Your information and what you should know (privacy notice)
Supplementary privacy note on Covid-19 for Patients [pdf] 127KB
Supplementary privacy notice for Coronavirus (COVID-19) testing of staff and family
This page explains why information is collected about you and the ways in which this information may be used – this is called a Fair Processing Notice or Privacy Notice. It is designed to inform you about how the Trust is complying with the General Data Protection Regulation (GDPR) 2018 and the Access to Health Records Act 1990. It also explains how you can access or get copies of your information held by the Trust.
Who we are
We, Epsom and St Helier University Hospitals NHS Trust (the Trust), are a data controller. Our address for communications is:
St Helier Hospital
Wrythe Lane
Carshalton
SM5 1AA
Our telephone number is 020 8296 2000.
Our hospitals are registered to process personal and sensitive information under the Data Protection Act 2018 - our registration number is Z6690929.
Our Caldicott Guardian (senior person responsible for sharing of patient information) is Dr Vipula De Silva. Dr De Silva can be contacted via email at v.desilva@nhs.net
Our Senior Information Risk Owner (SIRO) is Mr Andrew Grimshaw, Group Chief Finance Officer. He can be contacted via email at andrew.grimshaw@stgeorges.nhs.uk
Our Deputy Senior Information Risk Owner (SIRO) is Mr John Taylor, who is also our Operational Director of Digital Services. He can be contacted via email at john.taylor@stgeorges.nhs.uk.
Our Data Protection Officer is Paul Kenny. Paul Kenny is also our Information Governance Manager, and can be contacted at paul.kenny@nhs.net.
Please note that emails sent to the above addresses will not be secure in transit.
Why we collect and use your information (purpose of processing)
We ask for information about you so that you can receive care and treatment. We keep this information, together with details of your care, because it may be needed if we see you again, and allows continuity of your care.
As data controllers under the GDPR we process personal data (under Article 6) and sensitive data which the GDPR terms as Special Categories (under article 9).
Personal data is defined as information relating to a living individual that can identify them. Examples include name, date of birth, NHS Number or a combination that can also identify an individual.
Special Categories are defined as: race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life and sexual orientation.
Why do we hold your information?
Records about you are used by those caring for you to:
- Provide a good basis for all healthcare decisions by you and care professionals
- We may offer you services, referrals or information based on your profile
- Enable you to work in partnership with those providing care
- Make sure the care we provide is safe and effective
- Work effectively with others providing you with care
- To provide chaplaincy and pastoral care services
- Remind you about appointments.
Others within the Trust and the NHS may also need to access records about you to:
- Check the quality of care (called clinical audit)
- Protect the health of the general public
- Keep track of NHS spending, including the goods and services the Trust provides
- Manage the health service
- Help investigate untoward incidents, complaints or legal claims
- Teach healthcare staff
- Help with research. If we need to use information that identifies you, for more than your direct care or to check the quality of that care we will always seek your consent beforehand
- To keep you informed of the work of the Trust such as new services and to carry out surveys.
How your patient records are used to help you
- Your doctor, nurse or any other healthcare professional involved in your care needs to have accurate and up-to-date information to assess your health
- A record of any treatment or care you receive in hospital needs to be kept, in case you return for further treatment
- This information is available should you have to see another doctor at our hospitals, or receive treatment elsewhere in the NHS
- Your records are a good basis for hospital staff to assess the type and quality of care you have received
- Your concerns can be properly investigated if you need to complain.
How your patient records are used to help the NHS
- Review the care we provide for you and other patients, to ensure it is of the highest standard
- Make sure our services can meet all patients’ needs in the future
- Teach and train healthcare professionals
- Conduct health research and development
- Make sure your hospital gets paid for your treatment
- Audit NHS services and accounts
- Prepare statistics on NHS performance
- Investigate complaints, legal claims or untoward incidents.
Some of this information will also be held centrally by the NHS where it is used for statistical purposes in order to plan ahead. This is known as Secondary Use. Strict security measures are taken to ensure that individual patients cannot be identified.
