This page summarises who we are, what information we hold about you, what we will do with the information we hold including who we may share it with and how long we will keep the information for. This page also explains what rights you have to control how we use your information.
Every time you see a doctor or go to hospital, they must keep a record of the care that you receive. Your records include information about your health, appointments, treatment and test results. This information may be stored on paper or electronically and may include x-rays, photos and image slides (MRI and CT information). For a summary of this information please view our Patient Information Privacy Notice or Children’s Privacy Notice.
The information we may keep could include personal data and special category data:
Personal data means any information relating to an identified or identifiable individual; an identifiable person is one who can be identified directly or indirectly.
Identifiers include ID numbers, location data, physical, psychological, genetic, mental factors, this may include (but is not limited to):
- Date of Birth
- Next of Kin Contact Details
- Carer Contact Details (if applicable)
- National Insurance Number
- Photographs, digital images etc.
- NHS Number
- Hospital Number
- Date of Death
- Passport Number
- Online Identifiers and location data (such as MAC, IP addresses and mobile device ID’s)
Definition of Special Categories data
Categories of information are classified as special categories of personal data and require additional safeguards ‘formerly sensitive data’ when sharing or disclosing this information in line with guidance and legislation. This includes (but is not limited to):
- Concerning health, sex life or sexual orientation.
- Racial or ethnic origins.
- Trade union membership.
- Political opinions.
- Religious or philosophical beliefs.
- Genetic / Biometric data.
We need information about you so that we can provide care services to you when you come into contact with us. Information about you is used to help deliver care services to you and which may include sharing with external organisations so that the care services are integrated.
Information will also be used to contribute to the management of healthcare systems, which means we may need to use your information to ensure the hospital is paid for the services it provides or is held accountable for the quality of the services provided.
Whilst we receive information from you when you come into contact with us, we also receive information about you from other individuals or organisations, such as when you are referred for treatment. We need enough information to be able to provide you with appropriate healthcare services.
The hospital may need to process your personal data or special category data in order to:
- Provide healthcare related services to you
- Review the standards of care that we provide to make sure they are safe and effective
- Teach or train healthcare professionals
- Carry out audit, research and service evaluation
- Manage complaints, concerns, legal claims and incident management
- Make sure the hospital is paid for the services that it provides (particularly cross-border services)
Where we do this we will process your personal data because it is necessary for the performance of a task carried out in the public interest. Where we process your special category data we will do so because it is necessary for the purposes of preventative medicine, medical diagnosis, the provision of healthcare or treatment or the management of healthcare systems.
We have an obligation to protect the health of the general public and where we do this we will process your personal data for the performance of a task carried out in the public interest. Where we process your special category data we will do so because it is necessary for reasons of public interest in the area of public health.
As a healthcare provider, there may be occasions where we need to process personal and/or special category data because someone is at risk of serious harm and, where we do this, we will process the information to protect that person’s vital interests.
There may be occasions when we will be obliged to process your information in order to comply with a court order, coroner’s instruction, to prevent or detect crime or to comply with the law. Where we will do this we will process your personal and/or special category data to comply with a legal obligation to which the Trust is subject.
If we process your information for other purposes that are not described above then we will seek your consent to do so before we process it.
In limited circumstances we have a legal duty to provide information without seeking your consent. These are:
- Notification of a birth;
- Reporting gunshot wounds to the police;
- Reporting a wound or injury from an attack with a knife, blade or other sharp instrument (non-accidental);
- When a court order instructs us to do so;
- When a serious crime has been committed;
- If there is a serious risk to the public or NHS staff;
- To protect children or vulnerable adults who are unable to decide whether their information should be shared;
- When it is required by the law, e.g. Under the Children’s Act 2004; Criminal Justice Act 1987, etc.
Under the law, your doctor may have to give information to certain organisations, e.g.
- The 1984 Public Health (Control of Disease) Act and the 1988 Public Health (Infectious Diseases) Regulations require doctors to pass on information to prevent the outbreak of certain diseases.
- If you have an infectious disease which might endanger the safety of others (e.g. meningitis or measles, but NOT HIV / AIDS) your doctor must tell the relevant organisations.
Some non-NHS services need information to support research and follow trends in diseases. This helps:
- Healthcare organisations to plan ahead and provide the right services in the right places and to the right people.
- Progress to be made in diagnosing and managing diseases.
- Drugs to be made more effective, for example by identifying and reducing side effects
You may be receiving care from other people as well as the NHS so we need to share your information with them, for example with:
- Other healthcare professionals e.g. doctors, nurses, ambulance service
- Partner organisations who contribute to your long term care e.g. GPs, social services, private sector providers
- Carers or guardians with carer or parental responsibilities
- Disclosure to NHS Managers and the Department of Health for the
purposes of planning, commissioning services, managing and auditing
- Disclosure to bodies with statutory investigative powers such as the Care Quality Commission (CQC), the General Medical Council (GMC), the Audit
Commission or the Health Service Ombudsman
- Government departments such as the Department of Health or the Home Office
- Disclosure to Solicitors, to the police, to the courts (including the Coroner’s court, and to tribunals and enquiries.
We will not share your information for marketing, social media or for insurance purposes unless we have your consent to do so.
Unless subject to an exemption, individuals (patients, other service users and all staff and other employee groups) have the following rights with respect to their personal data:
- The right to be informed – Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. This can be done by using a privacy notice.
