Coronavirus guidance

If you think you may have symptoms of Coronavirus, follow the national guidance and self-isolate for seven days. We have introduced a number of measures and changes to help delay the spread of the virus and maintain essential health services for those that will continue to need them during these unprecedented times. If you, or a member of your family has tested positive for Coronavirus, please find resources to aid your/their recovery on our Coronavirus - Supporting your recovery page.

Information Governance

The Trust has processes in place to ensure that the content displayed on its websites and publications does not risk the safety of patients or the public.

Your personal information is very important to you and to us at University Hospitals of Derby and Burton NHS Foundation Trust.  We recognise the importance of protecting personal and confidential information and are committed to ensuring that your privacy is protected.   

The way your information is collected, used and retained has changed substantially over recent years with the development of new technologies. The laws that govern the use of personal data have also changed to encompass these developments. The General Data Protection Regulation (GDPR) became law on 25 May 2018. At the same time, a new UK Data Protection Bill is going through Parliament to incorporate the GDPR fully into UK law; it will replace the current Data Protection Act 1998.

Contact

Anne Woodhouse
Information Governance
Level 3 M&G
Royal Derby Hospital
Uttoxeter Road
Derby
DE22 3NE

Email Information Governance

Tel: 01332 788645

Privacy notice - COVID-19

Date of issue: 8 April 2020

NHSX continues to work closely with the National Data Guardian (NDG) and Information Commissioner's Office (ICO) to ensure a high level of transparency for patients/service users during this emergency period.

This privacy notice has been produced to supplement our current privacy notices to cover COVID-19.

This notice describes how we may use your information to protect you and others during the COVID-19 outbreak. It supplements our main Privacy Notice, which is available at http://www.uhdb.nhs.uk/information-governance

The health and social care system is facing significant pressures due to the COVID-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital; NHS England and Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available here and some FAQs on this law are available here.

During this period of emergency, opt-outs will not generally apply to the data used to support the COVID-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws, your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the COVID-19 response can be found here.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves.

All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

In such circumstances where you tell us you’re experiencing COVID-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

Privacy notice - general

University Hospitals of Derby and Burton NHS Foundation Trust recognises the importance of protecting personal and confidential information and is committed to ensuring that your privacy is protected. 

The law determines how organisations can use personal information.  This is covered within the General Data Protection Regulation (GDPR), UK Data Protection Law, the Human Rights Act, Common Law Duty of Confidentiality and other Health Service legislation. 

In accordance with NHS guidance, the Trust has in place a:

  • Caldicott Guardian: an executive director who is responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing. 
  • Senior Information Risk Owner: an executive director with overall responsibility for information risk within the Trust. 

The General Data Protection Regulation requires the Trust to appoint a Data Protection Officer to facilitate compliance with the data protection legislation/requirements, act as an intermediary between relevant stakeholders and be the first point of contact for supervisory authorities.

The Data Protection Officer for UHDB Trust is: 

Anne Woodhouse
Head of Information Governance & Data Protection Officer 
Email uhdb.dataprotectionofficer@nhs.net 

This privacy notice is intended to inform you about:

  • the type of information we hold and how we use and manage that information
  • how we ensure that the confidentiality of personal/sensitive information is maintained
  • how and why we may share information with other NHS organisations and non-NHS organisations  

Definition of personal and sensitive data: 

  • Personal data is information about an identifiable living person such as name, address, telephone number, date of birth, email address, online identifiers, and credit card/bank details.  This includes, but is not limited to, written correspondence, emails, photographs, audio recordings and video recordings.
  • Sensitive data is special categories of personal data, i.e. data concerning health, ethnic origin, race, political opinion, religious beliefs, biometric and genetic data. 

How we protect your data and ensure confidentiality of information is maintained

All NHS organisations and everyone who works for the NHS or in partnership with them have a legal duty to keep information confidential and take great care with the security of information and records. 