Anonymous statistical information may also be passed to organisations with a legitimate interest in healthcare and its management, including universities, community safety units and research institutions.
Where it is not possible to use anonymous information, personally identifiable information may be used for essential NHS purposes such as research and auditing. This will only be done with your consent, unless the law permits the information to be passed on to improve public health or the research has been approved by the Confidentiality Advisory Group (CAG) - a national body comprised of ethicists, data protection experts as well as lay people.
There are times when it may be necessary to be able to track back to the patient details. In these cases the patient detail is replaced by a code and we keep the decode information within the Trust. This is called pseudonymisation.
How we keep your records confidential
Everyone working for the NHS has a legal duty to keep information about you confidential.
You may receive care from other people as well as the NHS (like Social Services). We may need to share some information about you so that we can all work together for your benefit. We will only ever use, or pass on, information about you if others involved in your care have a genuine need for it such as our partner organisations listed below.
All NHS organisations must comply with the NHS Care Records Guarantee. The document sets out the rules that govern how patient information is used in the NHS and what controls a patient can have over this.
We will not disclose your information to third parties without your consent unless there are exceptional circumstances. These may be in situations when the health and safety of others is at risk, or where the law permits information to be passed on. Anyone who receives information from us is also under a legal duty to keep it confidential.
We are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional.
When do we need to pass on information? Occasionally, we must pass on information, including:
- Notification of new births
- Where we encounter infectious diseases which may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)
- Where a formal court order has been issued
- Where a serious crime has been committed or a terrorist incident.
We have appointed a senior person, an Associate Medical Director, as our Caldicott Guardian. The Caldicott Guardian is responsible for protecting the confidentiality of patients and enabling appropriate and lawful information sharing.
The lawful basis of the processing
The Trust processes (uses) personal information only when it has a legal basis for doing so.
The primary purpose for which the Trust processes personal information is in order to support its healthcare activities as set out in the National Health Service and Community Care Act 1990. This is the Trust’s source of “official authority.”
The basis for the Trust processing your information is described in Article 6 (Lawfulness of processing) and Article 9 (processing of special categories of personal data) of the General Data Protection Regulation.
Personal data is defined as information relating to a living individual that can identify them. Examples include name, date of birth, NHS number or a combination that can also identify an individual.
Our guiding principle is that we hold your records in strict confidence.
The legal basis for using your data will depend on what we need to do but includes:
6(1)(a) Consent
6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ and
9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
Alternative conditions may be
6(1)(c) ‘…necessary for compliance with a legal obligation to which the controller is subject…’ or
6(1)(d) ‘…necessary in order to protect the vital interests of the data subject or of another natural person’ and
For safeguarding:
9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’ under the General Data Protection legislation.
In addition for employment purposes:
9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law..’
For staff and volunteers disclosure and barring service (DBS) checks the Trust will process under Article 10 of the GDPR 2018 and the Safeguarding Vulnerable Groups Act 2006.
For a contract:
Article 6(1)(b) is necessary for a contract where the individual has a contract with the Trust or because the individual has asked the Trust to take specific steps before entering into a contract.
The terms used above mean:
Consent: the individual has given clear consent for the Trust to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract the individual has with the Trust, or because they have asked the Trust to take specific steps before entering into a contract.
Legal obligation: the processing is necessary for the Trust to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for the Trust to perform a task in the public interest or for the Trust's official functions, and the task or function has a clear basis in law.
What information may we hold about our patients, users of our online services, staff and others and why
Patients
We hold details about you, such as your address (including correspondence address), telephone numbers, date of birth, sex, “next of kin” (who to contact in an emergency - please note “next of kin” has no legal standing) and your GP.
It is your responsibility to ensure the Trust has up to date contact information for you.
