
Your personal information is very important to you and to us at University Hospitals of Derby and Burton NHS Foundation Trust. We recognise the importance of protecting personal and confidential information and are committed to ensuring that your privacy is protected.
The way your information is collected, used and retained has changed substantially over recent years with the development of new technologies. The laws that govern the use of personal data have also changed to encompass these developments. The General Data Protection Regulation (GDPR) became law on the 25 May 2018, and at the same time the new UK Data Protection Bill was introduced, which replaced the previous Data Protection Act of 1998.
For non-urgent enquiries, please email uhdb.dataprotectionofficer@nhs.net
For urgent enquiries, please contact a member of the Information Governance team (see below) on the mobile number provided.
Head of Information Governance / Data Protection Officer
Telephone: 07500 052642
Information Governance Coordinator
Telephone: 07384 914130
Postal address
Information Governance
Level 3 M&G
Royal Derby Hospital
Uttoxeter Road
Derby
DE22 3NE
For Subject Access Requests, please email uhdb.subjectaccess@nhs.net
This notice describes how we may use your information to protect you and others during the COVID-19 outbreak. It has been produced to supplement our current privacy notices which can be found lower on this page.
This notice has been significantly updated in 2022 after a change to the law. The Covid-19 and Coronavirus Testing privacy notices were first written when the emergency response began in 2020.
Organisations that existed in 2020 have also changed. NHSX merged with NHS England and Improvement and NHS Digital. Public Health England is now the UK Health Security Agency.
Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health.
A notice about the national Covid19 testing program can be found here: access GOV.UK website for Coronavirus (COVID-19) testing privacy information (opens in new window) >
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency was used during the first two years of Covid19. These were withdrawn on 30 June 2022. You can read more about them here: access GOV.UK website for Coronavirus (COVID-19): notification to organisations to share information (opens in new window) >
The continuing use of personal or confidential data about Covid19 rests on other lawful bases.
We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.
If you require to see archived versions of the Covid-19 privacy notice, please contact uhdb.dataprotectionofficer@nhs.net.
University Hospitals of Derby and Burton NHS Foundation Trust recognises the importance of protecting personal and confidential information and is committed to ensuring that your privacy is protected.
The law determines how organisations can use personal information. This is covered within the General Data Protection Regulation (GDPR), UK Data Protection Law, the Human Rights Act, Common Law Duty of Confidentiality and other Health Service legislation.
In accordance with NHS guidance, the Trust has in place a:
The General Data Protection Regulation requires the Trust to appoint a Data Protection Officer to facilitate compliance with the data protection legislation/requirements, act as an intermediary between relevant stakeholders and be the first point of contact for supervisory authorities.
The Data Protection Officer for UHDB can be contacted: uhdb.dataprotectionofficer@nhs.net
All NHS organisations and everyone who works for the NHS or in partnership with them have a legal duty to keep information confidential and take great care with the security of information and records.
Staff have a legal responsibility to maintain confidentiality and security of all the personal information we hold and ensure compliance with the Data Protection Law, the Caldicott Principles, the NHS Code of Confidentiality and the Human Rights Act.
The Trust is the Data Controller for the data it holds. All information and information systems within the Trust are stored on our secure network with appropriate security controls, which includes access controls, cyber security and assessments against all aspects of data security.
Data Protection Impact Assessments (DPIAs) are completed for all new projects or changes to the way we process personal data to ensure that all potential risks have been considered and addressed appropriately. These are signed off by the Senior Information Risk Owner and Caldicott Guardian before the project or change can continue. Details of DPIAs completed can be obtained from the Trust’s Information Governance Team using the contact details below.
Training
Staff are trained to understand their responsibilities regarding the security and confidentiality of patient information and that access is on a strictly need to know basis.They must update this mandatory training on an annual basis.
Audit trails
Records are available to show who accessed what information. Routine/random audits take place to ensure access in appropriate. Any inappropriate access identified will be dealt with through the Trusts’ Disciplinary Process.
The Information Commissioner’s Office maintains a public register of organisations that process personal identifiable data.
The Trust’s registration number is Z8575998.
Security cameras are installed at various locations within this Trust to prevent and detect crime and for the protection of staff, visitors and patients and their property. Our security staff are also equipped with body worn cameras which are only activated if they need to record a violent or aggressive incident. Signage about CCTV is posted around the entrances and will be visible on all officers carrying body worn cameras.