Staff have a legal responsibility to maintain confidentiality and security of all the personal information we hold and ensure compliance with the Data Protection Law, the Caldicott Principles, the NHS Code of Confidentiality and the Human Rights Act.

The Trust is the Data Controller for the data it holds.  All information and information systems within the Trust are stored on our secure network with appropriate security controls, which includes access controls, cyber security and assessments against all aspects of data security.  

Data Protection Impact Assessments (DPIAs) are completed for all new projects or changes to the way we process personal data to ensure that all potential risks have been considered and addressed appropriately.   These are signed off by the Senior Information Risk Owner and Caldicott Guardian before the project or change can continue.  Details of DPIAs completed can be obtained from the Trust’s Information Governance Team using the contact details below.

Training

Staff are trained to understand their responsibilities regarding the security and confidentiality of patient information and that access is on a strictly need-to-know basis. They must update this mandatory training on an annual basis.

Audit trails

Records are available to show who accessed what information. Routine/random audits take place to ensure access is appropriate. Any inappropriate access identified will be dealt with through the Trust’s Disciplinary Process.

The Information Commissioner’s Office maintains a public register of organisations that process personal identifiable data.  
The Trust’s registration number is Z8575998.

CCTV

Security cameras are installed at various locations within this Trust to prevent and detect crime and for the protection of staff, visitors and patients and their property.  Our security staff are also equipped with body worn cameras which are only activated if they need to record a violent or aggressive incident.  Signage about CCTV is posted around the entrances and will be visible on all officers carrying body worn cameras.

Retention of your data

We will retain your information in line with the Department of Health Retention Schedule. 

The NHS Health & Social Care retention schedule can be downloaded from http://digital.nhs.uk/binaries/content/assets/legacy/excel/o/o/rmcop-retention-schedules.xls

Contact us for further information:

Privacy notice - patients (adults)

The type of patient information the Trust holds and processes

  • Person identifiable data – name, date of birth, NHS number
  • Contact details – address, telephone number, email address

By providing the Trust with their contact details, patients are consenting to the Trust using these details as a means of communicating with them about their care, i.e. letter, text, voice-mail or email communication.

  • Next of kin details
  • Details of referrals, clinic appointments and admissions
  • Details of health diagnosis and treatment plans
  • Details of investigations – scans, x-rays, pathology tests

The law requires us to identify a ‘lawful basis’ for processing your data.  The lawful basis for the above processing is Article (e) Public Task - the processing is necessary for us to perform a task in the public interest or for official functions, and special category data Article 9(h) - processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment. 

We also process:

  • Pseudonymised national Hospital Episode Statistics (HES) data obtained from NHS Digital about individuals from across the country.  The lawful basis for processing HES data is article 6 (1)e – for the performance of a task carried out in the public interest or in the exercise of official authority and special category data Article 9(2)g - processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

In order to assist us with keeping accurate information about you, please tell us if your personal details change – address, telephone number, next of kin etc. – so that we can update your details. If you need to update your details please inform the clinic or ward staff during your next visit.

Information is held for the purposes of providing appropriate care and treatment.  The Trust keeps records about your care and treatment provided in order to ensure that patients receive the best possible care.  Information provided in confidence will only be used for the purpose it was obtained or consented to by the patient.

NHS organisations are expected to participate and support health and care research.  University Hospitals of Derby & Burton is a research active trust and your information may be used to support this.  Please visit our Research pages on our internet site for more information.

Your records are used by doctors, nurses and other healthcare professionals to:

  • Assess your health and make decisions about ongoing care and treatment.
  • Ensure that your care is safe and effective
  • Effectively work with other professionals who are providing your care.