Together with this information, we also hold other details about you, which you may have provided or which may have been given to us by other organisations or public sources. These may include:
Categories of personal data
Information we collect includes:
- Your name and address
- Your medical conditions, allergies and medications
- Treatment provided and contact you have had with us
- Results of investigations, such as x-rays, MRI / CT and laboratory tests
- Reports about your health and the care you need
- Relevant information from other health professionals
- Smoking status
- Any learning disabilities
- Religion
- Marital status
- NHS number
- Occupation
- Overseas status
- Place of birth
- Preferred name or maiden name
- Where applicable, the date, cause and place of death
- Your ethnic origin, in order to help in planning services and ensuring equal access
- School details
- Child/Adult protection status
- Email address
- Your religious, spiritual or pastoral beliefs (or none)
- Family details
- Sexual life
- Next of Kin details
- Where applicable, the date, cause (if died in hospital) and place of death
- Power of Attorney Status / Deputyship under the Mental Capacity Act (Health and Personal Welfare)
- Photographs, audio and video recordings
- Financial information for private care.
Special category data
Special category data is personal data which the GDPR says is more sensitive (very like sensitive data under the DPA 1998), and so needs more protection.
- Race
- Ethnic origin
- Politics
- Religion
- Trade union membership
- Genetics
- Biometrics (where used for ID purposes)
- Health
- Sex life
- Sexual orientation.
The Care Records Guarantee (opens in a new window) outlines the duty we have to maintain accurate records of the care we provide to you; keep these records confidential and secure; and provide information in a format that is accessible to you.
For staff, volunteers and job applicants and others
In addition to patients, the Trust also processes information on those who are not patients such as:
- Employees, job applicants, apprentices, complainants, enquirers, survey respondents, suppliers, professional experts, consultants, people captured in closed circuit television images including by body worn cameras.
- Information is also held on job applicants for the purposes of processing their application and ensuring equality and patient safety
- Information on staff, volunteers and apprentices may be shared with third parties that provide services to the trust and in order to comply with statutory requirements and to facilitate the running of the Trust.
- Staff, volunteers and apprentices need to be aware, however, that their information will be processed as part of their contract / agreement with the Trust. This will be fully explained to you by the Human Resources team and / or your manager.
- Staff, volunteers and job applicants should contact the Trust Human Resources department for further information on how their information is processed.
Data will be stored in a range of different places, including in your personnel file, in the Trust's HR management systems (including First Care, Healthroster, ESR, TRAC, ER Case Tracker) and in other IT systems (including the Trust's email system).
The legal basis for the Trust as a public authority for processing information for your individual care under GDPR is as follows:
9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law..’
For individual contractors providing services to the Trust
Article 6(1)(b) is necessary for a contract where the individual has a contract with the Trust or because the individual has asked the Trust to take specific steps before entering into a contract.
This information may include:
- Your name, address and contact details, including email address and telephone number, date of birth and gender
- The terms and conditions of your employment
- Details of your qualifications, membership of professional bodies, skills, experience and employment history, including start and end dates, with previous employers and with the trust
- Information about your remuneration, including entitlement to benefits such as pensions or insurance cover
- Details of your bank account and national insurance number
- Information about your marital status, next of kin, dependents and emergency contacts
- Information about your nationality and entitlement to work in the UK
- Information about your criminal record
- Details of your schedule (days of work and working hours) and attendance at work
- Details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave
- Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
- Assessments of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence
- Information about medical or health conditions, including whether or not you have a disability for which the trust needs to make reasonable adjustments
- Equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.
The Trust may collect this information in a variety of ways. For example, data might be collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving license; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.
In some cases, the Trust may collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.
Not a patient or staff? Visitors, relatives, friends, next of kin, etc.
It is possible that the Trust holds information on you as part of someone else’s record. Under GDPR you may still be entitled to receive a copy of this information, so long as it would not breach the confidentiality of the person whose records hold the information, or there is another reason not to provide it.
The legal basis for the Trust as a public authority for processing information for your individual care under GDPR is as follows:
6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
What the GDPR terms mean:
Contract: the processing is necessary for a contract the individual has with the Trust, or because they have asked the Trust to take specific steps before entering into a contract.
