
Privacy notice

Protecting your confidentiality 

This Fair Processing Notice informs all users of Buckinghamshire Healthcare NHS Trust how we use the information we collect, who we share it with and how we maintain patient confidentiality.

Here at Buckinghamshire Healthcare NHS Trust we collect and process personal and sensitive data about our service users to ensure that you receive the best possible treatment and care.

Information is collected in a number of ways, either via your healthcare professional, referral details from your GP or other referrers, or directly given by you.

In order to lawfully process this personal data, as required under UK Data Protection Act 2018 and the UK General Data Protection Regulation, there must be an appropriate legal basis such as:

  • direct clinical care
  • medical diagnosis and treatment
  • to provide health or social care
  • for the protection of vital interests, for example, to protect physical integrity of life
  • with your consent, or with consent from your authorised representative
  • for the management and planning of health and social care services (secondary indirect care purposes).

Your information is never collected for direct marketing purposes and is not sold on to any other third parties.

We collect information and maintain records about your health and treatment in order to make sure that you receive the best possible care.  This information may be stored electronically or in written form and may include:

  • your name, address, date of birth, next of kin, ethnicity and contact details
  • details about your care and treatment such as appointments, test results, medical history, symptoms, prescriptions, x-rays
  • relevant information from other health and social care professions who care for you.

This information assists staff involved in your care to deliver and provide improved care and deliver appropriate treatment and care plans to meet your needs.  All information about you is treated confidentially and only ever shared on a ‘need to know’ basis.

It is essential therefore that your details are accurate and up to date.  Always check that your personal details are correct and up to date when you visit us and please inform us of any changes as soon as possible.

The Trust also records CCTV images for the prevention and detection of crime and to protect staff, patients and visitors and Trust property.

We take our duty to protect your personal information and confidentiality very seriously and everyone working for the NHS has a legal duty to keep information about you confidential and secure, as set out in the NHS Confidentiality Code of Conduct.

The information is held and processed in accordance with and under the legal governance of:

  • UK Data Protection Act 2018
  • UK General Data Protection Regulation
  • Human Rights Act 1998
  • Health and Social Care Act 2015
  • Common Law Duty of Confidentiality
  • The Health Service Act 2006
  • Records Management NHS Code of Practice for Health and Social Care

We are regularly audited and assessed to ensure that appropriate security measures and good practice are in place.  We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel only.

The Trust has appointed a Senior Information Risk Owner, who provides the focus for the management of information risk and provides our Trust Board with assurance that information risk is being managed appropriately and effectively across the organisation.

We have also appointed a Caldicott Guardian, who is a senior health professional responsible for protecting the confidentiality of patient and service-user information and enabling and overseeing appropriate information-sharing.

All employees of the Trust are bound by the terms and conditions of their professional ethic codes of practice and contractual employment contract.  Only authorised staff who have a legitimate involvement in your care are given access to your records.

Any potential breach of confidentiality is a staff disciplinary offence and is taken very seriously.  We also ensure that other organisations, for example suppliers who support us, have adequate information security standards in place.

All information held by the Trust is used specifically for the purposes it was consented to unless statutory legislation permits otherwise, for example disclosure is required to protect the health and safety of others who may be put at risk, or there is an urgent safeguarding matter to resolve.

We will only keep your information as long as is necessary and in accordance with the retention periods set out in the Record Management Code of Practice for Health and Social Care 2016.

All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.

Direct care purposes

The Trust will normally share information about you with other health and social care professionals directly involved in your care, so that you may receive the best quality of care.

The Trust works in partnership with a number of NHS and non-NHS organisations to deliver joined up, integrated services to users.  This may involve the Trust routinely sharing information with third parties where there is a genuine need for information to be shared, and where patient consent has been provided.

Data sharing agreements with third party organisations are in place to ensure that the requirements of law and guidance are being met.  Principal organisations we share information with include:

  • NHS Trusts involved in your care
  • GPs
  • ambulance services
  • private health sector providers who work with the Trust

Buckinghamshire’s Shared Care Record and the Thames Valley and Surrey Local Health and Care Record (LHCR)

Within Buckinghamshire, the Trust participates in a Shared Care Record which provides authorised health and social care staff (for example, Emergency Department, Minor Illness and Injury Unit, 111 Out of Hours) with controlled access to relevant information to help them to make informed decisions about your care and treatment.

