Privacy Notice for patients: data protection and confidentiality
View a copy of our easy read notice.
What is a Privacy notice?
In the NHS we aim to provide you with the highest quality health care.
To do this we must keep records about you, your health and the care we have provided or plan to provide to you.
This Privacy Notice tells you about the information we collect and hold about you, what we do with it, how we will look after it and who we might share it with. It also explains the choices you can make about the way in which your information is used and how you can opt-out of any sharing arrangements that may be in place.
Why we collect information about you
Your doctor and other health professionals caring for you, such as nurses, health visitors and physiotherapists, keep records about your health and treatment so that they are able to provide you with the best possible care.
These records may be stored in paper form or electronically.
Your health record may include:
- basic details about you, such as your address, date of birth, and next of kin
- contact we have had with you, such as clinical visits
- notes and reports about your health
- details and records about your treatment and care
- results of x-rays, laboratory tests etc.
Your health care record is used to ensure that:
- health care professionals looking after you have accurate and up-to-date information about you to help them decide on any care you may require
- full information is available should you see another doctor or be referred to a specialist or another part of the NHS
- there is a good basis for assessing the type and quality of care you have received. This will lead to better care both for you and for other patients in the future.
- your concerns can be properly investigated if you need to complain.
How your records are used to help the NHS
- paying your GP or hospital for the care you have received
- the audit of NHS accounts, Service Evaluation and Clinical Audit of the quality of services provided
- reporting and investigating complaints, claims and untoward incidents
- planning services to ensure we meet the needs of our population in the future
- preparing statistics on our performance for the Department of Health.
- reviewing our care to make sure that it is of the highest standard
- teaching and training health care professionals
- conducting health research and development – please see ‘Research’ below
Records will be kept in line with the Department of Health Records Management Code of Practice which determines the minimum length of time that records should be kept for.
SMS messages may be used by services for purposes directly relating to a patient’s care, for example:
- To send appointment confirmations and reminders
- For the sending of links to documents for completion by the patient (e.g. using SystmOne Communications Annexe)
- For sending links to websites for further information about the service or patient self-care
- For sending the ‘Friends and Family’ SMS messages to receive feedback on the service received
If you do not want to receive SMS messages then please let the service know and they will ensure your record is updated accordingly.
How we use your information – legal aspects
Under the General Data Protection Regulation (GDPR), all organisations must ensure they have a clear legal basis for processing information.
When your information is used for your care and administrative purposes related to your care, we rely on Article 6(1)e and Article 9(2)h of the GDPR.
For Research, in most instances we will rely on Article 6(1)e and Article 9(2)j of the GDPR if and when we use your information for research. If you have formally consented to take part in research, this will satisfy the common law duty of confidentiality. Where it has been impracticable to obtain your consent we will seek approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.
For Secondary (indirect care) purposes, when there is a legal requirement that we provide specified data, to NHS Digital for example, we rely on Article 6(1)c of the GDPR. In cases where the common law duty of confidentiality cannot be satisfied through consent we seek approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.
Your information rights
- You have the right to know how we will use your personal information;
- You have the right to see your health record – see the section on Requesting a Copy of your Records below.
- You have the right to object to us making use of your information other than for your care;
- You can ask us to change or restrict the way we use your information and we have to agree if possible;
- You have the right to ask for the information we hold about you to be corrected or erased if it is incorrect.
If you object to how we are using your information, or wish us to restrict, erase or correct it, please first discuss this with the staff providing your care. You can also contact our Information Governance team at email@example.com.
How we keep your information secure
Whenever information is used for your care, it will be handled in the strictest confidence. Derbyshire Community Health Services (DCHS) will:
- only use the minimum amount of information necessary for the purpose. Where possible, we will use information that does not identify you.
- ensure that anyone receiving information about you is under an obligation to keep it confidential and to only use the information for the specified purpose
- have secure systems in place to help prevent unauthorised access to patient information held on its computers
- have audit trails available on electronic systems to ensure we can identify who has accessed your record
We are committed to protecting your privacy and will only process personal confidential data in accordance with the General Data Protection Regulation (GDPR), UK Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998.
DCHS is a Data Controller under the terms of the General Data Protection Regulation (GDPR). We are legally responsible for ensuring that all personal confidential data about you that we collect and use (i.e. hold, obtain, record, use or share) is handled in compliance with the Data Protection Principles.
Our Data Protection Officer is Hannah Fletcher, who can be contacted at firstname.lastname@example.org.
DCHS is registered as a data controller with the Information Commissioner’s Office (ICO). Our ICO Data Protection Register number is Z2576474 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.
Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.
Sharing your information
If you receive care from other organisations, such as Social Care or voluntary healthcare providers, there may be a need to share information about you so that everyone involved in your care can work together for your benefit. Information about you will only be used or passed on to others involved in your care.
DCHS works in partnership with a number of NHS and Non-NHS organisations across Derbyshire to deliver joined up integrated services to users. DCHS is part of the Derbyshire Partnership Forum and is signed up to their overarching Information Sharing Protocol which is available on their website.
To ensure you receive safe and effective care, information about your health and treatment will be shared with other organisations caring for you. Information will only be shared for the purpose of direct care and will only be viewed by individuals who are directly involved in your care. In order to support the sharing of information to provide you with the best treatment, Derbyshire Health and Social Care organisations, including DCHS, have developed the Derbyshire Shared Care Record. More information can be found here: https://joinedupcarederbyshire.co.uk/about/our-work/derbyshire-shared-care-records.
