Our Privacy Notice: Your information, your rights and your choices
Our Privacy Notice tells you what to expect about your information, what we may collect and hold about you, our uses including whom we may share it with, how we look after it, your rights and where you can obtain further information.
We, the Princess Alexandra Hospital NHS Trust, are responsible for providing you with the right care, at the right time, in the right place. We provide a wide range of services including emergency, maternity, cancer and elderly care. We need to collect and use information about you to enable us to do this efficiently and safely.
Your safety is paramount at all times.
We are open and clear about the information operations we carry out to ensure we are processing your information accordingly, securely and efficiently.
Our data protection registration details
We, the Princess Alexandra Hospital NHS Trust, in data protection terms act as the 'data controller' of the information and personal data we collect from you.
We are registered for data protection with the Information Commissioner's Office. Our data protection registration number is Z8759485.
Our data protection allegiance
As the data controller, we determine the purposes of obtaining, recording, holding or carrying out any operations on the information and data we collect.
We have a data protection framework in place to oversee the effective and secure processing of your information.
We take data protection and privacy seriously. We have internal data protection guidance, policies and procedures in place to protect the integrity of your information, but also the Trust and our employees as liable individuals.
We are aware that organisations can be fined up to €10 million for failing to meet certain requirements of the General Data Protection Regulation and fined up to €20 million for an incident in which identifiable, sensitive, confidential data has been accessed or disclosed in an unlawful way.
Data protection law
Did you know that if staff handle any of your information as part of their job, they should do so in accordance with the new General Data Protection Regulation?
Why is this important?
- It replaces the Data Protection Act 1998 on 25 May 2018.
- There are new rules for handling information with greater transparency, enhanced rights for people, increased accountability and stronger enforcement of the rules.
GDPR expands on the existing Data Protection Act 1998 and we already comply with this existing data protection legislation. To read what we have done to prepare for the GDPR, please contact our Information Governance Department by emailing InfoGov@pah.nhs.uk.
Why we collect and use your information
There are a number of lawful reasons why we need to collect and use your personal information. Therefore, we will collect and use your information in the following circumstances:
- it is necessary to provide you with health or social care services; for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality;
- it is necessary to perform our statutory duties;
- consent was provided directly from you, or your legal representative;
- we hold an individual contract with you;
- it is necessary to protect an individual in an emergency such as treating them after a road accident; to protect the vital interests of the individual or another person;
- the disclosure of the information is required by law;
- it is necessary to protect individuals or society from risks of serious harm, such as serious communicable diseases;
- it is necessary for preventing or detecting crime and protecting the public against malpractice or maladministration;
- it is necessary to enable medical research, education or other secondary uses of information that will benefit society over time;
- it is necessary to comply with employment law; in connection with individual contracts of employment and to comply with the employer's legal obligations;
- it is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights;
- you have made your information publicly available;
- some processing is carried out by our not-for-profit charity and does not involve disclosing personal data to a third party unless the individual consents.
Under data protection law, you have a number of very important rights. These are:
- To be informed about how we collect and use your personal information.
- To obtain a copy of the information we hold about you, free of charge and within one month. Where a request is complex, we may extend the release of the information to two months. Should this be essential, we will write to you within one month of the request and explain why the extension is necessary. Please note, in some circumstances, where a request is manifestly unfounded, excessive and/or repetitive, we may also charge a 'reasonable fee'.
- To update or amend the information we hold about you if it is inaccurate or incomplete. We will write to you within one month of the request. Where a request is complex, we may extend the response to two months. In this circumstance, we will write to you and explain why the extension is necessary.
- To ask us to stop processing your information in the following circumstances:
  - Where you contest the accuracy of your information.
  - Where you have objected to the processing.
  - When processing is unlawful.
  - If we no longer need the personal data but you require the information to establish, exercise or defend a legal claim.
- To ask us to remove your personal information from our records. However, there are two circumstances where the right to erasure will not apply to special category data:
  - If the processing is necessary for public health purposes in the public interest;
  - If the processing is necessary for the purposes of preventative or occupational medicine. This includes where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services.