Legal obligation: the processing is necessary for the Trust to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for the Trust to perform a task in the public interest or for the Trust's official functions, and the task or function has a clear basis in law.
The recipients of your data and those that provide us with data about you
Who do we share information with?
We will share information with you the patient and other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs.
We will also share information as required by law, for example, to comply with a court order.
We will anonymise or pseudonymise your information wherever possible to protect confidentiality.
In particular, as a patient we will inform your GP and others involved in your care of your progress unless you ask us not to.
You need to be aware however that there are possible consequences if you do not allow us to share. These will be fully explained to you by your clinician, and could include delays in receiving care and you being harmed.
We may share your information with other organisations and individuals where it may benefit you or we are required to do so, for example with:
- Hospitals and Health care organisations
- Social services
- Community services
- General Practitioners (GP)
- Clinical commissioning groups (who commission hospital services – usually information is partly or fully anonymised)
- Education Services, such as research at universities and examining bodies
- Ambulance services
- Companies that provide services on behalf of the Trust; this may be via an Integrated Clinical Care Record (IDCR)
- Family, associates and representatives (with your consent or under Lasting Power of Attorney/Deputyship under Mental Capacity Act – Personal Welfare)
- Staff
- Healthcare social and welfare organisations
- Suppliers, service providers
- Auditors and audit bodies
- Financial organisations; including in order to process payments you make for goods and services
- Professional advisers and consultants, legal representatives, debt recovery
- Security organisations
- Voluntary sector providers, such as patient groups or health charities
- Care homes including private sector care homes
- Private health care providers
- Police forces
- Chaplaincy and Pastoral Care
- Hospital Hotel Services
- The Health and Safety Executive
- Couriers and Taxi providers.
Where this is done it will be either to benefit your treatment plan or to help plan future services.
In addition to patients, the Trust also processes information in order to support and manage our employees, job applicants, complainants, enquirers, survey respondents, suppliers, professional experts and consultants.
We usually require certain information in order for us to provide you with services (including treatment) or information. If you are unable or unwilling to provide us with the requested information, it may reduce the level of care or service we are able to provide or our ability to answer your questions.
When we share your information with other organisations, the sharing will be covered by an agreement describing how the information is to be used (an Information Sharing Protocol).
Information we are required to report
We are also required by law to report certain information to the appropriate authorities, for example notification of new births. We may also provide information regarding crimes to the police and where a court order has been received.
Whenever we share information with other organisations we will do this in line with the Data Protection Act and the NHS Confidentiality Code of Practice (2003).
We share anonymous information with local authorities and the police for the purposes of crime mapping.
We do not share information, in the ways described above, regarding treatment you may have received in the specialities of sexually transmitted infections and human fertilisation and embryology (not withstanding any legal requirements imposed on the trust).
The source of personal data where we do not obtain it from you
We may obtain your personal information from the organisations or individuals listed above that we share with or others that have information that may assist with the provision of your care.
Social media and our website
When you use our website or interact with our social media presence (eg Twitter, Instagram and Facebook) your data (eg comments, likes, reviews) may be visible to providers of social networking services and their users.
We suggest that you review the privacy and security settings of your social media accounts to ensure you understand how your data may be shared and used.
Information on visitors to the website is collected by Google Analytics, which collects information on pages visited, length of visit, URL and search terms of referring sites, your browser’s capabilities, and your IP address. Google will not associate this with any other data held by Google. You can opt out of Google Analytics with their opt-out browser add-on (opens in a new window) or any of a number of third party privacy extensions for your browser.
We do analyse the server log files which contain details of the Internet address (IP address) of computers using the site, pages looked at, the times of day and the type of web browser used. None of this information is linked to individuals.
You can also read our Cookies policy which describes how our website uses cookies.
Please see the Terms of use of our website for more information
Mailing lists
We may ask you if you would like to be added to one of our mailing lists in order for you to receive information not related to your direct care, for instance, to receive information about the Trust and its activities.
