GDPR – our privacy notice

The East and North Hertfordshire NHS Trust collects a lot of data and information about you, the patient, to ensure that you get the best care possible. This privacy notice explains how and why we collect information about you, what we do with it, and your rights under data protection law.

The General Data Protection Regulation 2018 (GDPR) governs how we take care of the information which we hold about you. The first principle of the Act is that your personal information must be processed fairly. We have an obligation to let you know how we will take care of the information about you and what we will use it for.

Why do we collect and use Patient information?
We need to keep records about your healthcare and treatment, and we may need to contact you to arrange appointments. This helps us to make sure that you receive the best possible care and support.

We collect and use your information under the following lawful bases:

  • where we have the consent of the data subject (this means you, the patient);
  • where it is necessary for compliance with a legal obligation;
  • where processing is necessary to protect the vital interests of the data subject or another person;
  • where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Where the personal data we collect about you is sensitive personal data, we will only process it where:

  • we have explicit consent;
  • processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; and/or
  • processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

The information that we collect, hold and share includes:

  • personal information (such as name, DOB, NHS number and address);
  • characteristics (such as ethnicity, language, medical conditions, nationality, country of birth);
  • information relating to child protection or safeguarding.

Collecting patient information
We will always ask you for your explicit consent to process personal data for any purpose other than direct healthcare, for example to participate in a research and development study.

When patients reach 13 years old they are deemed to be old enough to make their own decisions in relation to their own personal data. When relying on consent, we will make sure that the child understands what they are consenting to. However, the child’s data cannot be shared with a third party without the consent of a parent or guardian. Children may withdraw consent if consent has previously been given.

How long are health records retained?
All patient records are destroyed in accordance with the NHS Records Retention Schedule, which sets out the appropriate length of time each type of NHS record is retained.

The Trust does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.

Click here for more information about records management code of practice for health and social care

Who do we share patient information with?
We routinely share information with NHS health professionals directly involved with your care. We may share your personal information with other NHS organisations, or the Local Authority for health care purposes. This may include other NHS trusts, or other providers of NHS services including general practitioners (GPs), ambulance services, and primary care agencies.

We may need to share information from your health records with other non-NHS organisations, such as Social Services if you are also receiving care from them, to ensure that the services you receive are appropriate.

Similarly, we may need to share information from your health record for the purposes of evaluating the quality of care that we provide. However, we will not disclose any health information to third parties without your consent unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires it.

We may also be asked by other statutory bodies to share basic information about you, such as your name and address – but not sensitive information from your health records. When this happens it is normally because it will assist them to carry out their statutory duties.

These non-NHS organisations may include, but are not restricted to:

  • Social Services
  • Education services
  • Local authorities
  • The police
  • Voluntary sector providers
  • Private sector providers

All members of staff employed by these agencies are bound by the common law duty of confidentiality which means that information that you provide to us must be held in confidence and not shared with anyone else.

  • the Police and law enforcement agencies;
  • courts, if ordered to do so;
  • other trusts, for example if you need to be transferred to another hospital;
  • outside resources if required on discharge;
  • teaching and learning purposes, if we have your consent to share this information.

In the event that we share personal data with third parties, we will provide the minimum amount of personal data necessary to fulfill the purpose for which we are required to share the data.

We do not share information about anyone without consent unless the law allows us to do so.
You have the right to refuse/withdraw consent to information sharing at any time. Any possible consequences will be fully explained to you and could include delays in receiving care.

You also have the right to: 

  • object to processing of personal data that is likely to cause, or is causing, damage or distress;
  • prevent processing for the purpose of direct marketing;
  • object to decisions being taken by automated means;
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed.

If you have a concern about the way we are collecting or using your personal information, you should raise your concern with us in the first instance or directly with the Information Commissioner’s Office.

To learn more about how we use your information, please speak to the health professionals concerned with your care, or contact the Patient Advice and Liaison Service (PALS). If you require more detailed information, please contact the Data Protection Officer.