Herefordshire and Worcestershire Health and Care NHS Trust Privacy Policy

Herefordshire and Worcestershire Health and Care NHS Trust is required to comply with the laws and regulations that apply to protecting your data and how it is used. They are the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Purpose of our Privacy Notice

Herefordshire and Worcestershire Health and Care NHS Trust (HWHCT) appreciates the trust you place in us when you share your personal information and we take your confidentiality and privacy rights very seriously. We believe that being open and honest with you about how your information is used and kept safe is extremely important.

In this privacy notice we will explain how we collect, use, store and protect your personal information. We will also explain what rights you have with regards to your personal information and how you can exercise those rights.

Who we are and what we do

Herefordshire and Worcestershire Health and Care NHS Trust is the main provider of community and mental health services in Worcestershire, and mental health services in Herefordshire. We deliver a wide range of services in a variety of settings, including in people’s homes, care homes, schools, community centres and our in-patient facilities including our five community hospitals.

We provide services to people across all age groups, from health visiting services for new born babies and their families to services which support older people with complex health and social care needs.

What is personal information?

‘Personal information’ means any information relating to an identified or identifiable living person. This includes things like: your name, address, date of birth, sex, NHS number and telephone number HWHCT also collects and uses personal information that is called ‘special category’ information and this includes things like: your physical or mental health information, racial or ethnic origin or sexual life.

Purposes and the legal basis for the processing

HWHCT processes personal information for a number of different reasons and these will be published in more detail very soon. But the main reason that we use personal information is for providing direct care and administrative purposes. HWHCT has a statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to both the common law duty of confidence, the UK General Data Protection Regulation ( UK GDPR) and the Data Protection Act 2018. For common law purposes, sharing information for direct care is on the basis of implied consent, which may also cover administrative purposes where the patient has been informed or it is otherwise within their reasonable expectations.

  • 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

Personal data concerning health are ‘special categories’ of personal data; and the UK GDPR Article 9 condition for the lawful processing of personal data for direct care and administrative purposes is:

  • 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Local administrative purposes include:

  • waiting list management
  • performance against national targets
  • activity monitoring
  • local clinical audit
  • production of datasets to submit for commissioning purposes and national collections
  • local clinical supervision
  • teaching and training
  • patient surveys

You have the right to refuse/withdraw your consent to information sharing at any time. Please discuss this with your relevant health care professional as this could have implications in how you receive further care, including delays in you receiving care.

However, a person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other people. In these rare circumstances we are not required to have your consent.

Examples of this could be;

  • in order to comply with a court order
  • to protect someone’s life
  • for safeguarding purposes
  • if your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases
  • to prevent or detect serious crime
  • if you are subject to the Mental Health Act, there are circumstances in which your ‘nearest relative’ must receive information even if you object
  • in the legitimate interests of the Trust e.g. if it were necessary in order to defend ourselves in court
  • where the Trust is required to participate in national fraud detection exercises, such as the Cabinet Office's bi-annual National Fraud Initiative
  • Quality surveys, such as NACEL (National Audit of Care at the End of Life)

You have the right to refuse/withdraw your consent to information sharing at any time. Please contact the Trust if you wish to withdraw your consent. A person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other people. In these rare circumstances we are not required to have your consent.

Examples of this could be

  • in order to comply with a court order
  • to protect yours, or someone else’s life
  • for safeguarding purposes
  • if your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases
  • to prevent or detect serious crime
  • if you are subject to the Mental Health Act, there are circumstances in which your ‘nearest relative’ must receive information even if you object
  • in the legitimate interests of the Trust e.g. if it were necessary in order to defend ourselves in court
  • where the Trust is required to participate in national fraud detection exercises, such as the Cabinet Office's bi-annual National Fraud Initiative
  • Quality surveys, such as NACEL (National Audit of Care at the End of Life)

Where we do this we will process your personal and/or special category in compliance with the lawful conditions set out in the UK GDPR Articles 6 and 9. If we want to process your information for other purposes that are not described above then we will seek your consent to do so before we process it. For example, this could be for a research project. Please be assured that the information in your patient record will only be used for purposes that benefit your care - we will never share it for marketing or insurance purposes.

Full details of how we process your personal information can be found in our Record of Processing Activities (ROPA) information on the Trust website.

Who we share your information with

To help give you the best care possible, sometimes we will need to share information about you and your health. This information is shared to make sure we and other colleagues know enough about your needs to support you.