The Trust is moving to an Integrated Care Partnership in which healthcare providers, commissioners and local authorities take explicit collective responsibility for resourcing the provision of health in our area. Your information may be securely shared between members of the consortium through the shared care record, to ensure that the optimum timely care is provided to you.

Employees are only allowed to access the information necessary to effectively perform their job duties using role-based access controls and discretionary access only.

Buckinghamshire’s shared care record is part of the Thames Valley and Surrey (TVS) Local Health and Care Record (LHCR) Partnership, which has the same aim, but on a wider footprint and helps ensure the right services are available wherever and whenever someone needs care.

TVS will use the same data for the same purposes when, or if, you receive treatment across TVS.  It allows patient data and patient health and care information to be shared across Berkshire, Buckinghamshire, Milton Keynes, Oxfordshire and Surrey (Thames Valley and Surrey).

All information will be stored securely on a protected NHS IT system and only accessed by authorised professionals.

If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable.  Please discuss any concerns with the clinician treating you so that you are aware of any potential impact.

If you object to us sharing your information we will record this explicitly within your records so that all healthcare professionals and staff involved with your care are aware of your decision.  You can also change your mind at any time about a disclosure decision.

The Trust has a legal obligation to share data where it is in respect of:

  • the notification of births.
  • where a formal court order has been served on us.
  • to third parties such as the Police, the Department of Work and Pensions and anti-fraud agencies where it is for the purpose of the prevention and detection of crime and fraud.
  • to protect public interest.
  • to safeguard vulnerable children and adults.
  • health and safety purposes.

(This list is not exhaustive).

We may also share anonymised data with Clinical Commissioning Groups for performance and commissioning purposes.

Indirect care purposes

Your information will also be used to help us manage and improve the NHS and protect the health of the public by using it to:

  • review the care we provide to ensure it is of the highest standard and quality.
  • ensure our services can meet patient needs in future.
  • investigate patient queries, complaints and legal claims.
  • ensure the hospital receives payment for the care you receive.
  • prepare statistics on NHS performance.
  • audit NHS accounts and services.
  • undertake health research and development (with your consent).
  • help train and educate healthcare professionals.
  • patient satisfaction surveys.

Nationally there are strict controls on how your information is used for these purposes.  These regulate whether your information has to be anonymised first and with whom we may share identifiable information.

Where information sharing is required with third parties, we will always have a relevant contractual obligation and Data Sharing Agreement in place and will not disclose any health information without your explicit consent unless there are exceptional circumstances, for example, if the health or safety of others was at risk or where the law requires it to carry out a statutory function.

In addition, we may arrange for overseas or external transcription companies to type dictated correspondence.  In order to maintain confidentiality, your name and address is not added until the typed correspondence has been returned to us, so it is not possible for anyone outside the Trust to identify you.  Any transfer will be made in full compliance with all aspects of the Data Protection requirements.

The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness.

All of these help to provide better health and care for you, your family and future generations.  Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.

We have charitable funds which are administered by the Trust charity the Buckinghamshire Healthcare NHS Trust Charitable Fund, Registered Number: 1053113.

The charity fundraising makes a significant contribution to the quality of care provided by the Trust by supporting research, enabling the provision of additional facilities or equipment that enhances patient experience.

The national data opt-out, introduced on 25th May 2018, is a new service that allows people to opt out of their confidential patient information being used for research and planning.

You can register your choice to opt out if you do not want your data to be used for research and planning. If you choose to opt out, you can still consent to your data being used for specific purposes.

Buckinghamshire Healthcare Trust has put systems and processes in place to ensure compliance with the National Data opt-out.

As well as the right to privacy and to expect the NHS to keep your information confidential and secure, you have certain other legal rights, including a right to have your information processed fairly and lawfully.

Right to be informed

This encompasses our obligation to provide ‘fair processing information’, typically through a privacy notice.  It emphasises the need for transparency over why, where and how we use personal data.

Right of access

You have the right to obtain confirmation that your data is being processed and for what purposes.  You can request a copy of your health record and other supplementary information we hold about you.  This is commonly known as a Subject Access Request.