Your information may also be used to help us to:

  • Carry out clinical audit
  • Make sure our services meet patients’ needs in the future
  • To obtain feedback about your experience, through our Friends & Family questionnaire, in order to make changes/improve services
  • Investigate concerns, complaints, claims or untoward incidents
  • Provide statistics on NHS performance and activity
  • Train and educate our staff (you have the right to choose whether or not to be involved personally)
  • Receive payment for the care we provide
  • Conduct health research and development – Article 9 (j): processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member state law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

For more information about research please visit the Health Research Authority website

Your information may be shared with a range of organisations or individuals depending on your circumstances:

  • GPs, other NHS health & social care staff or private sector providers for the purpose of providing direct care. These teams may include healthcare professionals (doctors, nurses, pharmacists, physiotherapists, and occupational therapists), administrative support staff, pathology staff and radiology staff.  This enables relevant discussions as ‘a team’ for the benefit of the patient’s care, across care settings.
  • Department of Health for the purposes of planning, managing and auditing healthcare services
  • National generic registries, i.e. UK Association of Cancer Registries

The Health and Social Care (Safety and Quality) Act 2015 sets out a duty for information to be shared where it facilitates care for an individual and it is legal to do so.  Confidential information is shared with other health professionals who are involved in the direct care of a patient.

You may receive care from other organisations.  We may need to share your information with social services, education services, local authorities, voluntary sector providers (with your consent) in order to help with the management/support of your care and work together for your benefit.  We will only pass on information if there is a genuine need. 

There may be times when we need to share your information without your consent when required to do so by law. For example:

  • organisations with statutory investigative powers, such as Care Quality Commission, GMC, Health Service Ombudsman
  • when there is a risk of harm to you or others
  • where we believe the reasons for sharing are so important that they override our obligation to confidentiality (for example, to support the investigation of a serious crime)
  • where we have been instructed to do so by a court
  • where we are legally required to do so in order to control infectious diseases

Where patient information is shared with non-NHS organisations or for reasons other than direct care, an information sharing agreement will be drawn up to ensure that information is shared in a way that complies with all relevant legislation.

Our guiding principle is that we are holding your information in strict confidence.


Your information rights under General Data Protection Regulations (GDPR)/UK Data Protection Law

You have the right to confidentiality under Data Protection Law, the Human Rights Act 1998 and the Common Law Duty of Confidentiality.

  • The right to be informed – you have the right to know what information we hold about you, what we use it for and if the information is shared, who it will be shared with, which we do through this privacy notice and patient leaflets.
  • The right of access – for details about how to access your personal health data, please click here
  • The right to rectification – this is your right to have your personal data rectified if it is inaccurate or incomplete. If you believe that the information recorded about you is incorrect, you will need to tell us so that we are able to contact the person who entered the information.  We will correct factual mistakes and provide you with a copy of the corrected information.   

If you are not happy with an opinion or comment that has been recorded, we will add your own comments to the record so they can be viewed alongside any information you believe to be incorrect.

  • The right to erasure – this is also known as your ‘right to be forgotten’, where there is no compelling reason to continue processing your data in relation to the purpose for which it was originally collected or processed.

Your health record is retained in accordance with NHS national guidance, and because of our legal obligation to keep health records, it is extremely rare that we destroy or delete records earlier than the recommended retention period.  However, if you believe you have compelling grounds for having all or part of your record erased you should contact our Data Protection Officer.

The clinician in charge of your care and our Caldicott Guardian will decide whether we can safely accommodate your request. If you are unhappy with our decision you may wish to register a complaint to the Information Commissioner.

  • The right to restrict processing – this is your right to block or suppress the processing of your personal data. If you raise an issue relating to your health record that requires us to restrict processing, we will investigate your concerns. Please note it will not be possible to restrict processing while you are receiving care and treatment at the hospital. 
  • The right to data portability – this is your right to obtain and re-use any information you have provided to us as part of an automated process.  At present we do not process any personal data that meets this requirement.
  • The right to object – this is your right to object to the hospital processing your health data because of your particular situation.  Because of our obligation to keep health records it is extremely rare that we would stop processing your data if you wish to continue to be treated by the hospital. If you believe you have compelling grounds for the hospital to stop processing your data you should contact our Data Protection Officer.

