Information Governance

Date of issue: July 2022

This notice describes how we may use your information to protect you and others during the COVID-19 outbreak. It has been produced to supplement our current privacy notices which can be found lower on this page.

This notice has been significantly updated in 2022 after a change to the law. The Covid-19 and Coronavirus Testing privacy notices were first written when the emergency response began in 2020.

Organisations that existed in 2020 have also changed. NHSX merged with NHS England and Improvement and NHS Digital. Public Health England is now the UK Health Security Agency.

Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health.

A notice about the national Covid19 testing program can be found here: access GOV.UK website for Coronavirus (COVID-19) testing privacy information (opens in new window) >

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency was used during the first two years of Covid19. These were withdrawn on 30 June 2022. You can read more about them here: access GOV.UK website for Coronavirus (COVID-19): notification to organisations to share information (opens in new window) >

The continuing use of personal or confidential data about Covid19 rests on other lawful bases.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

If you require to see archived versions of the Covid-19 privacy notice, please contact  uhdb.dataprotectionofficer@nhs.net.

University Hospitals of Derby and Burton NHS Foundation Trust recognises the importance of protecting personal and confidential information and is committed to ensuring that your privacy is protected. 

The law determines how organisations can use personal information.  This is covered within the General Data Protection Regulation (GDPR), UK Data Protection Law, the Human Rights Act, Common Law Duty of Confidentiality and other Health Service legislation.

In accordance with NHS guidance, the Trust has in place a:
 

• Caldicott Guardian: an executive director who is responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing. 
   

• Senior Information Risk Owner: an executive director with overall responsibility for information risk within the Trust. 

The General Data Protection Regulation requires the Trust to appoint a Data Protection Officer to facilitate compliance with the data protection legislation/requirements, act as an intermediary between relevant stakeholders and be the first point of contact for supervisory authorities.

The Data Protection Officer for UHDB Trust is: 

The Data Protection Officer for UHDB can be contacted: uhdb.dataprotectionofficer@nhs.net

This privacy notice is intended to inform you about:

• the type of information we hold and how we use and manage that information

• how we ensure that the confidentiality of personal/sensitive information is maintained

• how and why we may share information with other NHS organisations and non-NHS organisations  

Definition of personal and sensitive data: 

• Personal data is information about an identifiable living person such as name, address, telephone number, date of birth, email address, online identifiers, and credit card/bank details.  This includes, but is not limited to, written correspondence, emails, photographs, audio recordings and video recordings.

• Sensitive data is special categories of personal data, i.e. data concerning health, ethnic origin, race, political opinion, religious beliefs, biometric and genetic data. 

How we protect your data and ensure confidentiality of information is maintained

All NHS organisations and everyone who works for the NHS or in partnership with them have a legal duty to keep information confidential and take great care with the security of information and records. 

Staff have a legal responsibility to maintain confidentiality and security of all the personal information we hold and ensure compliance with the Data Protection Law, the Caldicott Principles, the NHS Code of Confidentiality and the Human Rights Act.

The Trust is the Data Controller for the data it holds.  All information and information systems within the Trust are stored on our secure network with appropriate security controls, which includes access controls, cyber security and assessments against all aspects of data security.  

Data Protection Impact Assessments (DPIAs) are completed for all new projects or changes to the way we process personal data to ensure that all potential risks have been considered and addressed appropriately.   These are signed off by the Senior Information Risk Owner and Caldicott Guardian before the project or change can continue.  Details of DPIAs completed can be obtained from the Trust’s Information Governance Team using the contact details below.

Training

Staff are trained to understand their responsibilities regarding the security and confidentiality of patient information and that access is on a strictly need to know basis.They must update this mandatory training on an annual basis.

Audit trails

Records are available to show who accessed what information.  Routine/random audits take place to ensure access in appropriate.  Any inappropriate access identified will be dealt with through the Trusts’ Disciplinary Process.

The Information Commissioner’s Office maintains a public register of organisations that process personal identifiable data.  
The Trust’s registration number is Z8575998.

CCTV

Security cameras are installed at various locations within this Trust to prevent and detect crime and for the protection of staff, visitors and patients and their property.  Our security staff are also equipped with body worn cameras which are only activated if they need to record a violent or aggressive incident.  Signage about CCTV is posted around the entrances and will be visible on all officers carrying body worn cameras.

