Information Governance

Your personal information is very important to you and to us at University Hospitals of Derby and Burton NHS Foundation Trust.  We recognise the importance of protecting personal and confidential information and are committed to ensuring that your privacy is protected.   

The way your information is collected, used and retained has changed substantially over recent years with the development of new technologies. The laws that govern the use of personal data have also changed to encompass these developments. The General Data Protection Regulation (GDPR) becomes law on 25 May 2018; at the same time, a new UK Data Protection Bill is going through Parliament to incorporate the GDPR fully into UK law, replacing the current Data Protection Act 1998.

Contact

Anne Woodhouse
Information Governance
Level 3 M&G
Royal Derby Hospital
Uttoxeter Road
Derby
DE22 3NE

Email Information Governance

Tel: 01332 788645

Privacy notice - general

University Hospitals of Derby and Burton NHS Foundation Trust recognises the importance of protecting personal and confidential information and is committed to ensuring that your privacy is protected. 

The law determines how organisations can use personal information.  This is covered within the General Data Protection Regulation (GDPR), UK Data Protection Law, the Human Rights Act, Common Law Duty of Confidentiality and other Health Service legislation. 

In accordance with NHS guidance, the Trust has in place a:

  • Caldicott Guardian: an executive director who is responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing. 
  • Senior Information Risk Owner: an executive director with overall responsibility for information risk within the Trust. 

The General Data Protection Regulation requires the Trust to appoint a Data Protection Officer to facilitate compliance with the data protection legislation/requirements, act as an intermediary between relevant stakeholders and be the first point of contact for supervisory authorities.

The Data Protection Officer for UHDB Trust is: 

Anne Woodhouse
Head of Information Governance & Data Protection Officer 
Email anne.woodhouse1@nhs.net

This privacy notice is intended to inform you about:

  • the type of information we hold and how we use and manage that information
  • how we ensure that the confidentiality of personal/sensitive information is maintained
  • how and why we may share information with other NHS organisations and non-NHS organisations  

Definition of personal and sensitive data: 

  • Personal data is information about an identifiable living person such as name, address, telephone number, date of birth, email address, online identifiers, and credit card/bank details.  This includes, but is not limited to, written correspondence, emails, photographs, audio recordings and video recordings.
  • Sensitive data is special categories of personal data, i.e. data concerning health, ethnic origin, race, political opinion, religious beliefs, biometric and genetic data. 

How we protect your data and ensure confidentiality of information is maintained

All NHS organisations and everyone who works for the NHS or in partnership with them have a legal duty to keep information confidential and take great care with the security of information and records. 

Staff have a legal responsibility to maintain confidentiality and security of all the personal information we hold and ensure compliance with the Data Protection Law, the Caldicott Principles, the NHS Code of Confidentiality and the Human Rights Act.

The Trust is the Data Controller for the data it holds.  All information and information systems within the Trust are stored on our secure network with appropriate security controls, which includes access controls, cyber security and assessments against all aspects of data security.  

Data Protection Impact Assessments (DPIAs) are completed for all new projects or changes to the way we process personal data to ensure that all potential risks have been considered and addressed appropriately.   These are signed off by the Senior Information Risk Owner and Caldicott Guardian before the project or change can continue.  Details of DPIAs completed can be obtained from the Trust’s Information Governance Team using the contact details below.

Training

Staff are trained to understand their responsibilities regarding the security and confidentiality of patient information and that access is on a strictly need-to-know basis. They must update this mandatory training on an annual basis.

Audit trails

Records are available to show who accessed what information. Routine and random audits take place to ensure that access is appropriate. Any inappropriate access identified will be dealt with through the Trust’s Disciplinary Process.

The Information Commissioner’s Office maintains a public register of organisations that process personal identifiable data.  
The Trust’s registration number is Z8575998.

CCTV

Security cameras are installed at various locations within this Trust to prevent and detect crime and for the protection of staff, visitors and patients and their property. Our security staff are also equipped with body-worn cameras, which are only activated if they need to record a violent or aggressive incident. Signage about CCTV is posted around the entrances and will be visible on all officers carrying body-worn cameras.

