About this privacy notice
This notice tells you:
- why we process information about you
- who we may share your personal information with and why
- the laws under which we process your personal information
- when we may ask for your consent
- what personal information we process about patients
- how long we retain patient records for
- your rights over the information we hold about you
- how we protect your information
- keeping your information up to date
- what to do if you don’t want your information used for research or planning purposes
- how to raise a concern or make a complaint
Information from which you can be identified, either directly (from your name or a unique identifier) or indirectly (by combining items of data that on their own would not identify you) is called personal information.
Why do you need to process my personal information?
We collect, hold and share patient information for a lot of different reasons. The main reason we process information about you is to provide you with care and treatment, and to honour your next of kin details. We also process information for research, to help us plan and improve local services, for clinical audits, for outcome reporting and other statutory purposes. We always use the minimum personal data needed and anonymise data where personal data is not required for the purpose.
Who do you share my personal information with and why?
My Care Record
The Trust is part of My Care Record. My Care Record operates across the East of England, enabling health and care professionals who are involved in your care to access information about you. This helps to improve your care by enabling more coordinated care, quicker diagnoses and treatment, fewer unnecessary clinical tests, less paperwork, and repetition. This gives clinicians more time to spend delivering patient care.
If you have any questions about My Care Record or if you don’t want to be part of My Care Record, speak to your clinician at the hospital.
Who else do you share my information with and why?
We may share your information with other organisations we work with to deliver your healthcare services. We will tell you if we are making a referral to one of our approved contracted providers.
We share patient information for NHS statutory reporting purposes, where we have a legal obligation to do so or where there is a substantial public interest, for example, to protect public health.
We must have a lawful basis to process your personal information.
The laws under which we process your personal information
The main laws governing the protection of personal data are the UK GDPR and the Data Protection Act 2018. We must have a lawful basis under Article 6 of the UK GDPR and, for special category data, a lawful basis under Article 9 of the UK GDPR to process personal information. Some Article 9 lawful bases must also meet a condition for processing under Schedule 1 of the Data Protection Act 2018.
Most of the personal data we process about NHS patients relies on Article 6(e) ‘Public task’ as the lawful basis, and for special category data, we mostly use Article 9(2)(h) ‘Health and social care (with a basis in law)’ as the lawful basis.
Below are the main UK GDPR lawful bases we use to process patient information. This list is not exhaustive and there are other reasons why we may need to process your personal information.
Purpose | Article 6 | Article 9 |
NHS funded care | Public task | Health and social care (with a basis in law) |
NHS funded care | Vital interests | Health and social care (with a basis in law) or vital interests |
Research | Public task | Archiving, research and statistics (with a basis in law) |
Planning care services | Public task | Health and social care (with a basis in law) |
Clinical audits | Legal obligation | Health and social care (with a basis in law) |
Patient or family member surveys | Public task | Health and social care (with a basis in law) |
Privately funded care | Contract | Health and social care (with a basis in law) |
Legal claims | Legitimate interests | Legal claims and judicial acts |
Public health | Public task | Public health (with a basis in law) or Substantial public interest (Protecting the public) |
Safeguarding | Public task | Substantial public interest (protecting children and individuals at risk) |
When we may ask for your consent
When the processing is related to your care or treatment or when there is another lawful basis that we can use, we do not rely on consent as the lawful basis under the UK GDPR. Consent under the UK GDPR gives the data subject (patient) a right to stop the processing and a right to erasure. If we could comply with this right, for example, where we have a statutory duty to process the information, then consent would not be valid.
However, where you have provided information in confidence and we need to share it in ways you could not reasonably expect (except where we are required to do so by law), we will ask for your consent under ‘common law’ to share your information. Common law consent comes from the ‘Common law duty of confidence’. This is not a written law but is based on case law. Common law consent is not the same as consent under the UK GDPR and does not give a patient a right to erasure.
What personal information do you process about patients?