- To request the restriction or suppression of your personal data. This is not an absolute right and only applies in certain circumstances.
- To obtain and reuse your own personal data for your own purposes. This enables you to view, access and use your personal consumption and transaction data in a way that is portable and safe.
- Rights related to automated decision making including profiling. This means the right not to be subject to a decision based solely on automated processing, including profiling.
If you would like to know more about your rights, please visit the Information Commissioner's Office website at www.ico.co.uk.
Under the Health and Social Care Act, we supply data, on a regular and continuous basis to NHS Digital, who are the Health and Social Care Information Centre for the NHS. This is because some of the information from your record may be useful for specific purposes beyond your individual care, for research and planning purposes, to improve health, care and services across the NHS.
From the 25th May 2018, you will have a choice about whether or not you wish for your information to be used in this way. The national data opt-out will be introduced alongside the new data protection legislation.
If you would like to know more about how this information is used, please visit the Understanding Patient Data website at www.understandingpatientdata.org.uk
We have several charitable funds which are administered by the overall trust charity, the Princess Alexandra Hospital's Charity (registered no. 1054745).
The charity enhances patient care, purchases special equipment, improves facilities and invests in vital research which is beyond the scope or limits of the NHS.
When we contact you, we will only communicate with you by the methods that you have consented to. At any time, if you no longer want to hear from us or want to change your preferences then please let us know by contacting the relevant charity office.
We'd love to keep you updated with information and news of what we do. If you would like to hear from us, please tell us how you are happy for us to contact you by contacting us. We will never share or pass on your information without your consent.
By e-mail: firstname.lastname@example.org
By phone: 01279 82 7312
Breast unit fundraising office
By e-mail: email@example.com
By phone: 01279 82 7857
Text message appointment reminder service
Since 2013, we have provided a text message appointment reminder service to patients who register their mobile number to deliver quality care.
If you have the right to register a mobile number for a child, we will also provide the text message appointment reminder service to the registered number.
Important information: If the mobile is registered for multiple family members or patients, please be aware that for confidentiality reasons we do not include any identifiable information in the reminder message. Therefore, we recommend that you carefully check the specialty, time and date of your appointment before travelling to ensure the correct person attends the appointment and to avoid any disappointment.
We also ask you to take care if you are considering using a mobile number which you do not own, such as a company mobile, as the reminder message might be seen by friends, family, colleagues or an unauthorised user.
You have a choice whether or not you wish for your mobile number to be used in this way. You can change your contact preferences at any time by calling our booking service team on 01279 82 7391, which is open 8am to 8pm Monday to Friday.
In order to enable us to send you an appointment reminder by this method, we have integrated a product from MJog. This will allow you to receive a text message whenever an appointment is scheduled, rescheduled, or cancelled, and prior to appointments taking place. MJog delivers the appointment reminders and is designed to increase your awareness and engagement.
If you would like to know more about the text message appointment reminder service, please visit the MJog website at www.mjog.com.
As a patient of ours, you will be giving us information about yourself and your condition which could be of a sensitive nature and which you may not wish to be widely known. We need to collect and record that information to help us provide you with the best care.
To ensure that treatment and care is provided to you efficiently and safely, we may collect and hold the following records about you which may include:
Disability and language preferences
This information is collected to enable us to provide you with care which meets your needs, such as accommodating mobility aids such as wheelchairs, providing interpreters or providing you with information in a different format such as braille or easy read.
We are required by law to collect and use your ethnicity to ensure that we are providing a fair and open service. An individual's ethnicity can also have an effect on the types of disease an individual is at risk of.
We collect gender identity and use it in a sensitive way to plan future services, procedures and practices. It helps us determine if existing practices or procedures unfairly discriminate against individuals, to ensure you receive a positive healthcare experience.
Mobile telephone number
We collect mobile telephone numbers from you to enable us to provide you with a text message reminder for any forthcoming hospital appointments you may have.
Name, address, date of birth
We collect personal details from you such as your name, date of birth and address to enable us to send you letters about your care such as your inpatient and outpatient letters. These details are also used to correctly identify you from other individuals.