Retention of your data

We will retain your information in line with the Department of Health Retention Schedule. 

The NHS Health & Social Care retention schedule can be downloaded from http://digital.nhs.uk/binaries/content/assets/legacy/excel/o/o/rmcop-retention-schedules.xls

Contact us for further information:

Privacy notice - patients

The types of patient information the Trust holds and processes:

  • Person identifiable data: name, date of birth, NHS number
  • Contact details: address, telephone number, email address
  • Next of kin details
  • Details of referrals, clinic appointments and admissions
  • Details of health diagnosis and treatment plans
  • Details of investigations – scans, x-rays, pathology tests 

By providing the Trust with their contact details, patients are consenting to the Trust using these details as a means of communicating with them about their care, i.e. letter, text, voicemail or email communication.

The law requires us to identify a ‘lawful basis’ for processing your data. The lawful basis for the above processing is Article 6(1)(e) Public Task - the processing is necessary for us to perform a task in the public interest or for official functions, and, for special category data, Article 9(2)(h) - processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment. We also process:

  • Pseudonymised national Hospital Episode Statistics (HES) data obtained from NHS Digital about individuals from across the country. The lawful basis for processing HES data is Article 6(1)(e) - for the performance of a task carried out in the public interest or in the exercise of official authority, and, for special category data, Article 9(2)(g) - processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

In order to assist us with keeping accurate information about you, please tell us if your personal details change (address, telephone number, next of kin etc.) so that we can update your details. If you need to update your details, please inform the clinic or ward staff during your next visit.

Information is held for the purposes of providing appropriate care and treatment.  The Trust keeps records about your care and treatment provided in order to ensure that patients receive the best possible care.  Information provided in confidence will only be used for the purpose it was obtained or consented to by the patient. 

NHS organisations are expected to participate in and support health and care research. University Hospitals of Derby and Burton NHS Foundation Trust is a research-active trust and your information may be used to support this. Your information is used to:

  • Assess your health and make decisions about ongoing care and treatment.
  • Ensure that your care is safe and effective
  • Effectively work with other professionals who are providing your care. 

Your information may also be used to help us to:

  • Carry out clinical audit
  • Make sure our services meet patient’s needs in the future
  • Obtain feedback about your experience, through our Friends & Family questionnaire, in order to make changes and improve services
  • Investigate concerns, complaints, claims or untoward incidents
  • Provide statistics on NHS performance and activity
  • Train and educate our staff (you have the right to choose whether or not to be involved personally)
  • Receive payment for the care we provide
  • Conduct health research and development - for more information about research please visit the Health Research Authority website

Your information may be shared with a range of organisations or individuals depending on your circumstances:

  • GPs, other NHS health and social care staff, or private sector providers for the purpose of providing direct care. These teams may include healthcare professionals (doctors, nurses, pharmacists, physiotherapists, and occupational therapists), administrative support staff, pathology staff and radiology staff.  This enables relevant discussions as ‘a team’ for the benefit of the patient’s care, across care settings.
  • Department of Health for the purposes of planning, managing and auditing healthcare services
  • National generic registries, i.e. UK Association of Cancer Registries

The Health and Social Care (Safety and Quality) Act 2015 sets out a duty for information to be shared where it facilitates care for an individual and it is legal to do so. Confidential information is shared with other health professionals who are involved in the direct care of a patient.

You may receive care from other organisations.  We may need to share your information with social services, education services, local authorities, voluntary sector providers (with your consent) in order to help with the management/support of your care and work together for your benefit.  We will only pass on information if there is a genuine need.  

There may be times when we need to share your information without your consent when required to do so by law, for example:

  • with organisations that have statutory investigative powers, such as the Care Quality Commission, GMC or Health Service Ombudsman
  • when there is a risk of harm to you or others
  • where we believe the reasons for sharing are so important that they override our obligation to confidentiality (for example, to support the investigation of a serious crime)
  • where we have been instructed to do so by a court
  • where we are legally required to do so in order to control infectious diseases.

