• Basic details about you, such as name, address, date of birth, contact details, NHS number, GP and next of kin.

•  

• Contacts we have had with you, such as clinic visits or hospital admissions notes and reports about your health and any treatment and care you need.
• 
  
• Details and records about the treatment and care you receive, results of investigations, such as x-rays, scans and laboratory tests relevant information from other health professionals, relatives or those who care for you and know you well.

    GEH use your information and records for:

Direct Care and Administrative Purposes

All   health and adult social care providers are subject to the statutory duty to process information about a patient for their direct care. This would also include

The lawful basis for processing personal information is: 6(1)(e)   ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’ 

The lawful basis for processing personal data is: 9(2)(h)   ‘…medical diagnosis, the provision of health or social care or treatment or   the management of health or social care systems…’   

Other information:

• NHS Trusts National Health Service and Community Care Act 1990
• NHS England’s powers to commission health services under the NHS Act 2006 or to delegate such powers
• 251B of the Health and Social Care Act 2012

Commissioning and Planning

Most national and local flows of personal data in support of commissioning are established as collections by NHS Digital either centrally, or for local flows by its Data Services for Commissioners Regional Offices (DSCRO).

The lawful basis for processing personal information is: 6(1)(c) ‘…for compliance with a legal obligation…’ Where the collection or provision of data is a legal requirement, for example where NHS Digital is directed to collect specified data, and can require specified organisations to provide it,

The lawful basis for processing personal data is: 9(2)(h)   ‘…medical diagnosis, the provision of health or social care or treatment or   the management of health or social care systems…’   

Other information:

• Commissioners may receive personal data in support of commissioning where confidentiality is set aside by provisions under the Control of Patient Information Regulations 2002, commonly known as ‘section 251 support’. This support does not remove the need for GDPR compliance
• Trusts are required by the Health and Social Care Act to provide NHS Digital with information when instructed. This is a legal obligation which overrides any patient wishes. These instructions are called “Directions”. More information on the directions placed on Trusts can be found at https://digital.nhs.uk/article/8059/NHS-England-Directions-

Research

In most cases you will be asked for consent to take part in any research project.  Any research project including personal identifiable information that does not seek consent will be approved by the NHS under section 251 approval.

The Trust may share anonymised data for research purposes with third parties.

The lawful basis for processing personal information is: 6(1)(a) the data subject has given consent to the processing of their personal data for one or more specific purposes. Or in cases where section 251 approval has been granted; 6(1)(e)   ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’ 

The lawful basis for processing personal data is: 9(2)(j) ‘…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or member State law which shall be proportionate…and provide for suitable  and specific measures to safeguard the fundamental rights and interests of the data subject …’

Other information:

A pre-condition of applying Article 9(2)(j) is that the processing has a basis in UK (or EU) law. This basis will include compliance with the common law duty of confidence, the provisions of DPA18 that relate to research, statistical purposes etc. and other relevant legislation, for example section 251 support

Public Health Functions

Processing that is necessary for reasons of public interest in the area of public health, and is carried out (i) by or under the responsibility of a health professional, or (ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

The lawful basis for processing personal information is:  6(1)(c) ‘…necessary for compliance with a legal obligation…

The lawful basis for processing personal data is: 9(2)(j) ‘ …necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…

Other information:

Health Protection (Notification) Regulations 2010 Public Health (Control of Disease) Act 1984, as amended by the Health and Social Care Act 2008

Safeguarding

Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”. 

Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees. The purpose of the processing is to protect the child or vulnerable adult.

The lawful basis for processing personal information is:  6(1)(c) ‘…necessary for compliance with a legal obligation…

The lawful basis for processing personal data is: 9(2)(b) ‘...is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of ...social protection law in so far as it is authorised by Union or Member State law..’

Other information:

• This sharing is a legal and professional requirement and therefore there is no right to object.
• The data will be shared with local safeguarding services

CCTV

We may record CCTV images of people entering, approaching, entering or passing our buildings to:

1. help staff and visitors feel safer
2. act as a deterrent to offenders
3. allow the collection of evidence to help find and convict offender

Security staff may wear body worn cameras which can be activated to preserve evidence during incidents.

The lawful basis for processing personal information is:  6(1) (f) processing is necessary for the purposes of the legitimate interests pursued by a controller

Other information:

CCTV data may be shared with third parties such as the police or courts where there is a legal basis to do so

The personal information we collect about you may also be used to:

Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it, and we will only use or share the minimum information necessary.

National Data Opt Out

National Data Opt-Out

George Eliot Hospital NHS Trust is one of many organisations working in the health and care system to improve care for patients and the public. 