Next of kin
We collect details of your next of kin as a person you would like to be contacted in an emergency. The person you name as a next of kin has no legal right to any confidential information held by us about you or to make any decisions about your care. An individual who wishes to make a decision about your care must obtain the appropriate legal Power of Attorney. If a patient dies in the hospital, we will contact the patient's relatives and/or the named next of kin to provide information on the bereavement services managed by the Trust such as a bereavement meeting with an Emergency Department consultant or the annual memorial service. If a named next of kin or patient's relative does not wish to be contacted in this way, they should inform the member of staff involved in the care of their relative.
Your NHS number is used to identify you correctly and match your details to your health records, ensuring you receive safe and efficient care from us.
We are under a statutory obligation to identify and charge overseas visitors who are not eligible for free care. We use it for service planning, to recover costs and improve our cost recovery systems.
We provide a Chaplaincy service for all individuals. In your best interest or with your consent, your religion and name are passed to our Chaplains to enable them to visit you whilst in hospital to ensure any pastoral and spiritual needs are adequately supported.
We collect your sex from you to ensure that service provision matches your healthcare need such as emergency care for obstetric and gynaecological conditions.
We collect your contact telephone number including your mobile number to enable us to contact you regarding your care.
Your attendance records
We maintain paper and electronic information about your inpatient and outpatient visits, and visits to the Emergency Department. Details of your outpatient clinic visits, stays in hospital, appointment letters, notes, x-rays, laboratory tests and reports relating to your health and treatment are stored in a paper and electronic record.
Your health record is shared with the appropriate staff who are involved in providing your care, to ensure consistent, appropriate and safe health care is provided to you.
Your treatment and care records
To ensure the treatment and care provided to you by the Trust is appropriate and consistent, records about the treatment and care you have been provided will be recorded. This will ensure that there is a full and comprehensive record which is available to the appropriate staff who are involved with providing you with the right care and treatment. During your treatment, the staff you see will make notes, or write a report or letter about the care they have provided to you. Copies of letters will be sent to your GP and a copy will be placed in your paper or electronic health record.
Ultrasound scan of unborn babies
We offer all pregnant women at least two ultrasound scans during their pregnancy. The ultrasound scans are usually to determine whether the baby is healthy and growing as it should be. In order to determine this, the sonographer will use the ultrasound to view the baby onscreen for these purposes. We do not retain these images and have no reason to print them for diagnostic purposes. However, at the time of your scan you can purchase a 'grab' shot of the moving image as a souvenir to take home.
Medication and prescription records
Sometimes the medication you require could be specialist. As a result, it might not be directly available from us. Therefore we may need to share your personal information, prescription records and drug history with our pharmaceutical stakeholders to provide you with the more specialised treatment. We will only share if there is a genuine need for it. Our pharmaceutical stakeholders include:
- Lloyds Pharmacy Clinical Homecare
- Healthcare at home
- Home Oxygen Service Supplier
We also work closely with local community pharmacies in West Essex and Hertfordshire. With your consent, we can share your personal information, prescription records and drug history to help to ensure you continue to receive the correct medication in the community.
Your information from other healthcare providers
We may receive information detailing your personal details, your physical health and/or mental health, in addition to treatments you have received, if you are referred to us by your GP or another health professional, such as a dentist or ophthalmologist.
We may also obtain information to assist in giving you the best, most appropriate care from other people who care for you and know you well such as health care professionals and relatives.
It is good practice for people in the NHS who provide care to discuss and agree with you, what they are going to record about you.
Your complaint records
When we receive a complaint from an individual, we create a record containing the details of the complaint. This may include the identity of the complainant and any other individuals involved in the complaint. We will only use this information to process the complaint. However, we may need to disclose the complainant's identity to staff involved in the complaint and appropriate management teams.
We respect privacy. Therefore, should a complainant wish to remain anonymous, we will respect that decision. However, it may not be possible to handle a complaint on an anonymous basis.
Children's information and records
We comply with the requirements of the General Data Protection Regulation, not just those specifically relating to children. We design our information processing with children in mind from the outset and use a data protection by design and by default approach. We make sure that our information processing is fair and complies with the data protection principles and, as a matter of good practice, our staff undertake Data Protection and Privacy Impact Assessments to help us assess and mitigate the risks to children.