Where patient information is shared with non-NHS organisations or for reasons other than direct care, an information sharing agreement will be drawn up to ensure that information is shared in a way that complies with all relevant legislation.

Our guiding principle is that we are holding your information in strict confidence. 

Your information rights under General Data Protection Regulations (GDPR)/UK Data Protection Law 

You have the right to confidentiality under Data Protection Law, the Human Rights Act 1998 and the Common Law Duty of Confidentiality.

  • The right to be informed – you have the right to know what information we hold about you, what we use it for and if the information is shared, who it will be shared with, which we do through this privacy notice and patient leaflets
  • The right of access – for details about how to access your personal health data
  • The right to rectification – this is your right to have your personal data rectified if it is inaccurate or incomplete. If you believe that the information recorded about you is incorrect, you will need to tell us so that we are able to contact the person who entered the information.  We will correct factual mistakes and provide you with a copy of the corrected information

If you are not happy with an opinion or comment that has been recorded, we will add your own comments to the record so they can be viewed alongside any information you believe to be incorrect.

  • The right to erasure – this is also known as your ‘right to be forgotten’, where there is no compelling reason to continue processing your data in relation to the purpose for which it was originally collected or processed.

Your health record is retained in accordance with NHS national guidance, and because of our legal obligation to keep health records, it is extremely rare that we destroy or delete records earlier than the recommended retention period.  However, if you believe you have compelling grounds for having all or part of your record erased you should contact our Data Protection Officer.

The clinician in charge of your care and our Caldicott Guardian will decide whether we can safely accommodate your request. If you are unhappy with our decision you may wish to register a complaint to the Information Commissioner.

  • The right to restrict processing – this is your right to block or suppress the processing of your personal data. If you raise an issue relating to your health record that requires us to restrict processing, we will investigate your concerns. Please note it will not be possible to restrict processing while you are receiving care and treatment at the hospital. 
  • The right to data portability – this is your right to obtain and re-use any information you have provided to us as part of an automated process.  At present we do not process any personal data that meets this requirement.
  • The right to object – this is your right to object to the hospital processing your health data because of your particular situation.  Because of our obligation to keep health records it is extremely rare that we would stop processing your data if you wish to continue to be treated by the hospital. If you believe you have compelling grounds for the hospital to stop processing your data you should contact our Data Protection Officer.

The clinician in charge of your care and our Caldicott Guardian will decide whether we can safely accommodate your request. If you are unhappy with our decision you may wish to register a complaint to the Information Commissioner.

  • Rights in relation to automated decision making and profiling – GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. While the hospital may use systems to determine how well a patient is, it does not replace our staff’s clinical judgements when making decisions about your care.

Retention of your data:

We will retain your information in line with the Department of Health Retention Schedule. If you wish to discuss any other issues regarding your data or have cause for complaint the contact details are:

Anne Woodhouse
Information Governance
Level 3 M&G
Royal Derby Hospital
Uttoxeter Road
Derby
DE22 3NE

Email: anne.woodhouse1@nhs.net

Telephone: 01332 788 645

If you are still unhappy with the outcome of your enquiry, you can write to: 

The Information Commissioner 
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Telephone: 01625 545 700

Privacy notice - employment records

During the course of its employment activities, University Hospitals of Derby and Burton NHS Foundation Trust collects, stores and processes personal information about prospective, current and former staff.

This privacy notice includes applicants, employees (and former employees), workers (including agency, casual, honorary and contracted staff), volunteers, trainees and those carrying out work experience. 

We recognise the need to treat our staff’s personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.

