Protecting your confidentiality
This Fair Processing Notice informs all users of Buckinghamshire Healthcare NHS Trust how we use the information we collect, who we share it with and how we maintain patient confidentiality.
Here at Buckinghamshire Healthcare NHS Trust we collect and process personal and sensitive data about our service users to ensure that you receive the best possible treatment and care.
Information is collected in a number of ways, either via your healthcare professional, referral details from your GP or other referrers, or directly given by you.
The Trust has to provide a legal basis for the processing of your information. Under the Data Protection Act, the Trust may process information which is appropriate to provide the health and social care treatment to patients, as well as the management of health or social care systems and services.
Your information is never collected for direct marketing purposes and is not sold on to any other third parties.
We collect information and maintain records about your health and treatment in order to make sure that you receive the best possible care. This information may be stored electronically or in written form and may include:
- your name, address, date of birth, next of kin, ethnicity and contact details
- details about your care and treatment such as appointments, test results, medical history, symptoms, prescriptions, x-rays
- relevant information from other health and social care professions who care for you.
This information assists staff involved in your care to deliver and provide improved care and deliver appropriate treatment and care plans to meet your needs. All information about you is treated confidentially and only ever shared on a ‘need to know’ basis.
It is essential therefore that your details are accurate and up to date. Always check that your personal details are correct and up to date when you visit us and please inform us of any changes as soon as possible.
The Trust also records CCTV images for the prevention and detection of crime and to protect staff, patients and visitors and Trust property.
We take our duty to protect your personal information and confidentiality very seriously and everyone working for the NHS has a legal duty to keep information about you confidential and secure, as set out in the NHS Confidentiality Code of Conduct.
The information is held and processed in accordance with and under the legal governance of:
- UK Data Protection Act 2018
- UK General Data Protection Regulation
- Human Rights Act 1998
- Health and Social Care Act 2015
- Common Law Duty of Confidentiality
- The Health Service Act 2006
- Records Management NHS Code of Practice for Health and Social Care
We are regularly audited and assessed to ensure that appropriate security measures and good practice is in place. We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel only.
The Trust has appointed a Senior Information Risk Owner, who provides the focus for the management of information risk and provides our Trust Board with assurance that information risk is being managed appropriately and effectively across the organisation.
We have also appointed a Caldicott Guardian, who is a senior health professional responsible for protecting the confidentiality of patient and service-user information and enabling and overseeing appropriate information-sharing.
All employees of the Trust are bound by the terms and conditions of their professional ethic codes of practice and contractual employment contract. Only authorised staff who have a legitimate involvement in your care are given access to your records.
Any potential breach of confidentiality is a staff disciplinary offence and is taken very seriously. We also ensure that other organisations for example, suppliers who support us, have adequate information security standards in place.
All information held by the Trust is used specifically for the purposes it was consented to unless statutory legislation permits otherwise, for example disclosure is required to protect the health and safety of others who may be put at risk, or there is an urgent safeguarding matter to resolve.
We will only keep your information as long as is necessary and in accordance with the retention periods set out in the Record Management Code of Practice 2021- NHSX.
All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.
Direct care purposes
The Trust will normally share information about you with other health and social care professionals directly involved in your care, so that you may receive the best quality of care.
The Trust also works in partnership with a number of NHS and non-NHS organisations to deliver joined up, integrated services to give you the best care possible. This may involve the Trust routinely sharing information with third parties where there is a genuine need for information to be shared, and they are subject to strict information sharing protocols.
Data sharing agreements with third party organisations are in place to ensure that the requirements of law and guidance are being met.
Anyone who receives information from the Trust has a legal duty to keep it confidential and secure. Only information that is required and appropriate to support your care and treatment will be provided.
Where we share information with other organisations that do not form part of your care, permission from yourself will be sought before disclosure, unless we have a legal obligation to provide the information or public interest is thought to be of greater importance.
Principal organisations we share information with include:
- NHS Trusts involved in your care
- Ambulance services
- Private health sector providers who work with the Trust
Buckinghamshire’s Shared Care Record and the Thames Valley and Surrey Local Health and Care Record (LHCR)
Within Buckinghamshire, the Trust participates in a Shared Care Record which provides authorised health and social care staff for example, Emergency Department, Minor Illness and Injury Unit, 111 Out of Hours, with controlled access to relevant information to help them to make informed decisions about your care and treatment.
The Trust is moving to an Integrated Care Partnership in which healthcare providers, commissioners and local authorities take explicit collective responsibility for resourcing the provision of health in our area. Your information may be securely shared between members of the consortium through the shared care record, to ensure that the optimum timely care is provided to you.