You can stop receiving such communications at any time by letting us know and this will be made clear when you sign up.
Automated decision-making and profiling
The Trust does not carry out automated decision making but will endeavour to identify people who may benefit from additional services (profiling) for example those who attend our emergency department frequently.
Appropriate staff, for example clinicians, would make the actual decisions based on the available information.
Transfers of your information to third countries or international organisations
It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA) unless additional safeguards have been put in place to protect your information.
Any transfers made will be in full compliance with all aspects of the Data Protection legislation.
How long do we hold your information for?
We retain health records for at least eight years from the last date that you presented at the Trust, and until the 25th birthday for children. Oncology and blood transfusion records are kept for 30 years.
These are the minimum times for which we keep information; we may keep it for longer if we believe doing so will be of benefit to you or we are not able to delete it due to a technical issue for example.
We have a duty to:
- Maintain full and accurate records of the care we provide to you
- Keep records about you confidential and secure.
Further details can be found in “The Records Management Code of Practice for Health and Social Care 2021” (opens in a new window).
How can you access (get a copy of) your health records?
Subject Access
For patients
You have the right to see or have a copy of your personal information.
You do not need to give a reason; and normally there will be no charge.
We may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
We may also charge a reasonable fee to comply with requests for further copies of the same information.
Any fee will be based on the administrative cost of providing the information.
If you want to access your health records, you should make a written request to the Trust subject access team at the following address:
Subject Access Team
Medical Records
Epsom Hospital
Dorking Road
Epsom
Surrey
KT18 7EG
Email: esth.subject.access@nhs.net
Tel: 020 8296 4067
We provide an application form and other information to assist you with your application, which can be found at www.epsom-sthelier.nhs.uk/access-to-health-records, but you do not need to use our form as long as you provide us with the information we require to process your request.
We will normally provide your information within one month (four weeks) of receiving all the information we need to respond to your request. It may be that we have to extend the time period by a further two months (eight weeks) if your request is complex, numerous or large. We will inform you within the month of receipt if this is the case and explain why the extension is necessary.
Please be as detailed as possible when requesting information, for instance stating date ranges, appointment types or specific letters.
Before records are released we will seek the advice of the consultant in charge of the patient's care to ensure that no information about an individual’s physical or mental health or condition will be released if it would be likely to cause harm to them or to another person’s physical or mental health or condition. We will also withhold information provided by third parties where we don’t have consent to release it or where the patient has made it clear that they did not want the information disclosed.
Before providing any information we will need to verify your identity and may request further information from you so we may progress your query as quickly as possible.
For staff, volunteers and job applicants
Staff, volunteers and job applicants should contact our Human Resources department at esth.staffsar@nhs.net for copies of information the Trust holds about them.
Your rights in respect of restricting our processing of your information
Your right to be informed
This means you have a right to be informed about the way we collect and use your data.
Your right to rectification
This means you have the right to have inaccurate (incorrect or misleading as to any matter of fact) personal data corrected or completed.
Your right to have your personal information erased
This right is not absolute and only applies in certain circumstances.
It does not apply to Health Records which are legal documents under the Public Records Act 1950.
You can request either in writing or verbally to have your information erased. We will respond to your request within one month.
When does the right to erasure not apply?
- If the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
- if the processing is necessary for the purposes of preventative or occupational medicine (eg where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services)
- to comply with a legal obligation
- for the performance of a task carried out in the public interest or in the exercise of official authority
- for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
The right to erasure applies if:
- Your personal data is no longer necessary for the purpose which we originally collected or processed it for
- We are relying on consent as your lawful basis for holding the data, and you withdraw your consent
- We are relying on legitimate interests as your basis for processing, you object to the processing of your data, and there is no overriding legitimate interest to continue this processing
- We are processing the personal data for direct marketing purposes and you object to that processing
- We have processed your personal data unlawfully, or we have to do it to comply with a legal obligation; or
- We have processed the personal data to offer information society services to a child.
