[Skip to content]

  • High Contrast
  • High Contrast
  • Normal Contrast
George Eliot Hospital - NHS Trust
Search our Site
Advanced Search How To Find Us
.

General Data Protection Regulations (GDPR) Privacy Notice

About GDPR Privacy Notice

The European Union General Data Protection Regulations (GDPR) will come into force on 25th May 2018. 

This regulation replaces the current Data Protection Act 1998 and brings in a number of new elements and significant enhancements.

The EU General Data Protection Regulation (GDPR) includes rules on giving privacy information to data subjects in Articles 12, 13 and 14. These are more detailed and specific than in the Data Protection Act 1998 and place an emphasis on making privacy notices more transparent, intelligible, written in clear and plain language and easily accessible.

The GDPR defines personal data as the following: ‘Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’ ‘Special categories’ of personal data (sensitive personal data) relate to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

This regulation replaces the current Data Protection Act 1998 and brings in a number of new elements and significant enhancements listed below;

  • Awareness
  • Information you hold
  • Communicating privacy information
  • Individuals’ rights
  • Subject access requests
  • Lawful basis for processing personal data
  • Consent
  • Children
  • Data breaches
  • Data Protection by Design and Data Protection Impact Assessments
  • Data Protection Officers
  • International

 

Further information about these changes can be found here.

Preparing for GDPR - 12 Steps

What information do we collect about you

  • Basic details about you, such as name, address, date of birth, NHS number, GP and next of kin
  • Contacts we have had with you, such as clinic visits or hospital admissionsnotes and reports about your health and any treatment and care you need 
  • Details and records about the treatment and care you receive results of investigations, such as x-rays, scans and laboratory tests relevant information from other health professionals, relatives or those who care for you and know you well 

How will your information be used?

Your doctor, nurse or any other healthcare professional involved in your care has accurate and up-to-date information to assess your health and decide what care you need when you visit us we can contact you for health checks (for example, immunisation, cervical smears, breast screening or other preventative treatment) full information is available should you see another doctor, be referred to a specialist or another part of the NHS there is a good basis for assessing the type and quality of care you have received your concerns can be properly investigated if you need to complain

What is our legal basis for processing your personal data?

For processing to be lawful under the GDPR, George Eliot Hospital NHS Trust is obliged to identify a lawful basis before it can process personal data. The obligation requires GEH to satisfy a condition under Article 6 and, where special category data is being processed, also under Article 9. For George Eliot Hospital's purposes, the following condition, under Article 6, for lawful processing will apply: 6(1)(e) ‘for the performance of a task carried out in the public interest or in the exercise of official authority’

There may be occasions when the data subject’s consent will provide the legal basis for the processing of their personal data: 6(1)(a) – Consent of the data subject

For necessary processing of special categories, e.g. health data for employment purposes the following condition, under Article 9, will apply: 9(2)(h) ‘Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional’

As information relating to criminal convictions and offences are not special categories

Your rights

Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) you have a number of rights with regard to your personal data. You have the right to request from us access to and rectification of your personal data, If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn.

GDPR Individual Rights

Personal information held for patients consists of your name, date of birth, marital status, National Health Service number, address, contact telephone numbers, medical condition, your next of kin and a contact number for them.

Your personal information is used solely for the purposes of 6(1)(e) and 9(2)(h), please see link;https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr

Who will your information be shared with

Your personal information will be shared with:
  • NHS Trusts
  • Commissioning Support Units
  • General Practitioners (GPs)
  • Ambulance Services
 
If it is necessary to share your information with other agencies, it will be subject to strict controls and data sharing agreements describing how your information may be used and what portion of it, for example:


  • NHS Common Service Agencies such as dentists, ophthal mic services etc.
  • Social Care Services
  • Education Services
  • Local Authorities
  • Voluntary or Private Sector Providers

 
You have the right to access this information to ensure that it is accurate. Please let the Data Protection Officer know if you would like to do this.
Your data is processed in Accordance with the provisions of the General Data Protection Regulations as stated above

How do we keep your information confidential?

We protect your information in the following ways:

Training - Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community.

Access controls - Any member of staff being given access to national systems holding patient information will need a special access card called a smartcard, along with a username and password. Many of our local systems also require smartcard access.

Audit trails - We keep a record in the newer electronic record systems of anyone who has accessed a health record or added notes to it. Some of the older computer systems only record who has amended a record.

Investigation - If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.

Records Management - All healthcare records are stored confidentially in a secure location.