- The right of access – Individuals (data subjects) have a right to request access or copies of their records in line with the Data Protection Act by making a ‘Subject Access Request’ e.g. copies of ‘personnel files’. Staff should familiarise themselves with the Trusts Subject Access Request procedures, also the Trust’s ‘Access to Health Records’ procedure which should be followed for requests for data relating to their ‘healthcare and treatment’. Subject access requests must be completed within 30 days and provided free of charge (unless a request is “manifestly unfounded or excessive”).
- The right to rectification – The right to request that the Trust corrects any data if it is found to be inaccurate or out of date;
- The right to erasure – The right to request their personal data is erased where it is no longer necessary for the Trust to retain such information;
- The right to restrict processing – The right, where there is a dispute in relation to the accuracy or processing of their personal data, to request a restriction is placed on further processing;
- The right to data portability – The right to request that the Trust provides them with their personal information and where possible, to transmit that data directly to another data controller, where their information has been processed with their consent. Only applies to information provided by the data subject, where processed on a basis of consent or where necessary for performance of a contract; and carried out by automated means. The ‘Data Portability’ does not apply to the majority of ‘paper’ files.
- The right to object – The right to object to the processing of their data
- The right to withdraw their consent to the processing at any time if they have previously given consent for processing;
- Rights in relation to automated decision making and profiling – The GDPR applies to all automated individual decision-making and profiling. The Trust can only carry out this type of decision-making where the decision is:
- necessary for the entry into or performance of a contract; or
- authorised by Union or Member state law applicable to the controller; or
- based on the individual’s explicit consent.
Data subjects also have the right to lodge a complaint with the Information Commissioner’s Office. For further information about individual’s rights this can be found in the Information Commissioners Office.
The NHS has a comprehensive set of guidelines, which govern the length of time that we may keep your records for, which are called NHS Retention Schedules – available in the Records Management NHS Code of Practice. The Shrewsbury and Telford Hospital NHS Trust will comply with the NHS Retention Schedules.
There may be occasions where the Trust will be obliged to vary from the NHS Retention Schedules, for example, in response to a Court Order or other equivalent legal requirement.
Information about the NHS Retention Schedules may be found via the NHS Digital website.
This situation will be assessed on a case by case basis. Currently, parents or legal guardians have the right to have access to their child’s records, if the child is under 16. A child, under 16, has the right to ask us not to give their parent or guardian access to their records.
For more information please view our Children’s Privacy Notice.
We take our duty to protect your personal information and confidentiality seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.
The Trust has a Senior Information Risk Owner (SIRO), a Caldicott Guardian, Information Governance Manager and a Data Protection Officer who between them are responsible for the management of patient information, patient confidentiality and information security. We have access control systems in place to allow only those that have a legitimate reason to access your personal and health information and systems and processes to verify who has accessed your records.
Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect information, and inform you of how your information will be used. Everyone working for the NHS is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purpose advised or consented to by the service user, unless it is required or permitted by the law.
All Trust staff are required to complete annual mandatory Data Security and Data Protection training and comply with the Trust’s Data Protection, General Data Protection Regulation and Confidentiality policy.
We are always seeking to improve treatments and carry out research to find the most effective ways of achieving this. You may be asked if you would be willing to take part in research projects, but you do not have to agree if you do not want to.
Research that involves patients, or their personal information, requires their explicit written informed consent. Before you are asked for your consent, you will be given a patient information sheet telling you exactly what information will be collected and who will have access to it. This type of research must also be approved by a number of relevant regulatory authorities; for instance the research Ethics Service.
A small number of research projects are undertaken that involve a past review of patient information. If you can be identified, this will only be done with your permission. Otherwise, the information shared with researchers will not include personal details so that patients cannot be identified in any way.
The Shrewsbury and Telford Hospital NHS Trust do not routinely transfer information outside the European Economic Area but if there is a need to do so we will ensure that the security and protections that are put in place are of the equivalent standards to those standards that we would use internally when processing your information.
- Let us know when you change your name or address or your contact details e.g. telephone numbers / mobile number
- Keep a note of your unique NHS number (this is also available from your GP)
- Tell us if any information in your record is incorrect
- Give your consent so that we can share information about you to make sure you receive the right healthcare
- Let us know if you change your mind about how we share the information in your record.
- Tell us if your next of kin / nearest relative changes
- Tell us if you no longer wish to share your information with a named family member
If we wish to use your personal information for a new purpose, not covered by this Privacy Notice, then we will provide you with a new notice explaining the new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we ensure there is a legal basis/justification for such processing.
Where the Shrewsbury and Telford Hospital NHS Trust wish to use your information that is for any reason not in line with administering the business of the Shrewsbury and Telford Hospital NHS Trust or complying with a legal obligation then we will seek your consent to do so.
The Trust is registered with the Information Commissioner’s Office (Registration Number Z8157295)
Our name, address and contact details are:
The Shrewsbury and Telford Hospital NHS Trust
Mytton Oak Road
Tel: 01743 261000
Data Protection Officer: firstname.lastname@example.org
Tel: 01952 641222 Ext 5312
The Information Commissioner’s Office
Cheshire SK9 5AF
Helpline: 08456 30 60 60
Patient Advice and liaison Service (PALS) & Complaints/Access to Records
Royal Shrewsbury Hospital: 01743 261 000 Extension: 1691
Princess Royal Hospital: 01952 641222 Extension: 4382
Legal Services Department/Access to Records
Princess Royal Hospital: 01952 641222 Extension: 4586
Information Governance Office
Princess Royal Hospital: 01952 641222 Extension: 4735
The Information Commissioner’s Office
Cheshire SK9 5AF
Helpline: 08456 30 60 60