no if you do not consent)
- by signing a consent form
Suppliers (including subcontractors and individuals associated with our suppliers and subcontractors)
We collect and process personal data about our suppliers including:
- subcontractors and
- people associated with our suppliers and subcontractors.
We collect information to:
- manage our contracts and relationships with our suppliers
- receive services from our suppliers
- develop our services (for example, we may work with a supplier to improve our care)
- provide professional services or education to our clients
- help us manage our digital systems, including our websites, clinical systems, and applications
We use, protect, and safeguard our suppliers’ information in the same way outlined in this notice.
We also have:
- security procedures in place to protect information, which involve detecting, investigating and resolving security threats; personal data may be processed as part of this security monitoring, for example through automated scans to identify harmful emails
- policies and procedures in place to monitor the quality of our services and manage risks in relation to our suppliers
- supplier contracting procedures, as part of which we collect and hold personal data
- quality monitoring of the services we use, which may involve processing personal data
Security and CCTV
We operate CCTV cameras to help improve safety for our staff, patients, and visitors, and to prevent crime.
All CCTV footage is held in accordance with our privacy statement.
If you’d like to request access to CCTV footage, you need to submit a subject access request. Remember to include the:
Why we collect information through our website
We collect data through our website through forms, cookies, and tracking software.
We use forms to collect information about you in accordance with the above. We will:
- only ask you for information that our teams need to fulfil your request
- never share your information for marketing or insurance purposes
We use Google Analytics, a web analytics service provided by Google, Inc. Our analytics help us improve:
- the information we publish
- our website’s performance
- your experience of our site
You can opt out of Google Analytics by installing an add-on to your browser.
Our social media policy outlines the way we expect you to behave online while talking to us, and other members of our community.
Above all, we ask you remain civil, and not to say or do something that could cause offense or upset.
You’re advised to verify the authenticity of our profiles before sharing any information with us:
We will never ask for your passwords, and we do not run any services that require you to log on with your social media profile. We will never ask you for personal information.
Our website may feature social sharing buttons that help you share web content to your social media account. You:
- use our social sharing buttons at your own risk
- accept that using our social sharing buttons may publish web content on your social profile, feed, or page.
How to raise a concern
If you have a complaint about the way your data has been handled, you can:
- Email our Data Protection Officer
- Email our Deputy Senior Information Risk Owner
- Email our Caldicott Guardian
Alternatively, you can report a concern directly to the Information Commissioner’s Office.