Retention of your data

We will retain your information in line with the Department of Health Retention Schedule. Read more about the Information Governance Alliance (IGA) (opens in new window) >
 

National Data Opt Out

UHDB is compliant with the National Data Opt-out Policy. To find out more about the National Data Opt-out, please visit the NHS Digital website (opens in new window) >
 

Contact us for further information:

• Post: Information Governance, Level 3 M&G, Royal Derby Hospital, Uttoxeter Road, Derby DE22 3NE 
• Email: uhdb.dataprotectionofficer@nhs.net
• Telephone:  01332 788645

The types of patient information

The Trust holds a range of information about each patient including:

• Personal identifiers: name, date of birth, NHS number
• Personal characteristics: ethnicity, gender
• Contact details: address, telephone number, email address
• Next of kin details
• Details of:
  • referrals, clinic appointments and admissions,
  • health diagnosis and treatment plans, and
  • investigations including scans, x-rays, pathology tests

By providing the Trust with contact details, patients are consenting to the Trust using these details as a means of communicating about care, i.e. letter, text, voice-mail or email communication.

To help us keep accurate information about you please tell us if your personal details change so that we can update them. If you need to update your details, please inform the clinic or ward staff during your next visit, or contact your consultant’s secretary.

We also process pseudonymised national Hospital Episode Statistics (HES) data obtained from NHS Digital about individuals from across the country.

We also have duties under common law, Information provided in confidence will therefore only be used for the purpose it was obtained or consented to by the patient.

Why we use this information

Information is held to provide appropriate care and treatment, whether privately funded or NHS funded. Our staff, including doctors, nurses, and other healthcare professionals, use your information to:

• Assess your health and make decisions about ongoing care, treatment, and health protection.
• Ensure that your care is safe and effective.
• Effectively work with other professionals who are providing your care.

NHS organisations are expected to participate and support health and care research. University Hospitals of Derby & Burton is research active, and your information may be used to support this. Please visit our Research webpages for more information (opens in new window) >

Patient information may also be used to help us to:

• Carry out clinical audit
• Make sure our services meet patient’s needs in the future
• To obtain feedback about your experience, through our Friends & Family questionnaire in order make changes/improve services
• Investigate concerns, complaints, claims or untoward incidents
• Provide statistics on NHS performance and activity
• Train and educate our staff (you have the right to choose whether to be involved personally)
• Receive payment for the care we provide.
• Conduct health research and development

Lawful basis

Data protection law requires us to have a ‘lawful basis’ for using people’s data.

The lawful basis for processing patient data is UK GDPR Article 6.1(e) Public Task - processing is necessary for us to perform a task in the public interest or for official functions. For private patients we also use Article 6.1(b) Necessary for the performance of a contract. For processing special category data the condition is Article 9.2(h) - processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment.

The lawful basis for processing HES data is Article 6.1(e) for the performance of a task carried out in the public interest and special category data Article 9.2(g) processing is necessary for reasons of substantial public interest.

For statistics and research data the lawful basis is Article 9.2(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes in accordance with Article 89(1) and DPA Schedule 1 part 1(4).

Read more about patient information and health and care research (opens in new window) >
 

Sharing your information

Your information may be shared with other organisations or individuals depending on your circumstances:

• GPs, other NHS health & social care staff or private sector providers for the purpose of providing direct care. These teams may include healthcare professionals (doctors, nurses, pharmacists, physiotherapists, and occupational therapists), administrative support staff, pathology staff and radiology staff. This enables relevant discussions as ‘a team’ for the benefit of the patient’s care, across care settings.
• Department of Health for the purposes of planning, managing, and auditing healthcare services
• National disease, treatment, or genetic registries, such as the National Disease Registration Service (opens in new window) > 

Health law sets out a duty for information to be shared where it facilitates care for an individual and it is legal to do so. Confidential information is shared with other health professionals who are involved in the direct care of a patient. You may receive care from other organisations. We may need to share your information with social services, education services, local authorities, voluntary sector providers (with your consent) to help with the management/support of your care and work together for your benefit. We will only pass on information if there is a genuine need.

Shared Care Records

Organisations providing care are increasingly working together to ensure patients receive the most appropriate treatment at the earliest opportunity. This is particularly important following the coronavirus pandemic where waiting lists are high, and patients may be able to be seen more quickly in a different organisation. To support this, we may share your information with, or receive information from, another organisation to determine if you can receive treatment more quickly. If quicker or more appropriate treatment is possible then you will be contacted with further information on the options available to you. Please be assured that this information is being shared for direct care purposes only and all organisations will treat your information confidentially.