The clinician in charge of your care and our Caldicott Guardian will decide whether we can safely accommodate your request. If you are unhappy with our decision you may wish to register a complaint to the Information Commissioner.

  • Rights in relation to automated decision making and profiling – GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. While the hospital may use systems to determine how well a patient is, it does not replace our staff’s clinical judgements when making decisions about your care.


Retention of your data

We will retain your information in line with the Department of Health Retention Schedule.

If you wish to discuss any other issues regarding your data or have cause for complaint the contact details are:

If you are still unhappy with the outcome of your enquiry you can write to: 

The Information Commissioner 
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 01625 545 700

Privacy notice - patients (children and young adults)

This privacy notice explains what personal information we collect about you, what we use it for, who we would share it with and the reasons why.

What information we hold about you

  • Identity details – name, date of birth, NHS number
  • Contact details – address, telephone number, email address
  • Next of kin details
  • Details of any visits to our hospitals – A&E visits, clinic appointments, in-patient stays
  • Details of health diagnosis and treatment plans
  • Details of any tests and their results – scans, x-rays, blood tests
  • Details about people involved in your care

By providing us with your contact details, you are agreeing for us to use these ways to communicate with you about your care.

Why do we keep information about you

It is important for us to have a complete picture of you to make sure you get the right care and treatment to meet your needs.  Your information is updated, managed and accessed only by the staff involved in your care.

Each time you come to see us we will record information about that visit – things you tell us, things we tell you, any tests or medication.  This allows us to look back at what we have done for you to make sure you are getting the best treatment.  We record information electronically and on paper.  This information together is called your Health Record.  Anyone involved in your care can see what has been collected; this way we can all make the right decisions about your care.  You have the right to access the information we hold on you.

What we use your information for

Your records are used by doctors, nurses and other healthcare professionals to:

  • Assess your health
  • Make decisions about what care and treatment you need
  • Work with other health professionals involved in your care
  • Book your appointments and also send out reminders to your parents/carers

Your information may also be used to help us to:

  • Make sure our services meet patients’ needs in the future
  • To obtain feedback about your experience, through our Friends & Family questionnaire, in order to make changes/improve services
  • Investigate concerns and complaints

Who we share your information with

We will share the information we record about you with your Family Doctor in order to keep them up to date on what we are doing for you.  We will provide your parents/guardians with a copy of the letters sent to your doctor about your care.  We will share it with other health professionals involved in your care.  We might share it with your school if we think it is important for them to know.  We will only pass on information if there is a genuine need.

There may be times when we need to share your information without your consent when required to do so by law, i.e. when there is a risk of harm to you or others, where we have been instructed to do so by a court, where we are legally required to do so in order to control infectious diseases.

How long we keep your personal information for

We keep your information in line with the Department of Health Retention requirements. All hospitals must keep the information until the child’s 26th birthday.  After this we will destroy the information if it is not required for your ongoing care.

Contact details

If you are unhappy with the way we use your information or think some of the information may be incorrect please discuss this with the doctor involved in your care, or contact the Trust Data Protection Officer:

If you are still unhappy with the outcome of your enquiry you can write to:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 01625 545 700

Privacy notice - employment records

During the course of its employment activities, University Hospitals of Derby and Burton NHS Foundation Trust collects, stores and processes personal information about prospective, current and former staff.

This privacy notice includes applicants, employees (and former employees), workers (including agency, casual, honorary and contracted staff), volunteers, trainees and those carrying out work experience. 

We recognise the need to treat our staff’s personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.

What types of personal/sensitive data we hold 

In order to carry out our activities and obligations as an employer we handle data in relation to: 

  • Personal demographics (including gender, race, ethnicity, sexual orientation, religion) 
  • Contact details such as names, addresses, telephone numbers and Emergency contact(s) 
  • Employment records (including professional membership, references and proof of eligibility to work in the UK and security checks) 
  • Bank details 
  • Pension details 
  • Medical information including physical health or mental health conditions (occupational health information)
  • Information relating to health and safety 
  • Trade union membership 
  • Offences (including alleged offences), criminal proceedings, outcomes and sentences 
  • Employment Tribunal applications, complaints, accidents, and incident details

Our staff are trained to handle your information correctly and protect your confidentiality and privacy.  We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing.  Your information is never collected or sold for direct marketing purposes. 