Your right to Restrict processing
This means that you can request that the processing of your data is blocked and your data stored separately.
- You may request a restriction verbally or in writing. This is not an absolute right and will depend on the circumstances of your request
- The length of time the restriction will apply for will depend on the circumstances of your request
- If you restrict our processing of your data we are permitted to store the personal data, but not use it
- We will respond to your request within one calendar month.
You have the right to restrict the processing of your information in the following circumstances:
- You contest the accuracy of your personal data and we are verifying the accuracy of the data
- We no longer need the personal data but you need to keep it in order to establish, exercise or defend a legal claim; or
- You have objected to the Trust processing your data under Article 21(1), and the Trust is considering whether its legitimate grounds override yours.
How might we restrict processing?
We may restrict processing in one or more of the following ways:
- Temporarily move the data to another processing system
- Make the data unavailable to users; or
- Temporarily remove published data from a website.
When will a restriction be removed?
Once we have made a decision on the accuracy of the data, or whether our legitimate grounds override those of the individual, we may decide to lift the restriction. We will inform you before we lift the restriction.
Your right to data portability
This means that you can request a secure transfer of your data to another Data Controller.
The right to data portability only applies when:
- the data is about you and was provided by you to the Trust
- the processing is based on your consent or on the performance of a contract; and
- the processing is carried out by automated means.
See the section on how to access your health records (subject access).
If the Trust provides your information to you under the right to portability no fee will be payable and the information will be provided within one month.
Your right to object
This means that you have the right to object to the Trust processing your data where the processing is based on:
- legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
You must have an objection on “grounds relating to your particular situation”.
We will stop processing your information unless:
- We can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms;
- the processing is for the establishment, exercise or defence of legal claims; or
- The Trust is conducting research where the processing of personal data is necessary for the performance of a public interest task, in which case the Trust is not required to comply with an objection to the processing.
Your right to withdraw your consent
This means that once you have given your explicit consent for your information to be processed you have the right to:
- Withdraw your explicit consent for the processing of your information
- Withdraw your consent by informing the department / team that took your consent. You can do this in writing or verbally.
The fact that consent may be obtained for confidentiality purposes does not mean that consent must also be the lawful basis applied for the purposes of processing data in compliance with the Data Protection Legislation. Well-established national guidance on confidentiality remains applicable.
It should be noted that:
- Data protection requirements (GDPR) do not affect the common law duty of confidence (confidentiality)
- Although the practice of assuming implied consent for processing data for direct care purposes will not comply with the consent standards under the GDPR, this does not mean that implied consent ceases to be valid for confidentiality purposes (e.g. sending a discharge summary to your GP).
Your right to complain to the regulator
Details on how you can do this are included further down the page.
Integrated Digital Care Records (IDCR)
The Trust works with GP practices and social services to make your information available to them.
By doing this:
- You won’t have to repeat your health and social care information
- Care professionals will be able to access it directly.
It is important that you understand that your information will only be used for your care and as set out in this privacy notice. If your identifiable information would be useful for research, we will seek your consent in advance. We may use your anonymised information for research purposes.
You need to be aware, however, that there are possible consequences for your care if you do not allow us to share your information. These will be fully explained to you by your clinician, and could include delays in receiving care or harm to you.
The Trust takes part in the following IDCRs:
- Surrey Care Record
The Surrey Care Record is a local, digital shared care record for health and care professionals across Surrey Heartlands. Please see the Surrey Care Record Privacy Notice for further detail about how personal data included in the shared care record is used and protected. The Surrey Care Record Privacy Notice also provides information on how individuals can exercise their rights with respect to data shared via the Surrey Care Record.
- Connecting Your Care 2 - South West London Health and Care Partnership (also known as Connecting Your Care – CYC2)
Health and social care organisations are improving the way we connect your care across south west London. Health and care professionals will be able to access your records from other health and care organisations when you need them to. This will make it quicker and easier for you when you visit your GP or hospital. Connecting Your Care means that professionals involved in your care, such as your GP, hospital doctors, nurses, social workers and other care organisations, will be able to immediately see important information about you through a secure system, to help them make the best decisions about your care, which could be lifesaving in emergency situations.