We will retain your information in line with the Department of Health Retention Schedule. Read more about the Information Governance Alliance (IGA) (opens in new window) >
UHDB is compliant with the National Data Opt-out Policy. To find out more about the National Data Opt-out, please visit the NHS Digital website (opens in new window) >
The Trust holds a range of information about each patient including:
By providing the Trust with contact details, patients are consenting to the Trust using these details as a means of communicating about care, i.e. letter, text, voice-mail or email communication.
To help us keep accurate information about you please tell us if your personal details change so that we can update them. If you need to update your details, please inform the clinic or ward staff during your next visit, or contact your consultant’s secretary.
We also process pseudonymised national Hospital Episode Statistics (HES) data obtained from NHS Digital about individuals from across the country.
We also have duties under common law, Information provided in confidence will therefore only be used for the purpose it was obtained or consented to by the patient.
Information is held to provide appropriate care and treatment, whether privately funded or NHS funded. Our staff, including doctors, nurses, and other healthcare professionals, use your information to:
NHS organisations are expected to participate and support health and care research. University Hospitals of Derby & Burton is research active, and your information may be used to support this. Please visit our Research webpages for more information (opens in new window) >
Data protection law requires us to have a ‘lawful basis’ for using people’s data.
The lawful basis for processing patient data is UK GDPR Article 6.1(e) Public Task - processing is necessary for us to perform a task in the public interest or for official functions. For private patients we also use Article 6.1(b) Necessary for the performance of a contract. For processing special category data the condition is Article 9.2(h) - processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment.
The lawful basis for processing HES data is Article 6.1(e) for the performance of a task carried out in the public interest and special category data Article 9.2(g) processing is necessary for reasons of substantial public interest.
For statistics and research data the lawful basis is Article 9.2(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes in accordance with Article 89(1) and DPA Schedule 1 part 1(4).
Read more about patient information and health and care research (opens in new window) >
Your information may be shared with other organisations or individuals depending on your circumstances:
Health law sets out a duty for information to be shared where it facilitates care for an individual and it is legal to do so. Confidential information is shared with other health professionals who are involved in the direct care of a patient. You may receive care from other organisations. We may need to share your information with social services, education services, local authorities, voluntary sector providers (with your consent) to help with the management/support of your care and work together for your benefit. We will only pass on information if there is a genuine need.
Organisations providing care are increasingly working together to ensure patients receive the most appropriate treatment at the earliest opportunity. This is particularly important following the coronavirus pandemic where waiting lists are high, and patients may be able to be seen more quickly in a different organisation. To support this, we may share your information with, or receive information from, another organisation to determine if you can receive treatment more quickly. If quicker or more appropriate treatment is possible then you will be contacted with further information on the options available to you. Please be assured that this information is being shared for direct care purposes only and all organisations will treat your information confidentially.
The Trust is also a member of the East Midlands Radiology Consortium (EMRAD) which aims to deliver timely and expert radiology services to patients across the East Midlands, regardless of where they are being treated.
Visit the East Midlands Imaging Network (known as EMRAD) website (opens in new window) >
To support the sharing of information to provide you with the best treatment, different regions have Shared Care Records. This means details about your needs, and how you receive care, will be shared with partner organisations involved in your care. Performance information is depersonalised and shared with our commissioners (those who pay for the care you receive) for the purpose of capacity management. This information sharing is in addition to information sharing required to support the provision of safe care, and is about managing the resources of health and social care colleagues, to work better together. The approach is to enable connection of teams across traditional organisational boundaries, and enable the delivery of part of the NHS Long Term plan: access NHS website for NHS Long Term plan (opens in new window) >
Depending on where you live and receive care, the Trust shares with the Staffordshire or Derbyshire shared care record. More information about Derbyshire can be found here: Access Joined Up Care Derbyshire website (opens in new window) >. More information about Staffordshire can be found here: Access Staffordshire ICS Website (opens in new window) >
Shared Care Records are designed to share information between professionals quickly to improve the quality and efficiency of your care. By withdrawing, you understand that you will not benefit from these improvements. You can also change your mind at any time about whether you wish to share your record. If you wish to opt out of the automatic sharing of your health record from this Trust to Shared Care Records:
For purposes beyond your care, you can ‘opt out’ from sharing. The Trust is compliant with the National Data Opt-out Policy. To find out more about the National Data Opt-out, please visit the NHS Digital website (opens in new window) >
There may be times when we need to share your information without your consent and regardless of your National Data Opt-out status when required to do so by law, i.e.
Our Trust uses patient information in various formats. Some information is used in printed form, for example identity labels, drug charts, pathology test order forms. Other information is used electronically, for example on smartphones, tablet computers, laptops, or special devices like scanners.
