East and North Hertfordshire NHS Trust collects a lot of data and information about you, the patient, to ensure that you get the best care possible. This privacy notice explains how and why we collect information about you what we do with it and your rights under data protection law.
The Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulations (GDPR, Regulation (EU) 2016/679) governs how we take care of your information which we hold about you. The first principle of the Act is that your personal information must be processed fairly. We have an obligation to let you know how we will take care of the information about you and what we will use it for.
Why do we collect and use patient information?
We need to keep records about your healthcare and treatment, and we may need to contact you to arrange appointments. We may also need to process your personal data for other purposes, including, but not limited to, for the purposes of safety, security, research and development. This helps us to make sure that you receive the best possible care and support.
We collect and use your information under the following lawful bases:
- where we have the consent of the data subject (this means you, the patient)
- where it is necessary for compliance with a legal obligation
- where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
- where processing is necessary to protect the vital interests of the data subject or another person; and/or
- where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Where the personal data we collect about you is special category personal data, we will only process it where:
- we have explicit consent
- it is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
- the personal data is already manifestly made public by the data subject
- it is necessary for the establishment, exercise or defence of legal claims
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional
- it is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices
- it is necessary for archiving purposes in the public interest, scientific or historical research or statistical purposes
- processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; and/or
- processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
We may also process special category personal data for the conditions laid out in the Data Protection Act 2018, including but not limited to:
- Employment, social security and social protection
- Health or social care purposes
- Public health
- Research
- Statutory and government purposes
- Equality of opportunity or treatment
- Preventing or detecting unlawful acts
- Protecting the public against dishonesty
- Regulatory requirements relating to unlawful acts and dishonesty
- Preventing fraud
- Suspicion of terrorist financing or money laundering
- Support for individuals with a particular disability or medical condition
- Counselling
- Safeguarding of children and of individuals at risk
- Safeguarding of economic well-being of certain individuals
- Insurance; and/or
- Disclosure to elected representatives.
The information that we collect, hold and share include:
- personal information (such as name, DOB, NHS number and address)
- characteristics (such as ethnicity, language, medical conditions, nationality, country of birth)
- information relating to child protection or safeguarding; and/or
- medical and health data
Collecting patient information
We may ask you for your explicit consent to process personal data for any other purpose other than direct healthcare, for example to participate in a research and development study.
When patients reach 13 years old they are deemed to be old enough to make their own decisions in relation to their own personal data. When relying on consent, we will make sure that the child understands what they are consenting to. However, the child’s data cannot be shared with a third party without the consent of a parent or guardian. Children may withdraw consent if consent has previously been given.
How long are health records retained?
All patient records are destroyed in accordance with the Records Management Code of Practice for Health and Social Care (2016), which sets out the appropriate length of time each type of health record retained.
The Trust does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.
The Trust retains all other records in alignment with relevant statutory guidelines and legal obligations.
Who do we share patient information with?
We may share your personal information for health care purposes with other NHS organisations – including other NHS trusts, or other providers of NHS services including general practitioners (GPs), ambulance services, and primary care agencies – as well as with local authorities.
We may need to share information from your health records with other non-NHS organisations, such as social services if you are also receiving care from them, to ensure that the services you receive are appropriate.
We may process, receive and share your data with Herts Urgent Care (HUC) if you use the 111 service to book an appointment at our emergency department. For more information, please see the HUC website.
We may need to share your information with external organisations for the purposes of safeguarding children and adults. We will only do so where we have a legal basis upon which to share information, such as through a court order, or through our legal obligation to protect children and vulnerable adults. For more information, please see our Safeguarding page.
We may need to share your information with our external data processor, Open Medical, to process any health records relating to trauma and orthopaedic care. For more information, please see our Trauma and Orthopaedics page.
We may need to share your information with our external data processor, Medilogik Ltd, to process any health records relating to endoscopy care. For more information, please see our Endoscopy page.
We may need to share your information with our external data processor, Clinical Computing UK Limited, to process any health records relating to renal care. For more information, please see our Renal Medicine page.
Additionally, we may need to share your information with our external data processor, The Phoenix Partnership (Leeds) Ltd., to receive and share with your GP any health records relating to renal care. For more information, please see our Renal Medicine page.