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

·         improving the quality and standards of care provided

·         research into the development of new treatments

·         preventing illness and diseases

·         monitoring safety

·         planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.  On this web page you will:

·         See what is meant by confidential patient information

·         Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care

·         Find out more about the benefits of sharing data

·         Understand more about who uses the data

·         Find out how your data is protected

·         Be able to access the system to view, set or change your opt-out setting

·         Find the contact telephone number if you want to know any more or to set/change your opt-out by phone

·         See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is compliant with the national data opt-out policy.

For processing to be lawful under the GDPR, George Eliot Hospital NHS Trust is obliged to identify a lawful basis before it can process personal data. The obligation requires GEH to satisfy a condition under Article 6 and, where special category data is being processed, also under Article 9. For George Eliot Hospital's purposes, the following condition, under Article 6, for lawful processing will apply: 6(1)(e) ‘for the performance of a task carried out in the public interest or in the exercise of official authority’

There may be occasions when the data subject’s consent will provide the legal basis for the processing of their personal data: 6(1)(a) – Consent of the data subject

For necessary processing of special categories, e.g. health data for employment purposes the following condition, under Article 9, will apply: 9(2)(h) ‘Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional’

As information relating to criminal convictions and offences are not special categories

1. To be informed why, where and how we use your information.

2. To ask for access to your information.

3. To ask for your information to be corrected if it is inaccurate or incomplete.

4. To ask for your information to be deleted or removed where there is no need for us to continue processing it.

5. To ask us to restrict the use of your information. 

6. To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.

7. To object to how your information is used.

8. To challenge any decisions made without human intervention (automated decision making)

9. You have the right to refuse /withdraw consent to information sharing at any time. The possible consequences will be fully explained to you and could include delays in receiving care

Who will your information be shared with

Integrated Care Record

George Eliot Hospital NHS Trust works with other health and social care organisations to share information that will form part of your Integrated Care Record. The Integrated Care Record allows health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you. Information we hold about you will be available, to read only, to other health and care professionals in Coventry and Warwickshire, Birmingham and Solihull, and Herefordshire and Worcestershire when they are involved in your health or social care.

For more information on how your data is used on the Integrated Care Record and how to exercise your rights please see the full Privacy Notice or copy and paste this link www.happyhealthylives.uk/integrated-care-record/privacy-notice/.

Who do we share information with?

We will share information with the following main partner organisations:

• Other NHS Trusts, Hospitals that are involved in your care
• Clinical Commissioning Groups and other NHS Bodies
• General Practitioners (GPs)
• Ambulance Trusts
• 
  

Sharing with non-NHS organisations

For your benefit, we may also need to share information from your records with non-NHS organisations who are providing you with care or other services, such as social services or private healthcare organisations.

We may also be asked to share basic information about you, such as your name and parts of your address, which does not include special category information from your health records. Generally, we would only do this to assist another organisation to carry out their statutory duties (such as usages of healthcare services, public health or national audits)

Non-NHS organisations may include, but are not restricted to:

·         social services,

·         education services,

·         local authorities,

·         the police,

·         voluntary sector providers and

·         Private sector providers.

Where do we obtain your information from?

The Trust will collect data about you in a numbers of ways. The main method of collection is from you directly. The Trust also receives information from other NHS bodies and services.

Transfers outside the European Economic Area

The Trust will ensure that personal confidential data, even it would constitute fair processing, will not, unless certain exemptions apply or protective measures taken, be disclosed or transferred outside the European Economic Area to a country or territory which does not ensure an adequate level of protection for the rights and freedoms of data subjects

We protect your information in the following ways:

Training

Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community. Staff must undertake annual mandatory training in information governance and data security awareness.

DSP Toolkit

All NHS Trusts are required to complete an annual assessment of compliance with Data Protection and Security. Details of the assessments can be found here. https://www.dsptoolkit.nhs.uk/organisationsearch

Access controls

Any member of staff being given access to national systems holding patient information will need a special access card called a smartcard, along with a username and password. Many of our local systems also require smartcard access.

Audit trails

We keep a record in the newer electronic record systems of anyone who has accessed a health record or added notes to it. Some of the older computer systems only record who has amended a record.

Investigation

If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.

Records Management

All healthcare records are stored confidentially in a secure location.

Caldicott Guardian

Within each NHS organisation there is a designated person named the ‘Caldicott Guardian’ whose responsibility it is to ensure that these laws are upheld. The Caldicott Guardian for the George Eliot Hospital NHS Trust is Dr Catherine Free.