The Trust is also a member of the East Midlands Radiology Consortium (EMRAD) which aims to deliver timely and expert radiology services to patients across the East Midlands, regardless of where they are being treated.

Visit the East Midlands Imaging Network (known as EMRAD) website (opens in new window) >

To support the sharing of information to provide you with the best treatment, different regions have Shared Care Records. This means details about your needs, and how you receive care, will be shared with partner organisations involved in your care. Performance information is depersonalised and shared with our commissioners (those who pay for the care you receive) for the purpose of capacity management. This information sharing is in addition to information sharing required to support the provision of safe care, and is about managing the resources of health and social care colleagues, to work better together. The approach is to enable connection of teams across traditional organisational boundaries, and enable the delivery of part of the NHS Long Term plan: access NHS website for NHS Long Term plan (opens in new window) >

Depending on where you live and receive care, the Trust shares with the Staffordshire or Derbyshire shared care record. More information about Derbyshire can be found here: Access Joined Up Care Derbyshire website (opens in new window) >. More information about Staffordshire can be found here: Access Staffordshire ICS Website (opens in new window) >

Can I object to sharing?

Shared Care Records are designed to share information between professionals quickly to improve the quality and efficiency of your care. By withdrawing, you understand that you will not benefit from these improvements. You can also change your mind at any time about whether you wish to share your record. If you wish to opt out of the automatic sharing of your health record from this Trust to Shared Care Records:

• for One Staffordshire please visit Staffordshire and Stoke-on-Trent Integrated Care System website (opens in new window) > 
  or
• for the Derbyshire Shared Care Record, please contact Charles Frakes, DSCR Privacy Officer, at Crhft.enquiries.dscr@nhs.net or complete Derbyshire Shared Care Record - Object to Sharing online application (opens in new window) >

For purposes beyond your care, you can ‘opt out’ from sharing. The Trust is compliant with the National Data Opt-out Policy. To find out more about the National Data Opt-out, please visit the NHS Digital website (opens in new window) >

There may be times when we need to share your information without your consent and regardless of your National Data Opt-out status when required to do so by law, i.e.

• Organisations with statutory investigative powers – i.e. Care Quality Commission, GMC, Health Service Ombudsman.
• when there is a risk of harm to you or others,
• where we believe the reasons for sharing are so important that they override our obligation to confidentiality (i.e. to support the investigation of a serious crime)
• where we have been instructed to do so by a court
• where we are legally required to do so to control infectious diseases.

How we use your information

Our Trust uses patient information in various formats. Some information is used in printed form, for example identity labels, drug charts, pathology test order forms. Other information is used electronically, for example on smartphones, tablet computers, laptops, or special devices like scanners.

The Trust uses computerised processing of electronic patient data. Processed information can be shared with clinical stakeholders, subject to our Information Governance Policy and controls. This processing is limited to:

a)   Improving clinical and personal records to ensure the information held is accurate

b)   Ensuring the data held reflects the reason for attendance, admission, or employment

c)   Maintaining up to date records for information relevant to an individual’s personal, clinical and employment guidelines and circumstances in practice at that time

d)   Secure data mining and where required, cleansing for research and statistical purposes to improve data quality, and is actioned for mutual benefit for the individual and the Trust

 

How long we keep your information for

We will retain your information for at least as long as required by the NHS Records Retention Schedule. In general health records must be stored for 8 years, but for some types of information the period is shorter or longer than this.

Storage space on Trust sites is limited so paper records are sent to offsite secure archiving facilities.

Your legal rights about your information

You have the legal right to confidentiality and a range of other rights under the Data Protection Act 2018.

