GEH use your information and records for:
Direct Care and Administrative Purposes
All health and adult social care providers are subject to the statutory duty to process information about a patient for their direct care. This would also include:
- Preventive or occupational medicine
- The assessment of the working capacity of an employee
- Medical diagnosis
- The provision of health care or treatment
- The provision of social care, or
- The management of health care systems or services
- Waiting list management
- Performance against national targets
- Activity monitoring
- Local clinical audit
- Patient feedback and service improvement
The lawful basis for processing personal information is: 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’
The lawful basis for processing personal data is: 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
Other information:
- NHS Trusts National Health Service and Community Care Act 1990
- NHS England’s powers to commission health services under the NHS Act 2006 or to delegate such powers
- 251B of the Health and Social Care Act 2012
Commissioning and Planning
Most national and local flows of personal data in support of commissioning are established as collections by NHS Digital either centrally, or for local flows by its Data Services for Commissioners Regional Offices (DSCRO).
The lawful basis for processing personal information is: 6(1)(c) ‘…for compliance with a legal obligation…’ Where the collection or provision of data is a legal requirement, for example where NHS Digital is directed to collect specified data, and can require specified organisations to provide it,
The lawful basis for processing personal data is: 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
Other information:
- Commissioners may receive personal data in support of commissioning where confidentiality is set aside by provisions under the Control of Patient Information Regulations 2002, commonly known as ‘section 251 support’. This support does not remove the need for GDPR compliance
- Trusts are required by the Health and Social Care Act to provide NHS Digital with information when instructed. This is a legal obligation which overrides any patient wishes. These instructions are called “Directions”. More information on the directions placed on Trusts can be found at https://digital.nhs.uk/article/8059/NHS-England-Directions-
Research
In most cases you will be asked for consent to take part in any research project. Any research project that includes personally identifiable information and does not seek consent will be approved by the NHS under section 251 approval.
The Trust may share anonymised data for research purposes with third parties.
The lawful basis for processing personal information is: 6(1)(a) the data subject has given consent to the processing of their personal data for one or more specific purposes; or, in cases where section 251 approval has been granted, 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’
The lawful basis for processing personal data is: 9(2)(j) ‘…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate…and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject…’
Other information:
A pre-condition of applying Article 9(2)(j) is that the processing has a basis in UK (or EU) law. This basis will include compliance with the common law duty of confidence, the provisions of DPA18 that relate to research, statistical purposes etc. and other relevant legislation, for example section 251 support
Public Health Functions
Processing that is necessary for reasons of public interest in the area of public health, and is carried out (i) by or under the responsibility of a health professional, or (ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
The lawful basis for processing personal information is: 6(1)(c) ‘…necessary for compliance with a legal obligation…’
The lawful basis for processing personal data is: 9(2)(j) ‘…necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’
Other information:
- Health Protection (Notification) Regulations 2010
- Public Health (Control of Disease) Act 1984, as amended by the Health and Social Care Act 2008
Safeguarding
Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”.
Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees. The purpose of the processing is to protect the child or vulnerable adult.
The lawful basis for processing personal information is: 6(1)(c) ‘…necessary for compliance with a legal obligation…’
The lawful basis for processing personal data is: 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of…social protection law in so far as it is authorised by Union or Member State law…’
Other information:
- This sharing is a legal and professional requirement and therefore there is no right to object.
- The data will be shared with local safeguarding services
CCTV
We may record CCTV images of people approaching, entering or passing our buildings to:
- help staff and visitors feel safer
- act as a deterrent to offenders
- allow the collection of evidence to help find and convict offenders
Security staff may wear body worn cameras which can be activated to preserve evidence during incidents.
The lawful basis for processing personal information is: 6(1)(f) processing is necessary for the purposes of the legitimate interests pursued by a controller
Other information:
CCTV data may be shared with third parties such as the police or courts where there is a legal basis to do so
The personal information we collect about you may also be used to:
- Remind you about your appointments and send you relevant correspondence
- Review the care we provide to ensure it is of the highest standard and quality, e.g. through audit, service improvement and research
- Support the funding of your care, e.g. with commissioning organisations
- Prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies
- Help to train and educate healthcare professionals
- Report and investigate complaints, claims and untoward incidents
- Report events to the appropriate authorities when we are required to do so by law
- Review your suitability for research studies or clinical trials
- Teach clinicians
- Contact you with regard to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients
Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it, and we will only use or share the minimum information necessary.
National Data Opt Out