This page summarises who we are, what information we hold about you, what we will do with the information we hold including who we may share it with and how long we will keep the information for. This page also explains what rights you have to control how we use your information.
Every time you see a doctor or go to hospital, they must keep a record of the care that you receive. Your records include information about your health, appointments, treatment and test results. This information may be stored on paper or electronically and may include x-rays, photos and image slides (MRI and CT information). For a summary of this information please view our Patient Information Privacy Notice or Children’s Privacy Notice.
The information we may keep could include personal data and special category data:
Personal data means any information relating to an identified or identifiable individual; an identifiable person is one who can be identified directly or indirectly.
Identifiers include ID numbers, location data, physical, psychological, genetic, mental factors, this may include (but is not limited to):
- Date of Birth
- Next of Kin Contact Details
- Carer Contact Details (if applicable)
- National Insurance Number
- Photographs, digital images etc.
- NHS Number
- Hospital Number
- Date of Death
- Passport Number
- Online Identifiers and location data (such as MAC, IP addresses and mobile device ID’s)
Definition of Special Categories data
Categories of information are classified as special categories of personal data and require additional safeguards ‘formerly sensitive data’ when sharing or disclosing this information in line with guidance and legislation. This includes (but is not limited to):
- Concerning health, sex life or sexual orientation.
- Racial or ethnic origins.
- Trade union membership.
- Political opinions.
- Religious or philosophical beliefs.
- Genetic / Biometric data.
We need information about you so that we can provide care services to you when you come into contact with us. Information about you is used to help deliver care services to you and which may include sharing with external organisations so that the care services are integrated.
Information will also be used to contribute to the management of healthcare systems, which means we may need to use your information to ensure the hospital is paid for the services it provides or is held accountable for the quality of the services provided.
Whilst we receive information from you when you come into contact with us, we also receive information about you from other individuals or organisations, such as when you are referred for treatment. We need enough information to be able to provide you with appropriate healthcare services.
The hospital may need to process your personal data or special category data in order to:
- Provide healthcare related services to you
- Review the standards of care that we provide to make sure they are safe and effective
- Teach or train healthcare professionals
- Carry out audit, research and service evaluation
- Manage complaints, concerns, legal claims and incident management
- Make sure the hospital is paid for the services that it provides (particularly cross-border services)
Where we do this we will process your personal data because it is necessary for the performance of a task carried out in the public interest. Where we process your special category data we will do so because it is necessary for the purposes of preventative medicine, medical diagnosis, the provision of healthcare or treatment or the management of healthcare systems.
We have an obligation to protect the health of the general public and where we do this we will process your personal data for the performance of a task carried out in the public interest. Where we process your special category data we will do so because it is necessary for reasons of public interest in the area of public health.
As a healthcare provider, there may be occasions where we need to process personal and/or special category data because someone is at risk of serious harm and, where we do this, we will process the information to protect that person’s vital interests.
There may be occasions when we will be obliged to process your information in order to comply with a court order, coroner’s instruction, to prevent or detect crime or to comply with the law. Where we will do this we will process your personal and/or special category data to comply with a legal obligation to which the Trust is subject.
If we process your information for other purposes that are not described above then we will seek your consent to do so before we process it.
Our Trust is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
You may also be receiving care from other organisations as well as the NHS so we may need to share your information with them, for example with:
- Other healthcare professionals e.g. doctors, nurses, ambulance service
- Partner organisations who contribute to your long term care e.g. GPs, social services, private sector providers
- Carers or guardians with carer or parental responsibilities
- Disclosure to NHS Managers and the Department of Health for the purposes of planning, commissioning services, managing and auditing healthcare services
- Disclosure to bodies with statutory investigative powers such as the Care Quality Commission (CQC), the General Medical Council (GMC), the Audit Commission or the Health Service Ombudsman
- Government departments such as the Department of Health or the Home Office
- Disclosure to Solicitors, to the police, to the courts (including the Coroner’s court, and to tribunals and enquiries.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit the NHS website. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
- Health Research Authority (which covers health and care research);
- Understanding Patient Data (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is currently working towards being compliant with the national data opt-out policy by 30th September 2020 in line with NHS Digital guidance.
Information about patients’ coronavirus (COVID-19) status and other confidential patient information (in relation to your health record) may be shared with other partners involved in your care and treatment, along with:
- NHS England
- Public Health England
- the Department of Health
- other government departments where it’s legally required, or where it’s necessary for the protection of public health or management of the outbreak
The lawful basis is GDPR Article 6(1)(c), compliance with a legal obligation, or Article 6(1)(e), that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (the provision of statutory health care services).
The exemptions in GDPR Article 9(1)(g) and 9(2)(h) will be applied, that processing is necessary for matters of substantial public interest or for the management of health care systems.
The conditions in paragraphs 2 (management of health care systems), 3 (public health) and 6 (statutory and government purposes) of schedule 1 of the Data Protection Act 2018 are engaged.
For further information on this please refer to the Information Commissioners Office
Unless subject to an exemption, individuals (patients, other service users and all staff and other employee groups) have the following rights with respect to their personal data:
- The right to be informed – Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. This can be done by using a privacy notice.
- The right of access – Individuals (data subjects) have a right to request access or copies of their records in line with the Data Protection Act by making a ‘Subject Access Request’ e.g. copies of ‘personnel files’. Staff should familiarise themselves with the Trusts Subject Access Request procedures, also the Trust’s ‘Access to Health Records’ procedure which should be followed for requests for data relating to their ‘healthcare and treatment’. Subject access requests must be completed within 30 days and provided free of charge (unless a request is “manifestly unfounded or excessive”).