• The right to be informed – you have the right to know what information we hold about you, what we use it for and if the information is shared, who it will be shared with, which we do through this privacy notice and patient leaflets.
• The right of access – many of our patients can view their information via a Patient Portal. If you are eligible for this, you will receive a message about registering with Patient Knows Best (PKB). Only if you choose to register with this service will the Trust upload your health information to the portal. It is your choice how much information you can access via PKB; information is not shared more widely. Visit Online Patient Portal page >. Other information can be requested from the Medical Records Department. Visit Medical Records page >.
• The right to rectification – this is your right to have your data corrected if it is inaccurate or incomplete. You will need to tell us what you believe to be incorrect and we will  then check with the person who recorded the information. We will correct factual mistakes and provide you with a copy of the corrected information. If you are not happy with an opinion or comment that has been recorded, we will add your own comments to the record so they can be viewed alongside any information you believe to be incorrect.
• The right to erasure – you have a ‘right to be forgotten’ where the Trust will delete your data, but this only applies where there is no compelling reason to continue processing your data. Your health record is retained in accordance with NHS national guidance, and because of our legal obligation to keep health records, it is extremely rare that we destroy or delete records earlier than the recommended retention period. However, if you believe you have compelling grounds for having all or part of your record erased you should contact our Data Protection Officer. The clinician in charge of your care and our Caldicott Guardian will decide whether we can safely accommodate your request. If you are unhappy with our decision you may wish to register a complaint to the Information Commissioner.
• The right to restrict processing – this is your right to block or suppress the processing of your personal data. If you raise an issue relating to your health record that requires us to restrict processing, we will investigate your concerns. Please note it will not be possible to restrict processing while you are receiving care and treatment at the hospital.
• The right to data portability – this is your right to obtain and re-use any information you have provided to us as part of an automated process. At present we do not process any personal data that meets this requirement.
• The right to object – this is your right to object to the hospital processing your health data because of your situation. Because of our obligation to keep health records it is extremely rare that we stop processing data if patients wish to continue to be treated by the Trust. If you believe you have compelling grounds for us to stop processing your data, you should contact our Data Protection Officer. The clinician in charge of your care and our Caldicott Guardian will decide whether we can safely accommodate your request. If you are unhappy with our decision you may wish to register a complaint to the Information Commissioner.
• Rights in relation to automated decision making and profiling – GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. While the hospital may use systems to determine how well a patient is, it does not replace our staff’s clinical judgements when making decisions about your care.

Questions or complaints

If you wish to discuss any other issues regarding your data wish to make a complaint please contact our Data Protection Officer via:

• Post - Information Governance, Level 3 M&G, Royal Derby Hospital, Uttoxeter Road, Derby DE22 3NE
• Email - uhdb.dataprotectionofficer@nhs.net
• Telephone – 01332 788645

If you are still unhappy with the outcome of your enquiry you can write to: The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF - Telephone: 01625 545700

Here we explain what information we have about you and what we use it for.

What information we have about you

• Name, date of birth, ID numbers
• Home address, telephone number, email address
• Family details
• About your visits to our hospitals
• About your health and treatment
• Details tests, scans, x-rays, etc
• Who your doctors and nurses are
• What you say or write about your care

We will use your address and telephone number to contact you or your family about your care.

We keep information until patients are at least 26 years old. We might keep the information for longer than this if we still need it to care for you. The Department for Health sets rules about how long we keep information for.

Why we keep information about you

We need a complete picture of you to make sure you get the best care for you.  Your information is only used by people caring for you.

Your information is used by doctors and nurses to:

• Know about your health
• Decide what care and treatment you need
• Work together to care for you
• Book appointments and send out reminders

Each time you come to see us we record information about that visit – things you tell us, things we tell you, any tests or medication.  This allows us to look back and see what we have done for you to make sure you are getting the best treatment. 

We also use information to:

• Make sure our services meet patient’s needs
• Find out what you think about your care so we can make our services better
• Look into concerns and complaints

Who we share your information with

We will write to your Family Doctor to let them know about your health and what we are doing for you.  We will provide your family member with a copy of these letters. We will share it with other people involved in your care who need to know.  We might share it with your school if we think it is important for them to know.

Sometimes we have to share information about a patient because the law tells us to. For example, when someone might be harmed, when a judge in a court tells us to, or if there is a special law about a disease.

Contact details

If you have questions about how we use your information, you are unhappy, or you think your information may be incorrect you can talk to your doctor. You can also contact the Data Protection Officer:

• Post: Information Governance, Level 3 M&G, Royal Derby Hospital, Uttoxeter Road, Derby DE22 3NE
• Email: uhdb.dataprotectionofficer@nhs.net
• Telephone: 01332 788 645

If you are still unhappy about how we use your information you can write to:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 01625 545 700

During the course of its employment activities, University Hospitals of Derby and Burton NHS Foundation Trust collects, stores and processes personal information about prospective, current and former staff.

This privacy notice includes applicants, employees (and former employees), workers (including agency, casual, honorary and contracted staff), volunteers, trainees and those carrying out work experience. 

We recognise the need to treat our staff personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met. 

