George Eliot Hospital - NHS Trust

General Data Protection Regulations (GDPR) Privacy Notice


Data Controller and Contacts

At GEH we aim to provide you with the highest quality healthcare. To do this we must keep information about you, your health and the care we have provided to you or plan to provide to you. This privacy statement provides a summary of how we use your information.

George Eliot Hospital NHS Trust (GEH) is the Data Controller (and, where applicable, Data Processor) of your data for the purposes of the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation 2016 (GDPR).

ICO Registration Number: Z7279219

What information do we collect about you?

  • Basic details about you, such as name, address, date of birth, contact details, NHS number, GP and next of kin.

  • Contacts we have had with you, such as clinic visits or hospital admissions, and notes and reports about your health and any treatment and care you need.

  • Details and records about the treatment and care you receive; results of investigations such as x-rays, scans and laboratory tests; and relevant information from other health professionals, relatives or those who care for you and know you well.

How will your information be used?

GEH uses your information and records for:

Direct Care and Administrative Purposes

All health and adult social care providers are subject to a statutory duty to process information about a patient for their direct care. This includes:

•  Preventive or occupational medicine,
•  The assessment of the working capacity of an employee,
•  Medical diagnosis,
•  The provision of health care or treatment,
•  The provision of social care, or
•  The management of health care systems or services
•  Waiting list management
•  Performance against national targets
•  Activity monitoring
•  Local clinical audit
•  Patient feedback and service improvement

The Article 6 lawful basis for processing personal data is: 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

The Article 9 condition for processing special category (health) data is: 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Other information:

  • National Health Service and Community Care Act 1990 (which establishes NHS Trusts)
  • NHS England’s powers to commission health services under the NHS Act 2006, or to delegate such powers
  • Section 251B of the Health and Social Care Act 2012 (duty to share information for direct care)


Commissioning and Planning

Most national and local flows of personal data in support of commissioning are established as collections by NHS Digital either centrally, or for local flows by its Data Services for Commissioners Regional Offices (DSCRO).

The Article 6 lawful basis for processing personal data is: 6(1)(c) ‘…for compliance with a legal obligation…’. This applies where the collection or provision of data is a legal requirement, for example where NHS Digital is directed to collect specified data and can require specified organisations to provide it.

The Article 9 condition for processing special category (health) data is: 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Other information:

  • Commissioners may receive personal data in support of commissioning where confidentiality is set aside by provisions under the Health Service (Control of Patient Information) Regulations 2002, commonly known as ‘section 251 support’. This support does not remove the need for GDPR compliance.
  • Trusts are required by the Health and Social Care Act 2012 to provide NHS Digital with information when instructed. This is a legal obligation which overrides any patient wishes. These instructions are called “Directions”. More information on the directions placed on Trusts can be found at https://digital.nhs.uk/article/8059/NHS-England-Directions-


Research

In most cases you will be asked for consent to take part in any research project. Any research project that uses personal identifiable information without seeking consent must have section 251 support, approved through the Health Research Authority’s Confidentiality Advisory Group.

The Trust may share anonymised data for research purposes with third parties.

The Article 6 lawful basis for processing personal data is: 6(1)(a) ‘…the data subject has given consent to the processing of his or her personal data for one or more specific purposes…’ or, in cases where section 251 approval has been granted, 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

The Article 9 condition for processing special category (health) data is: 9(2)(j) ‘…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate…and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject…’

Other information:

A pre-condition of applying Article 9(2)(j) is that the processing has a basis in UK (or EU) law. This basis includes compliance with the common law duty of confidence, the provisions of the DPA 2018 that relate to research and statistical purposes, and other relevant legislation, for example section 251 support.

Public Health Functions

This covers processing that is necessary for reasons of public interest in the area of public health and is carried out (i) by or under the responsibility of a health professional, or (ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

The Article 6 lawful basis for processing personal data is: 6(1)(c) ‘…necessary for compliance with a legal obligation…’

The Article 9 condition for processing special category (health) data is: 9(2)(i) ‘…necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’

Other information:

  • Health Protection (Notification) Regulations 2010
  • Public Health (Control of Disease) Act 1984, as amended by the Health and Social Care Act 2008

Safeguarding

Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”. 

Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees. The purpose of the processing is to protect the child or vulnerable adult.