- The right to rectification – The right to request that the Trust corrects any data if it is found to be inaccurate or out of date;
- The right to erasure – The right to request their personal data is erased where it is no longer necessary for the Trust to retain such information;
- The right to restrict processing – The right, where there is a dispute in relation to the accuracy or processing of their personal data, to request a restriction is placed on further processing;
- The right to data portability – The right to request that the Trust provides them with their personal information and where possible, to transmit that data directly to another data controller, where their information has been processed with their consent. Only applies to information provided by the data subject, where processed on a basis of consent or where necessary for performance of a contract; and carried out by automated means. The ‘Data Portability’ does not apply to the majority of ‘paper’ files.
- The right to object – The right to object to the processing of their data
- The right to withdraw their consent to the processing at any time if they have previously given consent for processing;
- Rights in relation to automated decision making and profiling – The GDPR applies to all automated individual decision-making and profiling. The Trust can only carry out this type of decision-making where the decision is:
- necessary for the entry into or performance of a contract; or
- authorised by Union or Member state law applicable to the controller; or
- based on the individual’s explicit consent.
Data subjects also have the right to lodge a complaint with the Information Commissioner’s Office. For further information about individual’s rights this can be found in the Information Commissioners Office.
The NHS has a comprehensive set of guidelines, which govern the length of time that we may keep your records for, which are called NHS Retention Schedules – available in the Records Management NHS Code of Practice. The Shrewsbury and Telford Hospital NHS Trust will comply with the NHS Retention Schedules.
There may be occasions where the Trust will be obliged to vary from the NHS Retention Schedules, for example, in response to a Court Order or other equivalent legal requirement.
Information about the NHS Retention Schedules may be found via the NHS Digital website.
This situation will be assessed on a case by case basis. Currently, parents or legal guardians have the right to have access to their child’s records, if the child is under 16. A child, under 16, has the right to ask us not to give their parent or guardian access to their records.
For more information please view our Children’s Privacy Notice.
We take our duty to protect your personal information and confidentiality seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.
The Trust has a Senior Information Risk Owner (SIRO), a Caldicott Guardian, Information Governance Manager and a Data Protection Officer who between them are responsible for the management of patient information, patient confidentiality and information security. We have access control systems in place to allow only those that have a legitimate reason to access your personal and health information and systems and processes to verify who has accessed your records.
Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect information, and inform you of how your information will be used. Everyone working for the NHS is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purpose advised or consented to by the service user, unless it is required or permitted by the law.
All Trust staff are required to complete annual mandatory Data Security and Data Protection training and comply with the Trust’s Data Protection, General Data Protection Regulation and Confidentiality policy.
We are always seeking to improve treatments and carry out research to find the most effective ways of achieving this. You may be asked if you would be willing to take part in research projects, but you do not have to agree if you do not want to.
Research that involves patients, or their personal information, requires their explicit written informed consent. Before you are asked for your consent, you will be given a patient information sheet telling you exactly what information will be collected and who will have access to it. This type of research must also be approved by a number of relevant regulatory authorities; for instance the research Ethics Service.
A small number of research projects are undertaken that involve a past review of patient information. If you can be identified, this will only be done with your permission. Otherwise, the information shared with researchers will not include personal details so that patients cannot be identified in any way.
The Shrewsbury and Telford Hospital NHS Trust do not routinely transfer information outside the European Economic Area but if there is a need to do so we will ensure that the security and protections that are put in place are of the equivalent standards to those standards that we would use internally when processing your information.
- Let us know when you change your name or address or your contact details e.g. telephone numbers / mobile number
- Keep a note of your unique NHS number (this is also available from your GP)
- Tell us if any information in your record is incorrect
- Give your consent so that we can share information about you to make sure you receive the right healthcare
- Let us know if you change your mind about how we share the information in your record.
- Tell us if your next of kin / nearest relative changes
- Tell us if you no longer wish to share your information with a named family member
If we wish to use your personal information for a new purpose, not covered by this Privacy Notice, then we will provide you with a new notice explaining the new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we ensure there is a legal basis/justification for such processing.
Where the Shrewsbury and Telford Hospital NHS Trust wish to use your information that is for any reason not in line with administering the business of the Shrewsbury and Telford Hospital NHS Trust or complying with a legal obligation then we will seek your consent to do so.
The Trust is registered with the Information Commissioner’s Office (Registration Number Z8157295)
Our name, address and contact details are:
The Shrewsbury and Telford Hospital NHS Trust
Mytton Oak Road
Tel: 01743 261000
Data Protection Officer: email@example.com
Tel: 01952 641222 Ext 5312
The Information Commissioner’s Office
Cheshire SK9 5AF
Helpline: 08456 30 60 60
Patient Advice and liaison Service (PALS) & Complaints/Access to Records
Royal Shrewsbury Hospital: 01743 261 000 Extension: 1691
Princess Royal Hospital: 01952 641222 Extension: 4382
Legal Services Department/Access to Records
Princess Royal Hospital: 01952 641222 Extension: 4586
Information Governance Office
Princess Royal Hospital: 01952 641222 Extension: 4735
The Information Commissioner’s Office
Cheshire SK9 5AF
Helpline: 08456 30 60 60