The personal data we process about patients includes:
- First name and surname
- Date of birth
- Gender
- Ethnicity
- Religion
- Address
- Email address
- Contact number
- Postal address
- Contact details of parent or your next of kin
- Carer contact details (if applicable)
- Appointments and hospital visits
- Tests
- Diagnoses
- Other health conditions (called comorbidities)
- Treatments, operations and medications
- Allergies
- Pregnancy information
- Xrays, scans and ultrasound images
- Genetic data
- NHS Number
- Hospital Number
- Your GP practice
- Financial information on payments (private patients)
- Any images that have been captured by CCTV security cameras in our hospitals
- Nationality
How long are my healthcare records retained for?
The Trust follows the NHS Records Management Code of Practice 2021 record retention periods.
Your rights over your personal data
The UK GDPR gives you rights over your personal data. Some rights are universal, and others depend on the lawful basis for processing.
- The right to be informed – we must tell you how we process your personal information.
- The right of access – you can ask to see what personal information we hold about you. This is called making a Subject Access Request (SAR). To find out more about how to make a SAR go to https://www.enherts-tr.nhs.uk/patient-visitors/commitment/health-records/
- The right to rectification – if you think we hold information about you that is inaccurate, you can ask us to correct it. We will correct any information that we agree is wrong, or we don’t agree, will add your comments to your record about what you feel is wrong.
- The right to erasure – in some circumstances you have a right to erasure of certain information we hold about you. This depends on whether we have a statutory obligation to retain the information and what lawful bases we have relied upon for the processing.
- The right to restrict the processing – this right, where it applies, allows you to ask us to retain some information but to restrict what we can retain or use.
- The right to object – you can object to how we process your personal information. We will comply with your objection unless there is an overriding reason to continue the processing.
- The right to data portability – in some circumstances, you can request a copy of the personal data that you have provided to us, in a machine-readable format, so that you can transfer it to another organisation or use it for a similar purpose.
- The right to challenge an automated decision – where computers have been set up to make automated decisions, you have a right to challenge the decision or ask for a personal to check the automated decision
How we protect your information
It’s important that your information is held securely and that your clinician(s) and other staff involved in your care can access the information they need to see, whenever they need to, and from whatever location they are working from.
Our digital patient information systems have strict access controls and staff are only able to see information that they need to know to perform their role. All our staff are subject to a duty of confidentiality and receive data protection and information security training every year as a minimum.
Keeping your information up to date
Please tell us straight away if your contact details change or if you notice any incorrect or out of date information on your records.
We will take the opportunity to share information from our records with you when you attend appointments, so you can tell us if there is anything that is incorrect or that you don’t agree with.
If you want don’t want your information used for research or planning purposes
Being able to use patient information for research and planning is vital for research into new treatments, improving existing treatments, faster diagnoses, and helping the NHS to improve patient experiences and outcomes. It also helps the NHS to plan services where they are needed most, such as new clinics and GP practices.
However, if you don’t want your information used for these purposes, then you can opt out using the national data opt-out service. To find out more about the national data opt-out and how to set your opt-out choice visit https://digital.nhs.uk/services/national-data-opt-out. You can change you opt-out choice at any time, but please allow 21 days for your request to be actioned.
How to raise a concern or make a complaint
If you have any questions, concerns, or objections about how we process your personal information, please speak to your clinician in the first instance. If you still have concerns, you can contact our Patient Advice and Liaison Service (PALS) who can help to resolve any issues. If you are still dissatisfied and want to make a complaint, please write to our Data Protection Officer at data.protection.enr-tr@nhs.net who will investigate your concerns and write to you.
If you remain dissatisfied you have a right to make a complain to the Information Commissioner’s Office (ICO). The ICO is the UK’s independent authority that upholds information rights in the public interest, including data privacy for individuals.
For more information on how we process personal data as part of our COVID19 response plan, see our COVID-19 Privacy Notice.
Looking for information about how we protect information about staff, contractors, volunteers and applicant? See our Staff Privacy Notice.