Children may be less aware of why we need their information, what we will do with it, the risks inherent in the information processing, and how we intend to safeguard against them. As a matter of good practice, we will explain these matters in a way which they can understand, so that children (and their parents) can understand the implications. We feel that it is important that children (and their parents) understand this; therefore, if anything has not been understood, please ask a member of staff to provide the privacy notice in easy read format.
Under data protection law, children have their own rights. This means that children over the age of 13 can give their own consent to process information. For children under this age, consent is sought from the child's parent or legal guardian.
To read more about children's data protection rights, please visit the Information Commissioner's Office website at www.ico.co.uk.
We will process information provided by applicants for the management of their application and the subsequent selection process. This involves providing details to the short-listing and selection panels. Other details are kept to help fulfil our obligations to monitor equality and diversity within the organisation and in the application process. You can find more information about the use of your information throughout the application process.
How we retain your information and records
We only keep information for as long as necessary. We retain information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016. It sets out what people working with or in NHS organisations in England need to do to manage records correctly. It is based on current legal requirements and professional best practice.
How we destroy information
We only keep information for as long as necessary and destroy any unnecessary duplicate records, copies of records which are no longer required and records which have met their retention period, had an appraisal and have no continuing value.
The destruction of records is an irreversible act. We only destroy information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016.
We normally use the following destruction methods:
Identifiable, confidential or sensitive information is disposed of in confidential waste bins and then cross shredded. The shredding of this information is securely carried out onsite by Shred Station Ltd, which is an accredited mobile shredding company. A certificate and waste transfer note are issued once the shredding has been completed.
Electronic data is carefully and systematically handled to minimise the risk of illegal and/or unauthorised access to information. Electronic files must be properly sanitised and purged before they can be considered satisfactorily disposed of. Our and backup tapes must be auditable in respect of the information they hold.
Information technology hardware and infrastructure
We do not store or save any information on any hard drive of any computer or laptop provided or owned by the Trust. All information technology hardware components including computers and laptops are destroyed by Icex Ltd, which is an accredited computer and IT asset disposal company. Data destruction and IT recycling certificates are issued once the work has been completed.
Who has access to your information
Your information will need to be shared with the health professionals who are directly involved in your care, but some of it will also need to be seen by administrative and financial staff. Everyone working in the NHS has a legal duty to keep information about you confidential. Therefore we will not sell your information to third parties and we will not share your information with third parties for marketing purposes.
We also work in partnership with other health and care organisations such as:
- British Association of Immediate Care
- East and North Hertfordshire Clinical Commissioning Group
- East and North Herts NHS Trust
- East of England Ambulance Service
- Essex and Herts Air Ambulance Trust
- Essex Partnership University NHS Foundation Trust
- North East London Foundation Trust
- Uttlesford Health Limited
- West Essex Clinical Commissioning Group
To provide you with the right health or social care services, we may need to share some of your information with our non-care stakeholders. We will only share information about you if there is a genuine need for it, and we will only share the minimum amount of information that is required, taking steps where possible to prevent identification. This includes organisations such as:
- Children's social care
- Sure start teams
How we keep your information safe
All our staff including flexible, temporary, permanent, new starters, locum, student and contract staff members have contractual obligations of confidentiality, enforceable through disciplinary procedures.
All staff will receive appropriate training on confidentiality with training refreshed annually.
We ensure organisational and technical measures are in place to ensure the information we hold is secure. This includes implementing policies, undertaking Data Protection and Privacy Impact assessments, storing and holding paper information in secure locations, restricting access to information to authorised personnel, ensuring role-based access with audit trails is used for electronic health information, protecting mobile equipment such as laptops with encryption and mobile device management controls.
Each NHS organisation has a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. This person is known as the Caldicott Guardian. Our Caldicott Guardian is Dr Andy Morris, who is also the Chief Medical Officer.
Each NHS organisation also has a senior person responsible and accountable for information risk. This person is known as the Senior Information Risk Owner. Our Senior Information Risk Owner is Trevor Smith, who is also the Chief Finance Officer.