If you are happy for your information to be shared in this way, then you don’t need to do anything. If you do not want your information to be shared, you have the right to opt out; please follow the process below. Before opting out, please make sure you have read these FAQs (opens in a new window) so that you understand the benefits that we believe being part of this programme will bring you.
For additional information about the ‘Connecting Your Care’ programme please see the ‘Connecting Your Care’ leaflet and Frequently Asked Questions, which can be found at: www.swlondon.nhs.uk/connectingyourcare
Read the Connecting Your Care Privacy Notice (opens in new window).
Your right to object to the sharing of your information with the IDCRs
If you DO NOT want Epsom and St Helier Hospital to share your record with these systems, please contact the data quality team at this email address esth.dq@nhs.net
What information does the Integrated Care Record contain?
The doctors, nurses and team of healthcare professionals caring for you keep records about your health and any treatment and care you receive from the NHS. These records help to ensure that you receive the best possible care. These records may include:
- Details about you such as name, address, date of birth, emergency contact
- Contact we have had with you such as appointments or clinic visits
- Notes and reports about your health, treatment and care
- Test results, medication, allergies, mental health information
- Relevant information from health and social care services.
The South West London Radiology Picture Archiving and Communications System (PACS)
Supplementary privacy information for the South West London (SWL) Picture Archiving and Communications System (PACS) and Radiology Information System (RIS).
The PACS is a computer system that stores clinical images such as X-Rays and Ultrasound scans, and the RIS is a computer system that is used to manage the electronic radiology systems and processes.
Both systems give those from any of the partner organisations who are providing you with care timely access to your diagnostic imaging and outcome information.
The partners in the SWL PACS system are:
Epsom and St Helier University Hospitals NHS Trust (lead partner)
St George’s University Hospitals NHS Foundation Trust
Kingston Hospital NHS Foundation Trust
Hounslow and Richmond Community Healthcare NHS Trust
Croydon Health Services NHS Trust
These partners are joint data controllers of your information held in the SWL PACS and RIS. This means they are jointly responsible for the use of your information, including keeping it safe.
The partners will process your information under one or more of the following legal bases under the UK GDPR:
Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Special categories of personal data:
Article 9(2)(h): processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.
Under the Common Law Duty of Confidentiality, information can be shared for the purposes of direct care with the reasonable expectation that the data subject understands their data will be shared. The Common Law Duty of Confidentiality is met on the basis that access by staff is for the provision of care to individuals and can be classed as ‘reasonably expected/consent implied’.
If you require a copy of your information held in the radiology system, please contact the Trust(s) providing your care.
They will have appropriate procedures for accessing your information, also known as a Subject Access Request (SAR).
The individual partners’ privacy notices can be found on their respective websites, as below:
Epsom and St Helier University Hospitals NHS Trust
https://www.epsom-sthelier.nhs.uk/your-information-and-what-you-should-know
St George’s University Hospitals NHS Foundation Trust
https://www.stgeorges.nhs.uk/about/privacy-notice/
Kingston Hospital NHS Foundation Trust
https://kingstonhospital.nhs.uk/privacy-policy/
Croydon Health Services NHS Trust
https://www.croydonhealthservices.nhs.uk/your-health-record
Hounslow and Richmond Community Healthcare NHS Trust
https://hrch.nhs.uk/patients-and-families/your-patient-records
Vulnerable Persons Reporting System
Fair processing notice for supporting vulnerable people in an emergency.
Supporting Vulnerable People in an Emergency - Privacy Notice
In an emergency that could affect you in your place of residence (such as a fire, flood or even a prolonged utility loss), responding organisations across Surrey work together to identify people who are known to services and who may be adversely impacted during such an event. We co-ordinate the sharing of appropriate data about such people so that help and support can reach those in need quickly.