What types of personal/sensitive data we hold 

In order to carry out our activities and obligations as an employer we handle data in relation to: 

  • Personal demographics (including gender, race, ethnicity, sexual orientation, religion) 
  • Contact details such as names, addresses, telephone numbers and emergency contact(s)
  • Employment records (including professional membership, references and proof of eligibility to work in the UK and security checks) 
  • Bank details 
  • Pension details 
  • Medical information including physical health or mental health conditions (occupational health information)
  • Information relating to health and safety 
  • Trade union membership 
  • Offences (including alleged offences), criminal proceedings, outcomes and sentences 
  • Employment Tribunal applications, complaints, accidents, and incident details

Our staff are trained to handle your information correctly and protect your confidentiality and privacy.  We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing.  Your information is never collected or sold for direct marketing purposes. 

Purpose of processing data:

  • Staff administration and management (including payroll and performance) 
  • Pensions administration 
  • Business management and planning 
  • Accounting and Auditing 
  • Accounts and records 
  • Crime prevention and prosecution of offenders 
  • Education 
  • Health administration and services 
  • Sharing and matching of personal information for national fraud initiative 

We have a legal basis to process this as part of your contract of employment (whether permanent, temporary or other working arrangements) or as part of our recruitment processes, following data protection and employment legislation.

Sharing your information

There are a number of reasons why we share information. This can be due to: 

  • Our obligations to comply with legislation
  • Our duty to comply with any Court Orders which may be imposed

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.

Use of Third Party Companies 

To enable effective staff administration University Hospitals of Derby and Burton NHS Foundation Trust may share your information with external companies to process your data on our behalf in order to comply with our obligations as an employer.

Employee Records: Contracts Administration (NHS Business Services Authority) 

The information which you provide during the course of your employment (including the recruitment process) will be shared with the NHS Business Services Authority for maintaining your employment records, held on the national NHS Electronic Staff Record (ESR) system.

NHS Streamlining

Details may be transferred from this Trust to other NHS Trusts to support the safe, efficient and effective transfer of staff information when a member of the workforce transfers from one NHS Organisation to another NHS Organisation.  The personal data that is shared includes: name, address, date of birth, national insurance number, completed training and registration details.

Prevention and Detection of Crime and Fraud

We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.  

We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation. 

Your information rights under General Data Protection Regulations (GDPR)/UK Data Protection Law: 

  • The right to be informed – you have the right to know what information we hold about you, what we use it for and if the information is shared, who it will be shared with, which we do through this privacy notice and patient leaflets.
  • The right of access – for details about how to access your personal data, please click here
  • The right to rectification – this is your right to have your personal data rectified if it is inaccurate or incomplete. If you believe that the information recorded about you is incorrect, you will need to tell us so that we are able to contact the person who entered the information.  We will correct factual mistakes and provide you with a copy of the corrected information.   
  • The right to erasure – this is also known as your ‘right to be forgotten’, where there is no compelling reason to continue processing your data in relation to the purpose for which it was originally collected or processed. The Trust is required to retain your employment record in order to carry out activities and obligations as an employer and therefore cannot delete the record until it reaches the required DoHSC retention period.
  • The right to restrict processing – this is your right to block or suppress the processing of your personal data. If you raise an issue that requires us to restrict processing, we will investigate your concerns. 
  • The right to data portability – this is your right to obtain and re-use any information you have provided to us as part of an automated process.  At present we do not process any personal data that meets this requirement. 
  • The right to object – this is your right to object to the processing of your data because of your particular situation. Because of our obligation as an employer it is extremely rare that we would stop processing your data whilst you are still employed by this Trust. If you believe you have compelling grounds for us to stop processing your data you should contact our Data Protection Officer.
  • Rights in relation to automated decision making and profiling – GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. While the hospital may use automated systems to determine how well a patient is, it does not use automated decision making for the purpose of managing employment.

Retention of your data

We will retain your information in line with the Department of Health and Social Care Retention Schedule. If you have cause for complaint, please contact the Human Resources Department. If you wish to discuss any other issues regarding your data, the contact details are:

Anne Woodhouse
Information Governance
Level 3 M&G
Royal Derby Hospital
Uttoxeter Road
Derby
DE22 3NE

Email: anne.woodhouse1@nhs.net 

Telephone: 01332 788645 

If you are still unhappy with the outcome of your enquiry you can write to: 

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 01625 545700