We may need to share your information with our external data processor, Zed Technologies, to process any health records relating to historic cardiology care. For more information, please see our Cardiology page.
We may need to share your information with NHS trusts within our vascular network to process any health records relating to vascular surgery and related patient care. For more information, please see our Vascular Surgery page.
It should be noted that the Trust may have occasion to share your Personal Data with Microsoft, Accenture and any other Data (Sub-) Processors as may be required for the facilitation and management of NHSMail and related services, in accordance with NHS Digital’s NHSmail live service with Office 365 Data Protection Impact Assessment. When processing your data for these purposes, your data will be kept secure and encrypted at all times and will not be processed outside of the UK.
If you are a patient or service user that has been placed on a waiting list to receive care, we may process your personal data for the purposes of assessing the Trust’s levels of demand and our capacity to deliver that care. If we do so, we will pseudonymise your personal data so that you cannot reasonably be identified and then share this information with our trusted data processors, IQVIA, who will assist the Trust in analysing our levels of demand and our capacity to deliver your care. Your personal data will not leave the European Economic Area (EEA) when it is processed for this purpose.
Similarly we may need to share information from your health record for the purposes of evaluating the quality of care that we provide. However, we will not disclose any health information to third parties without your consent unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires it.
We may need to share information about you and your care in the event that the provision of that care is directed to be transferred to another NHS trust. We will only do so where the law requires us to do so and when under the supervision of NHS special commissioners.
We may also be asked by other statutory bodies to share basic information about you, such as your name and address – but not sensitive information from your health records. When this happens it is normally because it will assist them to carry out their statutory duties.
These competent authorities may include, but are not restricted to:
- social services
- education services
- local authorities
- the police
- voluntary sector providers
- private sector providers; and/or
- the courts and other judiciary functions
All members of staff employed by these agencies are bound by the common law duty of confidentiality which means that information that you provide to us must be held in confidence and not shared with anyone else.
In order to protect the safety and security of our patients and staff, we may share audiovisual media captured through CCTV, bodycams or other sources with the Police or other relevant competent authorities. We will only share your data in this way where we are legally obligated to do so and where processing is necessary for the purposes of preventing or detecting unlawful acts.
We may also share your personal data with third parties, including private companies, who provide products and services to the Trust. In the event that we share personal data with third parties, we will provide the minimum amount of personal data necessary to fulfil the purpose for which we are required to share the data.
We may need to share your information with our external data processor, Civica UK Limited, to process your health records for the purposes of financial processing. When we do so we will ensure that your Personal Data is appropriately encrypted and pseudonymised. For more information, please see the Civica Privacy Notice.
We do not share information about anyone without consent unless the law allows us to do so.
In the event that the Trust is relying on consent as the legal basis for processing your personal data, you have the right to refuse or withdraw consent to data processing at any time. Any possible consequences will be fully explained to you and could include delays in receiving care.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing or profiling
- object to decisions being taken by automated means
- request access to a portable copy of your personal data
- in certain circumstances, rectify or erase your personal data; and/or
- in certain circumstances, request that the processing of your personal data be restricted to specific purposes.
All processing of your personal data will occur within the European Economic Area (EEA) unless explicitly stated otherwise. If you have a concern about the way we are collecting or using your personal information, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office.
To learn more about how we use your information, please speak to the health professionals concerned with your care, or contact the Patient Advice and Liaison Service (PALS). If you require more detailed information, please contact the Trust’s Data Protection Officer.
For more information on how to access a copy of your medical records, please see our Health Records webpage or contact medicolegal.enh-tr@nhs.net.
For more information on how the Trust processes personal data in relation to its staff, contractors, volunteers and applicants, please see the Staff Privacy Notice.
For more information on how the Trust processes personal data of patients and service users as part of our COVID-19 Response Plan, please see the COVID-19 Privacy Notice.
For more information on Critical Worker COVID-19 testing, please see the Department of Health and Social Care (DHSC)’s Staff Testing Privacy Notice.
For more information on how the NHS utilises the COVID-19 Clinical Risk Assessment Tool, please see our COVID-19 Clinical Risk Assessment Tool Privacy Notice.
For more information on our Data Protection Impact Assessments (DPIAs), please see our Data Protection Impact Assessments page.
For more information on our Data Security and Protection Policies, please see our Data Security and Protection Policies page.