Purpose of processing data:

  • Staff administration and management (including payroll and performance) 
  • Pensions administration 
  • Business management and planning 
  • Accounting and Auditing 
  • Accounts and records 
  • Crime prevention and prosecution of offenders 
  • Education 
  • Health administration and services 
  • Sharing and matching of personal information for national fraud initiative 

We have a legal basis to process this as part of your contract of employment (either permanent, temporary or working arrangements) or as part of our recruitment processes following data protection and employment legislation. 

Sharing your information

There are a number of reasons why we share information. This can be due to: 

  • Our obligations to comply with legislation
  • Our duty to comply with any Court Orders which may be imposed

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.

Use of Third Party Companies 

To enable effective staff administration University Hospitals of Derby and Burton NHS Foundation Trust may share your information with external companies to process your data on our behalf in order to comply with our obligations as an employer.

Employee Records: Contracts Administration (NHS Business Services Authority) 

The information which you provide during the course of your employment (including the recruitment process) will be shared with the NHS Business Services Authority for maintaining your employment records, held on the national NHS Electronic Staff Record (ESR) system.

NHS Streamlining

Details may be transferred from this Trust to other NHS Trusts to support the safe, efficient and effective transfer of staff information when a member of the workforce transfers from one NHS Organisation to another NHS Organisation.  The personal data that is shared includes: name, address, date of birth, national insurance number, completed training and registration details.

Prevention and Detection of Crime and Fraud

We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.  

We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation. 

Your information rights under General Data Protection Regulations (GDPR)/UK Data Protection Law: 

  • The right to be informed – you have the right to know what information we hold about you, what we use it for and if the information is shared, who it will be shared with, which we do through this privacy notice and patient leaflets.
  • The right of access – for details about how to access your personal data, please click here
  • The right to rectification – this is your right to have your personal data rectified if it is inaccurate or incomplete. If you believe that the information recorded about you is incorrect, you will need to tell us so that we are able to contact the person who entered the information.  We will correct factual mistakes and provide you with a copy of the corrected information.   
  • The right to erasure – this is also known as your ‘right to be forgotten’, where there is no compelling reason to continue processing your data in relation to the purpose for which it was originally collected or processed. 
  • The Trust is required to retain your employment record in order to carry out activities and obligations as an employer and therefore cannot delete the record until it reaches the required DoHSC retention period.
  • The right to restrict processing – this is your right to block or suppress the processing of your personal data. If you raise an issue that requires us to restrict processing, we will investigate your concerns. 
  • The right to data portability – this is your right to obtain and re-use any information you have provided to us as part of an automated process.  At present we do not process any personal data that meets this requirement. 
  • The right to object – this is your right to object to the processing of your data because of your particular situation.  Because of our obligation as an employer it is extremely rare that we would stop processing your data whilst you are still employed by this Trust. If you believe you have compelling grounds for us to stop processing your data you should contact our Data Protection Officer.
  • Rights in relation to automated decision making and profiling – GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. While the hospital may use automated systems to determine how well a patient is, it does not use automated decision making for the purpose of managing employment.

Retention of your data

We will retain your information in line with the Department of Health and Social Care Retention Schedule. If you have cause for complaint please contact the Human Resource Department. If you wish to discuss any other issues regarding your data the contact details are:

Anne Woodhouse
Information Governance
Level 3 M&G
Royal Derby Hospital
Uttoxeter Road
Derby
DE22 3NE

Email: uhdb.dataprotectionofficer@nhs.net 

Telephone: 01332 788645 

If you are still unhappy with the outcome of your enquiry you can write to: 

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 01625 545700