The Article 6 lawful basis for processing personal data is: 6(1)(c) ‘…necessary for compliance with a legal obligation…’

The Article 9 condition for processing special category data is: 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law…’

Other information:

  • This sharing is a legal and professional requirement and therefore there is no right to object.
  • The data will be shared with local safeguarding services


CCTV

We may record CCTV images of people approaching, entering or passing our buildings to:

  1. help staff and visitors feel safer
  2. act as a deterrent to offenders
  3. allow the collection of evidence to help find and convict offenders

Security staff may wear body worn cameras which can be activated to preserve evidence during incidents.

The Article 6 lawful basis for processing personal data is: 6(1)(f) ‘…processing is necessary for the purposes of the legitimate interests pursued by the controller…’

Other information:

CCTV data may be shared with third parties such as the police or courts where there is a legal basis to do so

The personal information we collect about you may also be used to:

  • Remind you about your appointments and send you relevant correspondence
  • Review the care we provide to ensure it is of the highest standard and quality, e.g. through audit, service improvement and research
  • Support the funding of your care, e.g. with commissioning organisations
  • Prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies
  • Help to train and educate healthcare professionals
  • Report and investigate complaints, claims and untoward incidents
  • Report events to the appropriate authorities when we are required to do so by law
  • Review your suitability for research studies or clinical trials
  • Teach clinicians
  • Contact you with regards to patient satisfaction surveys relating to services you have used within our hospital, so as to further improve our services to patients


Where possible, we will anonymise or pseudonymise your personal information to protect patient confidentiality, unless there is a legal basis that permits us to use identifiable information, and we will only use or share the minimum information necessary.

National Data Opt-Out

George Eliot Hospital NHS Trust is one of many organisations working in the health and care system to improve care for patients and the public. 

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning, so that you cannot be identified and your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.  On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is compliant with the national data opt-out policy.


What is the legal basis for processing your data, and what are your rights?

For processing to be lawful under the GDPR, George Eliot Hospital NHS Trust is obliged to identify a lawful basis before it can process personal data. The obligation requires GEH to satisfy a condition under Article 6 and, where special category data is being processed, also under Article 9. For George Eliot Hospital's purposes, the following condition, under Article 6, for lawful processing will apply: 6(1)(e) ‘for the performance of a task carried out in the public interest or in the exercise of official authority’

There may be occasions when the data subject’s consent will provide the legal basis for the processing of their personal data: 6(1)(a) – Consent of the data subject

For necessary processing of special categories, e.g. health data, including for occupational health purposes, the following condition under Article 9 will apply: 9(2)(h) ‘Processing is necessary for the purposes of preventive or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional’

As information relating to criminal convictions and offences is not special category data

Under the GDPR you have the following rights:

1. To be informed why, where and how we use your information.

2. To ask for access to your information.

3. To ask for your information to be corrected if it is inaccurate or incomplete.

4. To ask for your information to be deleted or removed where there is no need for us to continue processing it.

5. To ask us to restrict the use of your information. 

6. To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.

7. To object to how your information is used.

8. To challenge any decisions made without human intervention (automated decision making).

9. You have the right to refuse /withdraw consent to information sharing at any time. The possible consequences will be fully explained to you and could include delays in receiving care

Who do we share information with?

We will share information with the following main partner organisations:

  • Other NHS Trusts and hospitals that are involved in your care
  • Clinical Commissioning Groups and other NHS Bodies
  • General Practitioners (GPs)
  • Ambulance Trusts

Sharing with non-NHS organisations

For your benefit, we may also need to share information from your records with non-NHS organisations who are providing you with care or other services, such as social services or private healthcare organisations.

We may also be asked to share basic information about you, such as your name and parts of your address, that does not include special category information from your health records. Generally, we would only do this to assist another organisation in carrying out its statutory duties (for example monitoring use of healthcare services, public health, or national audits).

Non-NHS organisations may include, but are not restricted to:

  • social services,
  • education services,
  • local authorities,
  • the police,
  • voluntary sector providers and
  • private sector providers.

Where do we obtain your information from?

The Trust will collect data about you in a number of ways. The main method of collection is directly from you. The Trust also receives information from other NHS bodies and services.