Employees are only allowed to access the information necessary to effectively perform their job duties using role-based access controls and discretionary access only.
Buckinghamshire’s shared care record is part of the Thames Valley and Surrey (TVS) Local Health and Care Record (LHCR) Partnership, which has the same aim, but on a wider footprint and helps ensure the right services are available wherever and whenever someone needs care.
TVS will use the same data for the same purposes for when/if you receive treatment across TVS. It allows patient data and patient health and care information to be shared across Berkshire, Buckinghamshire, Milton Keynes, Oxfordshire and Surrey (Thames Valley and Surrey).
All information will be stored securely on a protected NHS IT system and only accessed by authorised professionals.
If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable. Please discuss any concerns with the clinician treating you so that you are aware of any potential impact.
If you object to us sharing your information we will record this explicitly within your records so that all healthcare professionals and staff involved with your care are aware of your decision. You can also change your mind at any time about a disclosure decision.
The Trust has a legal obligation to share data where it is in respect of:
- the notification of births.
- where a formal court order has been served on us.
- to third parties such as the Police, the Department of Work and Pensions and anti-fraud agencies where it is for the purpose of the prevention and detection of crime and fraud.
- to protect public interest
- to safeguard vulnerable children and adults
- health and safety purposes
(This list is not exhaustive).
We may also share anonymised data with Clinical Commissioning Groups for performance and commissioning purposes.
Indirect care purposes
Your information will also be used to help us manage and improve the NHS and protect the health of the public by using it to:
- review the care we provide to ensure it is of the highest standard and quality
- ensure our services can meet patient needs in future
- investigate patient queries, complaints and legal claims
- ensure the hospital receives payment for the care you receive
- prepare statistics on NHS performance
- audit NHS accounts and services
- undertake health research and development (with your consent)
- help train and educate healthcare professionals
- patient satisfaction surveys
Nationally there are strict controls on how your information is used for these purposes. These regulate whether your information has to be anonymised first and with whom we may share identifiable information.
In addition, we may arrange for overseas or external transcription companies to type dictated correspondence. In order to maintain confidentiality, your name and address is not added until the typed correspondence has been returned to us, so it is not possible for anyone outside the Trust to identify you. Any transfer will be made in full compliance with all aspects of the Data Protection requirements.
The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these helps to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent. Where information sharing is required with third parties, we will always have a relevant contractual obligation and Data Sharing Agreement in place.
As well as the right to privacy and to expect the NHS to keep your information confidential and secure, you have certain other legal rights, including a right to have your information processed fairly and lawfully. These are:
- Right to be informed – This encompasses our obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over why, where and how we use personal data
- Right of access – You have the right to obtain confirmation that your data is being processed and for what purposes. You can request a copy of your health record and other supplementary information we hold about you. This is commonly known as a Subject Access Request
- Right to object – You have the right to object to us making use of your information for any reason other than direct healthcare e.g. processing for purposes of scientific/historical research and statistics, direct marketing including profiling.
- Right to restrict processing – You can ask us to change or restrict the way we use your information. This is not an absolute right and only applies in certain circumstances
- Right to erasure – You have the right to ask for your information to be erased where there is not a legal ground to keep it, or compelling reason for its continued processing, and to prevent processing in specified circumstances. However, this depends on the legal justification for why you provided the data. For instance, medical records are collated under the Health and Social Care Act and therefore are not able to be erased.
- Right to rectification – You have the right to have your personal data rectified if you believe it to be incomplete or inaccurate
- Right to data portability – Allows you to obtain and reuse your personal data for your own purposes, across different services
- You have the right to prevent automatic decision making. This means to not be subject to a decision based solely on automated processing (e.g. the decision is made via a computer).
- You have the right to prevent profiling. This is when the recording and analysis of a person’s psychological and behavioural characteristics are used. However, health profiling is sometimes essential to help us support wellness.
The NHS Constitution states, “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objection considered”.
In order for us to consider your request please contact us in writing either by letter to:
Medical Records Department
Stoke Mandeville Hospital
Buckinghamshire Healthcare NHS Trust
Aylesbury, Bucks HP21 8AL
or via email at firstname.lastname@example.org
The national data opt-out, introduced on 25th May 2018, is a service that allows people to opt out of their confidential patient information being used for research and planning.
Further information can be found on the following website: https://digital.nhs.uk/national-data-opt-out
To register your choice to opt out if you do not want your data to be used for research and planning, visit www.nhs.uk/my-data-choice. If you choose to opt out you can still consent to your data being used for specific purposes.
Buckinghamshire Healthcare Trust has put systems and processes in place to ensure compliance with the National Data opt-out.