Right to object

You have the right to object to us making use of your information for any reason other than direct healthcare e.g. processing for purposes of scientific/historical research and statistics, direct marketing including profiling.

Right to restrict processing

You can ask us to change or restrict the way we use your information.  This is not an absolute right and only applies in certain circumstances.

Right to erasure

You have the right to ask for your information to be erased where there is not a legal ground to keep it, or compelling reason for its continued processing, and to prevent processing in specified circumstances.

However, this depends on the legal justification for why you provided the data.  For instance, medical records are collated under the Health and Social Care Act and therefore are not able to be erased.

Right to rectification

You have the right to have your personal data rectified if you believe it to be incomplete or inaccurate.

Right to data portability

Allows you to obtain and reuse your personal data for your own purposes, across different services.

Right to prevent automatic decision making

This means to not be subject to a decision based solely on automated processing (e.g. the decision is made via a computer).

Right to prevent profiling

This is when the recording and analysis of a person’s psychological and behavioural characteristics are used.  However, health profiling is sometimes essential to help us support wellness.

The NHS Constitution states,

“You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objection considered”.

So that we can consider your request please contact us in writing either by letter to:

Medical Records Department
Stoke Mandeville Hospital
Buckinghamshire Healthcare NHS Trust
Mandeville Road
Aylesbury
Bucks HP21 8AL

Or email buc-tr.medicalrecords@nhs.net 

When attending the Trust for an outpatient appointment or procedure, patients may be asked to confirm their contact number/mobile telephone number. We may use these numbers, or the contact details you have provided for the National Summary Care Record via your GP, to send your appointment details and reminder messages via SMS text message.

Most of our patients appreciate these reminders and it can help in reducing the number of missed appointments. If you do not wish to receive these texts, please inform the relevant department involved.

The Trust may also use your details to contact you with regards to patient satisfaction surveys relating to services you have used within our hospital.  This is to improve the way we deliver healthcare to you and other patients.

The Trust may also pass your contact information to approved contractors to carry out surveys for the purpose of NPSP.  Only anonymised reports produced by the survey programme are used to help make service improvements.

Details about any such surveys will be communicated through posters and leaflets to enable you to make an informed decision.  Any objection to taking part will be respected and you have the right to opt out of this.

The UK General Data Protection Regulation and UK Data Protection Act 2018 give you the right to access the information we hold about you.  Requests must be made in writing to:

Medical Records Department
Stoke Mandeville Hospital
Mandeville Road
Aylesbury
Bucks
HP21 8AL

The Freedom of Information Act 2000 provides members of the public access to recorded official information held by public authorities, subject to exemptions.  For more details or to request some information from us please see our Freedom of Information page.

The Accessible Information Standard became a legal requirement as at 31st July 2016.  Organisations must provide one or more communication or contact methods which are accessible to and useable by all.

Effective information and communication are vital components of a ‘patient centred’ NHS and it is important therefore, that information is presented in an accessible way and in a range of formats and languages.

If you have particular communication needs, we can help you.  Please refer to the Accessibility section of our ‘how we support you’ page which explains how we can help and who to contact.

Patients who have a concern about any aspect of their care or treatment at this Trust, or about the way their records have been managed, should contact the Patient Advice and Liaison Service (PALS) or write to:

Complaints Department
Trust Offices, Amersham Hospital
Buckinghamshire Healthcare NHS Trust
Whielden Street
Amersham
Bucks HP7 0JD

A Data Controller is a person who (either jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

The Data Controller responsible for keeping your information confidential is:

Buckinghamshire Healthcare NHS Trust
Trust Headquarters
Hartwell Wing
Stoke Mandeville Hospital
Mandeville Road
Aylesbury
Bucks HP21 8AL
 
Notification with Information Commissioner’s Office (ICO)

The ICO is the UK’s independent regulatory body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

We are data protection registered with the ICO, registration number Z7752080.

Patients have the right to complain to the Information Commissioner, the supervisory authority, if they should ever be dissatisfied with the way the Trust has handled or shared their personal information:

The Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

0303 123 1113 or 01625 545745

Information Commissioner’s website

For more information, please contact:

Data Protection Officer
Information Governance Department
Buckinghamshire Healthcare NHS Trust
1st Floor, 66 High Street
Aylesbury
HP20 1SD