What types of personal/sensitive data we hold 

In order to carry out our activities and obligations as an employer we handle data in relation to: 

• Personal demographics (including gender, race, ethnicity, sexual orientation, religion) 
• Contact details such as names, addresses, telephone numbers and Emergency contact(s) 
• Employment records (including professional membership, references and proof of eligibility to work in the UK and security checks) 
• Bank details 
• Pension details 
• Medical information including physical health or mental health conditions (occupational health information)
• Information relating to health and safety 
• Trade union membership 
• Offences (including alleged offences), criminal proceedings, outcomes and sentences 
• Employment Tribunal applications, complaints, accidents, and incident details

Our staff are trained to handle your information correctly and protect your confidentiality and privacy.  We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing.  Your information is never collected or sold for direct marketing purposes. 

Purpose of processing data:

• Staff administration and management (including payroll and performance) 
• Pensions administration 
• Business management and planning 
• Accounting and Auditing 
• Accounts and records 
• Crime prevention and prosecution of offenders 
• Education 
• Health administration and services 
• Sharing and matching of personal information for national fraud initiative 

We have a legal basis to process this as part of your contract of employment (either permanent, temporary or working arrangements) or as part of our recruitment processes following data protection and employment legislation. 

Sharing your information

There are a number of reasons why we share information. This can be due to: 

• Our obligations to comply with legislation
• Our duty to comply any Court Orders which may be imposed

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.

Use of Third Party Companies 

To enable effective staff administration University Hospitals of Derby and Burton NHS Foundation Trust may share your information with external companies to process your data on our behalf in order to comply with our obligations as an employer.

Employee Records: Contracts Administration (NHS Business Services Authority) 

The information which you provide during the course of your employment (including the recruitment process) will be shared with the NHS Business Services Authority for maintaining your employment records, held on the national NHS Electronic Staff Record (ESR) system.

NHS Streamlining

Details may be transferred from this Trust to other NHS Trusts to support the safe, efficient and effective transfer of staff information when a member of the workforce transfers from one NHS Organisation to another NHS Organisation.  The personal data that is shared includes: name, address, date of birth, national insurance number, completed training and registration details.

Prevention and Detection of Crime and Fraud

We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.  

We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation. 

Your information rights under General Data Protection Regulations (GDPR)/UK Data Protection Law: 

• The right to be informed – you have the right to know what information we hold about you, what we use it for and if the information is shared, who it will be shared with, which we do through this privacy notice and patient leaflets.
• The right of access - for details about how to access your personal data, please visit the medical records page >
• The right to rectification – this is your right to have your personal data rectified if it is inaccurate or incomplete. If you believe that the information recorded about you is incorrect, you will need to tell us so that we are able to contact the person who entered the information.  We will correct factual mistakes and provide you with a copy of the corrected information.   
• The right to erasure – this is also known as your ‘right to be forgotten’, where there is no compelling reason to continue processing your data in relation to the purpose for which it was originally collected or processed. 
• The Trust is required to retain your employment record in order to carry out activities and obligations as an employer and therefore cannot delete the record until it reaches the required DoHSC retention period.
• The right to restrict processing – this is your right to block or suppress the processing of your personal data. If you raise an issue that requires us to restrict processing, we will investigate your concerns. 
• The right to data portability – this is your right to obtain and re-use any information you have provided to us as part of an automated process.  At present we do not process any personal data that meets this requirement. 
• The right to object – this is your right to object the processing of your data because of your particular situation.  Because of our obligation as an employer it is extremely rare that we would stop processing your data whilst you are still employed by this Trust. If you believe you have compelling grounds for us to stop processing your data you should contact our Data Protection Officer.
• Rights in relation to automated decision making and profiling – GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. While the hospital may use automated systems to determine how well a patient is, it does not use automated decision making for the purpose of managing employment.

Code of Data Matching Practice

This organisation is required [by law] to protect the public funds it administers. It may share information provided to it with other bodies responsible for; auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

The Cabinet Office is responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed on the GOV.UK website (opens in new window) >

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 2018.

Data matching by the Cabinet Office is subject to a Code of Practice. Visit GOV.UK website for further information (opens in new window) >

View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information (opens in new window) >. For further information on data matching at this organisation please contact Daniel Mason on 07464 521746 or email daniel.mason15@nhs.net.

Retention of your data

We will retain your information in line with the Department of Health and Social Care Retention Schedule. If you have cause to complaint please contact the Human Resource Department. If you wish to discuss any other issues regarding your data the contact details are:

Information Governance
Level 3 M&G
Royal Derby Hospital
Uttoxeter Road
Derby
DE22 3NE

Email:  uhdb.dataprotectionofficer@nhs.net 

Telephone:  01332 788645 

If you are still unhappy with the outcome of your enquiry you can write to: 

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 01625 54570