The Trust uses computerised processing of electronic patient data. Processed information can be shared with clinical stakeholders, subject to our Information Governance Policy and controls. This processing is limited to:
a) Improving clinical and personal records to ensure the information held is accurate
b) Ensuring the data held reflects the reason for attendance, admission, or employment
c) Maintaining up to date records for information relevant to an individual’s personal, clinical and employment guidelines and circumstances in practice at that time
d) Secure data mining and where required, cleansing for research and statistical purposes to improve data quality, and is actioned for mutual benefit for the individual and the Trust
We will retain your information for at least as long as required by the NHS Records Retention Schedule. In general health records must be stored for 8 years, but for some types of information the period is shorter or longer than this.
Storage space on Trust sites is limited so paper records are sent to offsite secure archiving facilities.
You have the legal right to confidentiality and a range of other rights under the Data Protection Act 2018.
If you wish to discuss any other issues regarding your data wish to make a complaint please contact our Data Protection Officer via:
If you are still unhappy with the outcome of your enquiry you can write to: The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF - Telephone: 01625 545700
Here we explain what information we have about you and what we use it for.
We will use your address and telephone number to contact you or your family about your care.
We keep information until patients are at least 26 years old. We might keep the information for longer than this if we still need it to care for you. The Department for Health sets rules about how long we keep information for.
We need a complete picture of you to make sure you get the best care for you. Your information is only used by people caring for you.
Your information is used by doctors and nurses to:
Each time you come to see us we record information about that visit – things you tell us, things we tell you, any tests or medication. This allows us to look back and see what we have done for you to make sure you are getting the best treatment.
We also use information to:
We will write to your Family Doctor to let them know about your health and what we are doing for you. We will provide your family member with a copy of these letters. We will share it with other people involved in your care who need to know. We might share it with your school if we think it is important for them to know.
Sometimes we have to share information about a patient because the law tells us to. For example, when someone might be harmed, when a judge in a court tells us to, or if there is a special law about a disease.
If you have questions about how we use your information, you are unhappy, or you think your information may be incorrect you can talk to your doctor. You can also contact the Data Protection Officer:
If you are still unhappy about how we use your information you can write to:
The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 01625 545 700
During the course of its employment activities, University Hospitals of Derby and Burton NHS Foundation Trust collects, stores and processes personal information about prospective, current and former staff.
This privacy notice includes applicants, employees (and former employees), workers (including agency, casual, honorary and contracted staff), volunteers, trainees and those carrying out work experience.
We recognise the need to treat our staff personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.
In order to carry out our activities and obligations as an employer we handle data in relation to:
Our staff are trained to handle your information correctly and protect your confidentiality and privacy. We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected or sold for direct marketing purposes.
We have a legal basis to process this as part of your contract of employment (either permanent, temporary or working arrangements) or as part of our recruitment processes following data protection and employment legislation.
There are a number of reasons why we share information. This can be due to:
Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.
To enable effective staff administration University Hospitals of Derby and Burton NHS Foundation Trust may share your information with external companies to process your data on our behalf in order to comply with our obligations as an employer.
The information which you provide during the course of your employment (including the recruitment process) will be shared with the NHS Business Services Authority for maintaining your employment records, held on the national NHS Electronic Staff Record (ESR) system.
Details may be transferred from this Trust to other NHS Trusts to support the safe, efficient and effective transfer of staff information when a member of the workforce transfers from one NHS Organisation to another NHS Organisation. The personal data that is shared includes: name, address, date of birth, national insurance number, completed training and registration details.
We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.
We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation.
Your information rights under General Data Protection Regulations (GDPR)/UK Data Protection Law:
Code of Data Matching Practice
This organisation is required [by law] to protect the public funds it administers. It may share information provided to it with other bodies responsible for; auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.
The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed on the GOV.UK website (opens in new window) >
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 2018.
Data matching by the Cabinet Office is subject to a Code of Practice. Visit GOV.UK website for further information (opens in new window) >
View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information (opens in new window) >. For further information on data matching at this organisation please contact Daniel Mason on 07464 521746 or email daniel.mason15@nhs.net.
We will retain your information in line with the Department of Health and Social Care Retention Schedule. If you have cause to complaint please contact the Human Resource Department. If you wish to discuss any other issues regarding your data the contact details are:
Information Governance
Level 3 M&G
Royal Derby Hospital
Uttoxeter Road
Derby
DE22 3NE
Email: uhdb.dataprotectionofficer@nhs.net
Telephone: 01332 788645
If you are still unhappy with the outcome of your enquiry you can write to:
The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 01625 54570