We have charitable funds which are administered by the Trust charity the Buckinghamshire Healthcare NHS Trust Charitable Fund, Registered Number: 1053113.
We shall endeavour to ensure that the personal information we obtain will always be held, used and otherwise processed in accordance with the UK GDPR and Data Protection Act 2018 and all other applicable data protection laws and regulations.
We collect personal information when you donate money, undertake fundraising activities, ask about our activities, register on our website, order products and services (such as publications and email newsletters), or otherwise give us personal information online, in paper or electronic form, over the phone or face to face. We only collect your debit/credit card details if you provide them to us to make a donation. The card details are deleted once the donation is processed. We only collect bank account details if you set up a direct debit payment for regular donations to us.
We do not and never will sell or swap your data. We will use your personal information to provide you with the services, products or information you have requested, for administration purposes and to further our charitable aims, including for fundraising activities. We may need to share your information with our service providers such as external mailing houses that process our appeals. We will always have strict data protection arrangements in place with these fulfilment organisations. Any information we collect is stored and processed in the UK. We reserve the right to share your personal information if we are legally obliged to and to enable us to apply our terms and conditions and other agreements. This includes exchanging information with other organisations for fraud and credit risk reduction and for police investigations. We will ensure that there are appropriate technical controls in place to protect your personal details and our network is protected and routinely monitored.
The charity fund raising makes a significant contribution to the quality of care provided by the Trust by supporting research, enabling the provision of additional facilities or equipment that enhances patient experience. The Charity has always adopted the Mission, Vision, Values and Aims from the Trust.
When attending the Trust for an outpatient appointment or procedure, patients may be asked to confirm their contact number/mobile telephone number. We may use these numbers or where you have provided your contact details for the National Summary Care Record via your GP, to send your appointment details and reminder messages via SMS text message.
Most of our patients appreciate these reminders and it can help in reducing the number of missed appointments. If you do not wish to receive these texts, please inform the relevant department involved.
We run surveys to improve the quality of care and treatment provided to patients, by contacting patients or their carers after discharge from hospital. If you do not wish to be contacted in this way, please inform the ward staff during admission. The Trust may also use your details to contact you with regards to patient satisfaction surveys or clinical audits, including National Audits relating to services you have used within our hospital. This is to improve the way we deliver healthcare to you and other patients.
The Trust may also pass your contact information to approved contractors to carry out surveys for the purpose of NPSP. Only anonymised reports produced by the survey programme are used to help make service improvements.
We may process anonymised, pseudonymised or limited Personal Confidential Data (PCD) with other public sector organisations for the purposes of clinical audit or patient satisfaction surveys e.g. the National Audit of Care at the end of Life (NACEL).
Details about any such surveys will be informed through posters and leaflets to enable you to make an informed decision. Any objection to taking part will be respected and you have the right to opt-out of this.
Patients can make a choice about how their data is used by following this link https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/.
Preferences can be changed at any point.
The UK General Data Protection Regulation and UK Data Protection Act Law 2018 give you the right to access the information we hold about you. Requests must be made in writing to:
Medical Records Department
Stoke Mandeville Hospital
The Accessible Information Standard became a legal requirement as at 31st July 2016. Organisations must provide one or more communication or contact methods which are accessible to and useable by all.
Effective information and communication are vital components of a ‘patient centred’ NHS and it is important therefore, that information is presented in an accessible way and in a range of formats and languages.
If you have particular communication needs, we can help you. Please refer to the Accessibility section of our ‘how we support you’ page which explains how we can help and who to contact
Patients who have a concern about any aspect of their care or treatment at this Trust, or about the way their records have been managed, should contact the Patient Advice and Liaison Service (PALS) or write to:
Trust Offices, Amersham Hospital
Buckinghamshire Healthcare NHS Trust
Bucks HP7 0JD
A Data Controller is a person who (either jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.
The Data Controller responsible for keeping your information confidential is:
Buckinghamshire Healthcare NHS Trust
Stoke Mandeville Hospital
Bucks HP21 8AL
Notification with Information Commissioner’s Office (ICO)
The ICO is the UK’s independent regulatory body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
We are data protection registered with the ICO, registration number Z7752080.
Patients have the right to complain to the Information Commissioner, the supervisory authority, if they should ever be dissatisfied with the way the Trust has handled or shared their personal information:
The Information Commissioner’s Office (ICO)
0303 123 1113 or 01625 545745
For further information please contact:
Data Protection Officer
Buckinghamshire Healthcare NHS Trust
Information Governance Department, IT Hub
Bucks HP7 0JD