Legislation - There are laws in place to protect your information, including the General Data Protection Regulation and the Human Rights Act 1998.

Caldicott Guardian - Within each NHS organisation there is a designated person named the ‘Caldicott Guardian’ whose responsibility it is to ensure that these laws are upheld. The Caldicott Guardian for the George Eliot Hospital NHS Trust is Dr Catherine Free.

GDPR Additional information

Under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:

a) Processed lawfully, fairly and in a transparent manner in relation to individuals;

b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

For the purposes of this Regulation:

1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2. ‘processing’means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3. ‘restriction of processing’means the marking of stored personal data with the aim of limiting their processing in the future;

4. ‘profiling’means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

5. ‘pseudonymisation’means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional informationiskeptseparatelyandissubjecttotechnicalandorganizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

6. ‘filing system’means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

7. ‘controller’means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

8. ‘processor’means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

9. ‘recipient’means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

10. ‘third party’means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

11. ‘consent’of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

12. ‘personal data breach’means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

13. ‘genetic data’means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

14. ‘biometric data’means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

15. ‘data concerning health’means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

16. ‘main establishment’ means:

i. as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

ii. as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

17. ‘representative’means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article27, represents the controller or processor with regard to their respective obligations under this Regulation;

18. ‘enterprise’means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

19. ‘group of undertakings’means a controlling undertaking and its controlled undertakings;

20. ‘binding corporate rules’means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;

21. ‘supervisory authority’means an independent public authority which is established by a Member State pursuant to Article51;

22. ‘supervisory authority concerned’means a supervisory authority which is concerned by the processing of personal data because:

i. the controller or processor is established on the territory of the Member State of that supervisory authority;
ii. data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

iii. a complaint has been lodged with that supervisory authority;

23. ‘cross-border processing’means either:

i. processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State;or

ii. processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

24. ‘relevant and reasoned objection’means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

25. ‘information society service’means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535of the European Parliament and of the Council;

26. ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

What's new?

Special category data is broadly similar to the concept of sensitive personal data under the 1998 Data Protection Act. The requirement to identify a specific condition for processing this type of data is also very similar.

One change is that the GDPR includes genetic data and some biometric data in the definition. Another is that it does not include personal data relating to criminal offences and convictions, as there are separate and specific safeguards for this type of data within GDPR.

What’s different about special category data?

Special category data is personal data which the GDPR says is more sensitive, and so needs more protection. In order to lawfully process special category data, both a lawful basis must be identified and a separate condition for processing special category data. These do not have to be linked.

This is because special category data is more sensitive, and so needs more protection. For example, information about an individual’s: race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation. In particular, this type of data could create more significant risks to a person’s fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination.

What are the conditions for processing special category data?

There are ten conditions for processing special category data in the GDPR itself, but the Data Protection Bill will introduce additional conditions and safeguards.

The condition for processing special category data must be determined before you begin this processing under the GDPR and you should document it.

(a) the data subject has given explicit consent to the processing of their personal data for one or more specified purposes;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services with a health professional;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Special categories of data

  • Racial/Ethnic origin

  • Political opinions

  • Religious/philosophical beliefs

  • Health

  • Trade Union

  • Genetic or biometric data

  • Sex life/Sexual orientation

GDPR

Data Controller and Contacts

George Eliot Hospital NHS Trust (GEH) is the Data Controller [and Data Processor] of data for the purposes of the DPA18 and GDPR. 

GEH as the Data Controller is committed to protecting the rights of individuals in line with the Data Protection Act 1998(DPA) and the new General Data Protection Regulation(GDPR).

George Eliot Hospital has a Data Protection Officer (DPO) and if you have any concerns as to how your data is processed please contact the Data Protection Officer by email:  data.protectionofficer@geh.nhs.uk

Information Commissioner

Information Commissioner Advice about GDPR

GDPR Individual Rights

Frequently Asked Questions

How long do we keep your information?

George Eliot Hospital NHS Trust is obliged to retain your data in accordance with the Department of Health’s Records Management Code of Practice 2016.

Any requests or objections should be made in writing to the Data Protection Officer above.

How do I make a complaint

If you are unhappy with the way in which your personal data has been processed you may in the first instance contact the Data Protection Officer using the contact details above.

If you remain dissatisfied then you have the right to apply directly to the Information Commissioner for a decision.

The Information Commissioner can be contacted at: -

Information Commissioner's Office

 

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF 

www.ico.org.uk