 We may share information about you with the following agencies to support delivery of your care: 

  • NHS England
  • Integrated Care Boards
  • Other providers involved in your care, such as hospitals.
  • NHS 111, ambulance and/or other emergency services
  • General Practitioners (GP’s) in Herefordshire & Worcestershire
  • Ambulance Service
  • Child and adult safeguarding services
  • ·     Social services 

We may also share your information, where there is a lawful basis to do so, with:
 

  • NHS Improvement
  • Education services
  • Local authorities
  • Voluntary and Social care sector providers
  • Private sector organisations who are involved in your care
  • ·     Care Quality Commission 

Where we share your information, we will have appropriate technical and operational measures in place. There will be either a contract and/or an information sharing agreement in place. We will only share your information where we are satisfied that there are sufficiently secure arrangements in place with the other organisation(s). 

Herefordshire and Worcestershire Shared Care Record 

When you visit your GP or hospital, they can’t see all of your health and care information and you can be answering the same questions about the medicines you take, the treatment you’ve had, and whether you have any allergies. 

This is because they all use different computer systems to record your details and as these systems aren’t connected, the health and care organisations looking after you can’t see the information each other holds on you. 

Herefordshire and Worcestershire Health and Care NHS Trust works with other health and social care organisations to share information that will form part of your Shared Care Record. The Shared Care Record allows health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you. Information we hold about you will be available, to read only to other health and care professionals in Herefordshire and Worcestershire, Birmingham and Solihull, and Coventry and Warwickshire when they are involved in your health or social care.

For more information on how your data is used on the Shared Care Record and how to exercise your rights please see the full privacy notice on the Herefordshire and Worcestershire Integrated Care System (ICS) website.

Herefordshire and Worcestershire ccg - Shared Care Record

National Data Opt-out Programme

Herefordshire and Worcestershire Health and Care NHS Trust is one of many organisations working in the health and care system to improve care for patients and the public. Whenever you use a health or care service, such as attending a Minor Injuries Unit or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment. The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • Improving the quality and standards of care provided
  • Research into the development of new treatments
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law. Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn't needed. You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care. Find out more or to register your choice to opt out. On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at: NHS Health Research Authority - Patient information and health and care research (which covers health and care research) and Understanding Patient Data - What you need to know (which covers how and why patient information is used, the safeguards and how decisions are made).

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement. 

Sharing Overseas

HWHCT does not routinely transfer information overseas, but if there is a need to do so we will ensure that the security and protections that are put in place are of an equivalent standard to those that we use internally when processing your information.

Use of CCTV

HWHCT has CCTV on some sites. This is to provide a safe and secure environment for patients, staff, visitors and to safeguard Trust property.  CCTV images may be used to assist in the prevention and detection of crime. Images may be shared with the Police for the investigation of crimes or shared with other agencies to investigate complaints, Serious Incident investigations and disciplinaries.

How long do we keep your information for?

HWHCT will only keep your information for as long as necessary and in accordance with the NHS Records Management Code of Practice 2021 retention schedule. The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes (for example your email address) during your relationship with us.

Your Rights

There are 8 rights under the UK GDPR; the relevant rights to this Privacy Notice are considered below.

  • Right to be Informed - This Privacy Notice is our main way of letting you know what personal information we hold about you and who we share it with etc. We have endeavoured to be as open and as honest as we can in this Notice, ensuring that we use concise, easily understood information that is written in clear and plain language. If there are any parts of this Privacy Notice that you do not understand then please get in touch with the HWHCT Data Protection Officer. The contact details are below.
  • Right of Access – You have the right to request access to or a copy of your personal data which HWHCT holds about you. More information on how to do this is available on the access to health records pages on the Trust website.
  • Right to rectification – You have the right to request that HWHCT corrects any personal data if it is found to be factually inaccurate or out of date.
  • Right to Erasure – You have the right to request your personal data is erased. Note – information contained in health records will not be erased as it forms part of a legal document and it was collected for the purposes of direct care.
  • Right to restrict processing – You have the right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on any further processing.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Who to contact for more information

The Trust’s Data Protection Officer is Shaun Tudge – Head of Information Governance.

If you have any questions about our Privacy Notice or how we use your personal information, please get in touch.

If you wish to know more about your rights, have any concerns or wish to escalate an issue then please contact the UK’s Supervisory Authority, the Information Commissioner's Office (ICO):

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Herefordshire and Worcestershire Health and Care NHS Trust is registered with the Information Commissioner's Office (the UK’s Supervisory Authority). Our Registration Number is Z2745227.

Supporting information