The legal basis for this processing is:
“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
Processing is required by the Civil Contingencies Act 2004, which requires all Category 1 responders (of which Epsom & St Helier University Hospitals NHS Trust (ESTH) is one) to share information and cooperate with other emergency responders to ensure a coordinated response to an emergency, and to care for those impacted.
Also under the UK GDPR:
Article 6(1)(c): the processing is necessary for compliance with a legal obligation to which the controller is subject
and
Article 9(2)(g): processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
How are we doing this?
Surrey County Council uses the data in the event of an emergency. For this purpose the Trust shares some information about people under our care with Surrey County Council and with other organisations, such as other care providers, district and borough councils and Surrey County Council Adult Social Care Services.
Only the minimum amount of information about each person is shared.
What does this mean for you?
- We only share personal information where it is in the best interests of the individual or where we are under a legal obligation to do so
- Your information will continue to remain private and secure and will only be accessed if there's a possibility that your welfare may be compromised due to an emergency, so that appropriate help and support can be provided
- Working in this way will enable emergency staff to locate potentially known vulnerable people sooner
- It will also allow care and support to be tailored accordingly in times of need.
For details about the emergency planning process please see Surrey's Local Resilience Forum web pages
Surrey County Council’s Fair Processing Notice can be read here
If you would like to know more about this initiative, then please contact Binu Cherian Chief Operating Officer, Surrey Downs Health and Care on 07770 684 846.
The national data opt-out
NHS Digital has provided a system to support the national data opt-out which gives patients more control over how their confidential patient information is used. The system offers patients and the public the opportunity to make an informed choice about whether they wish their confidential patient information to be used for research and planning purposes in addition to their individual care and treatment.
Read more about the National Data Opt Out (opens in a new window) including how to make your choice.
Closed Circuit Television (CCTV)
The Trust makes use of CCTV systems, including body worn cameras, for crime prevention in line with the Information Commissioner’s CCTV code of practice.
If you email us
Please note that we may use email monitoring or blocking software.
You have a responsibility to ensure that any email you send to us is within the bounds of the law.
Please note that emails sent to us may not be secure in transit, that we cannot take any responsibility for the security of your email before it is received by the Trust and we may choose not to reply via email if we have concerns regarding confidentiality and/or security.
If you email us or give us your email address then you accept that we may communicate with you via email.
Email is not a guaranteed delivery service - if your communication is important please confirm we have received it by other means.
It is your responsibility to ensure we and your GP have up to date contact details for you.
Further information, complaints and your right to complain to the Regulator
For further information or if you would like to make a complaint, please contact:
The Patient Advice and Liaison Service (PALS) on 020 8296 2508 or via email at est-tr.PALS@nhs.net
If you would like this leaflet in your own language, in large print, in Braille or audiotape please contact the PALS team.
If you feel that we have not adequately dealt with your complaint regarding how we process your information you can raise the issue with the Information Commissioner who is the supervisory authority for the United Kingdom (the Regulator) at the address below:
Information Commissioner's Office
The ICO's offices will be closed for the foreseeable future. They are therefore unable to receive correspondence via post. Please instead contact the ICO by completing their online contact form: https://ico.org.uk/global/contact-us/ or by calling the number below.
By phone: 0303 123 1113
By letter (temporarily unavailable):
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
By email casework@ico.org.uk
Website: ico.org.uk (opens in a new window)
How can you help the Trust?
- By ensuring that your GP has your correct details. It is important that you tell your GP about any change of address or contact details, as this information is used to update your record held by the Trust and may overwrite (replace) information you have given the Trust directly, meaning that correspondence to you or your GP could, for example, be sent to the wrong address
- By pointing out any information in your records which is wrong (telling us when you change address, GP, email address or telephone number, for example)
- By allowing us to share as much information about you as we need to in order to provide you with the best possible healthcare.
Sometimes, we might ask your permission to use records from which you could be identified for important research. Please give us permission unless you feel strongly that you do not want your information used in this way.
We may use your anonymised (information you can’t be identified by) information for research purposes.