Transfers outside the European Economic Area

The Trust will ensure that personal confidential data, even where the transfer would otherwise constitute fair processing, will not be disclosed or transferred outside the European Economic Area to a country or territory which does not ensure an adequate level of protection for the rights and freedoms of data subjects, unless certain exemptions apply or protective measures are taken.

How do we keep your information confidential?

We protect your information in the following ways:

Training

Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community. Staff must undertake annual mandatory training in information governance and data security awareness.

DSP Toolkit

All NHS Trusts are required to complete an annual self-assessment against the Data Security and Protection (DSP) Toolkit. Published assessments can be found at https://www.dsptoolkit.nhs.uk/organisationsearch

Access controls

Any member of staff being given access to national systems holding patient information will need a special access card called a smartcard, along with a username and password. Many of our local systems also require smartcard access.

Audit trails

We keep a record in the newer electronic record systems of anyone who has accessed a health record or added notes to it. Some of the older computer systems only record who has amended a record.

Investigation

If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.

Records Management

All healthcare records are stored confidentially in a secure location.

Caldicott Guardian

Within each NHS organisation there is a designated senior person, the ‘Caldicott Guardian’, who is responsible for protecting the confidentiality of patient information and ensuring it is used and shared appropriately. The Caldicott Guardian for George Eliot Hospital NHS Trust is Dr Catherine Free.

GDPR Additional information

Under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:

a) Processed lawfully, fairly and in a transparent manner in relation to individuals;

b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Personal Data

"Personal data" means information relating to a natural (living) person or "data subject", which can be used to identify the person. This provides for a wide range of information to constitute personal data, for example:

  • name
  • identification number
  • social media posts
  • location data
  • online identifier

Special category of personal data

"Special category of personal data" means information which is thought to be "extra sensitive" such as ethnicity, sexual orientation and religion.

Data controller

"Data controller" means the organisation that determines or decides the purposes, conditions and means of the processing of personal data.

Processing

"Processing" means anything that is done to the personal data we hold.

Pseudonymisation

"Pseudonymisation" is the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information.

What's new?

Special category data is broadly similar to the concept of sensitive personal data under the 1998 Data Protection Act. The requirement to identify a specific condition for processing this type of data is also very similar.

One change is that the GDPR includes genetic data and some biometric data in the definition. Another is that it does not include personal data relating to criminal offences and convictions, as there are separate and specific safeguards for this type of data within GDPR.

What’s different about special category data?

Special category data is personal data which the GDPR says is more sensitive, and so needs more protection. In order to lawfully process special category data, both an Article 6 lawful basis and a separate Article 9 condition for processing special category data must be identified. These do not have to be linked.

Special category data includes information about an individual’s: race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation. This type of data could create more significant risks to a person’s fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination.

What are the conditions for processing special category data?

There are ten conditions for processing special category data in Article 9(2) of the GDPR itself, and the Data Protection Act 2018 (Schedule 1) sets out additional conditions and safeguards that apply to several of them.

The condition for processing special category data must be determined before you begin this processing under the GDPR and you should document it.

(a) the data subject has given explicit consent to the processing of their personal data for one or more specified purposes;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Special categories of data

  • Racial/Ethnic origin

  • Political opinions

  • Religious/philosophical beliefs

  • Health

  • Trade union membership

  • Genetic or biometric data (where used for identification purposes)

  • Sex life/Sexual orientation


Data Protection Officer

GEH, as the Data Controller, is committed to protecting the rights of individuals in line with the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR).

George Eliot Hospital has a Data Protection Officer (DPO). If you have any concerns about how your data is processed, please contact the Data Protection Officer by email: data.protectionofficer@geh.nhs.uk


Frequently Asked Questions

How long do we keep your information?

Records are retained in accordance with national guidance from the Department of Health and Social Care and the Records Management Code of Practice for Health and Social Care 2016. Records including confidential information are securely destroyed in line with this code of practice.

The Trust does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.

How do I make a complaint?

We aim to meet the highest standards when collecting and using personal information. We encourage people to bring concerns to our attention and we take any complaints we receive very seriously. You can submit a complaint through the Trust’s Complaints Procedure, which is available on our web site, or you can write to:

Data Protection Officer

George Eliot Hospital

College Street

Nuneaton

CV10 7DJ

Data.ProtectionOfficer@geh.nhs.uk

 

If you remain dissatisfied with the Trust’s decision following your complaint, you may wish to contact:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Their web site is at www.ico.gov.uk