Organisations providing care are increasingly working together to ensure patients receive the most appropriate treatment at the earliest opportunity. In order to support this, we may share your information with, or receive information from, another organisation in order to determine if you can receive treatment more quickly. Please be assured that this information is being shared for direct care purposes only and all organisations will treat your information confidentially.
If you do not want your health record to be shared with other services involved in your care, please ensure you inform the service(s) caring for you. You can choose to exclude parts of your record from being shared, or you can opt out of sharing your record altogether. You can also change your mind at any time about whether you wish to share your record.
If you ask us not to share information about you with another person or organisation we will respect your wishes unless there are exceptional circumstances. Not sharing information may mean that we have to alter the level of care we provide to you but this will be explained. The final decision will normally rest with you.
There are exceptional circumstances where information about you will be shared, even if you do not give us permission to do so. These are where information is shared for legal reasons or in the public interest. Circumstances where information may be shared without your permission include:
- Where it is required by law, for example the notification of births, deaths and some infectious diseases;
- Where a court order has been issued requesting the information;
- Where there is a serious risk of harm to you or other individuals;
- Where a child is believed to be at risk of harm (Children Act 1989);
- Where information is required for the prevention, detection or prosecution of a serious crime;
- Where information you have supplied to us is about a serious crime that has been committed, such as murder, manslaughter, rape, treason or kidnapping (Police and Criminal Evidence Act 1984);
- Where information you have supplied to us is about suspected terrorism (Anti-terrorism, Crime and Security Act 2001 and Terrorism Act 2000);
- Where the disclosure is necessary in any legal proceedings.
Sexual Health and HIV Information Collection
DCHS provides sexual health and HIV services. Information on the confidentiality of these services can be found at yoursexualhealthmatters.org.uk.
The UK Health Security Agency (UKHSA) is responsible for protecting the nation from infectious diseases and other threats to public health. The UKHSA’s responsibilities include collecting information on sexually transmitted infections (STIs) and human immunodeficiency virus (HIV) from all sexual health and HIV clinics and laboratories. The UKHSA collects information from DCHS sexual health and HIV clinics. The information collected is in a de-personalised form, which means it does not include any information that could be used to identify you. For example, your name and contact details are not shared with UKHSA. You can find out more about this in the ‘Sexual health and HIV: privacy notice’ on GOV.UK (www.gov.uk).
Use of patient data to improve NHS Services
DCHS, like all NHS organisations, uses information about your care in order to review the quality of care. This enables us to be sure that standards are being met and helps us to improve the quality of care that we provide. This activity is carried out by clinical teams and may also involve Service Evaluation and Clinical Audit / other non-clinical Trust staff who are experts in data collection. The Trust oversees all of this activity through its authorisation processes. Our Caldicott Guardian is responsible for keeping the confidentiality of patient information safe. No patients can ever be identified in any subsequent reporting of results, unless we have previously asked for and obtained your permission.
If you do not want your records or data to be used for Service Evaluation and Clinical Audit, please inform the service(s) caring for you.
All NHS organisations are expected to participate in and support health and care research. The Health Research Authority sets standards for NHS organisations to make sure they protect your privacy and comply with the law when they are involved in research.
DCHS has a research innovation group dedicated to ensuring we apply the strictest governance around your information in relation to research.
Wherever possible, DCHS will use information that does not identify individuals. Where identifiable information is required, DCHS will always gain your consent before using your information for research purposes. A member of your care team may review your care records to determine if you are suitable to take part in a research study, before contacting you for your consent to take part in the research.
Further information for patients on health research can be found at: https://www.hra.nhs.uk/information-about-patients/
Further information on Data Protection in relation to research can be found from the Health Research Authority at: https://www.hra.nhs.uk/about-us/news-updates/gdpr-guidance-researchers/
National Data Opt Out
DCHS is compliant with the national data opt-out policy.
Requesting a copy of your records
You have the right to ask for a copy of all records about you under the General Data Protection Regulation:
- DCHS will provide a copy of the information free of charge. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
- DCHS may also charge a reasonable fee to comply with requests for further copies of the same information.
- We must comply with your request within one month of receipt. However, we may extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform you within one month of the receipt of the request and explain why the extension is necessary.
To request a copy of your records please contact:
Access to Records Team
Corporate Governance Officer
Contacting us if you have a complaint or concern
We try to meet the highest standards when collecting and using personal information. We encourage people to bring concerns to our attention and we take any complaints we receive very seriously. You can submit a complaint through the Trust’s Complaints Procedure, which is available on our web site, or you can write to:
Patient Experience Team
Alfreton Primary Care Centre
Or contact them at: DCHST.PatientExperienceTeam@nhs.net
Copies of DCHS Policies, Procedures, Data Protection Impact Assessments and other relevant documents can be requested by contacting us at email@example.com
If you remain dissatisfied with the Trust’s decision following your complaint, you may wish to contact:
Information Commissioner’s Office
Their web site is at www.ico.gov.uk. The Information Commissioner will not normally consider an appeal until you have exhausted your rights of redress and complaint to the Trust.