When you provide us information
Although we have measures in place to protect against the loss, misuse or alteration of your information, please be aware that we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we will make our best efforts to ensure it is secure within our systems.
When you provide information to us electronically, such as by email, social media or our website forms, we will take steps to ensure that it is treated securely.
When you email us
Although we will take steps to secure email communications sent to you, emails sent to us may not be a secure method of communication. It is your responsibility to limit the amount of personally identifiable or sensitive information you send us.
Please be aware that the use of e-mail carries a number of risks, including but not limited to those set out below:
- Your internet connection provider or email service provider may not be secure; therefore data could be intercepted or spoofed by an unauthorised person;
- Electronic communication held on mobile devices could be intercepted by friends, family or by an unauthorised user following the loss or misplacement of the mobile device;
- Open e-mails which are left unattended can be seen by other members of the household, visitors or other unauthorised people;
- Your anti-virus provider may become out-of-date, hampering the security of your personal electronic devices and opening them to risks from malicious software and viruses, which could be designed to log texts or steal data;
- Your email service provider may have a right to retain copies and inspect emails held within your email account;
- Your internet connection provider or email service provider may become unavailable, delaying the receipt of the communication.
Therefore it is your responsibility to:
- Manage and protect the communication methods which you provide us;
- Give correct and complete information;
- Update your information and circumstances, should it change;
- Ask questions if you do not understand information or instructions;
- Keep hospital appointments, and, when you are unable to do so, notify us in advance.
We love that you can proactively contact us and share information via social media. However, we cannot guarantee the security of information on or transmitted via the Internet. Therefore we encourage you to read the privacy statements on the other websites you visit.
Our website and online forms
Our website uses 128-bit encryption to ensure that information is encrypted and protected. When you are on a secure page of our website, a padlock icon will appear in the search bar of your web browser.
The information you provide us is only used for the purpose of the form.
How we use your information for indirect care
For the provision of indirect care, we use a number of approved, secure services and systems to process information about you. These are:
Controlled Environment for Finance
Under a Section 251 exemption of the NHS Act 2006, Clinical Commissioning Groups (CCGs), Commissioning Support Units (CSUs) and Providers can process personal datasets for invoice validation purposes, subject to a set of conditions to ensure the processing is lawful.
Invoice validation is an essential process, which ensures that we are reimbursed correctly for the care and treatment we have delivered to you. The process involves checking that you have received the treatment as identified and that the right Clinical Commissioning Group.
National Registries such as the Learning Disabilities Register have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
Under a Section 251 exemption of the NHS Act 2006, we have approval to share limited and appropriate clinical information with Pre-Hospital Emergency Medicine teams, such as ambulance and air ambulance clinicians, in relation to the outcome of seriously ill or injured patients whom those clinicians have treated. This is to improve lifelong learning and reflection for patients whose diagnoses are difficult to make, whose most appropriate management was uncertain, who were critically unwell or whose case led to emotional distress for the clinician.
This is intended to further improve the clinical capabilities of pre-hospital teams who work alongside us to look after patients in our community by giving them access to additional information we gained through further assessments and investigations which can clarify the signs and symptoms that they witnessed in the community before the patient arrived at hospital.
We are research active and are involved in developing future treatments and care, so you may be asked by a member of staff to take part in a research study. The purpose of the study and what it involves will be explained to you. If you decide that you would like to be involved, you will be asked to sign a consent form. If you do not want to take part, this will not affect your treatment in any way.
For advice on participation in health research, please visit the Health Research Authority website at www.hra.nhs.uk.
Other disclosures may be permitted under section 251 of the NHS Act 2006. This allows the Secretary of State for Health to set aside the common law duty of confidentiality in special circumstances. This has to be to improve patient care or in the 'public interest', such as for important medical research.
Applications for approval to use Section 251 powers are considered by the Confidentiality Advisory Group (CAG), who will advise whether there is sufficient justification to access the requested confidential patient information. Examples of this, used in the short term until other measures can be put in place, are risk stratification and invoice validation.
If you would like to know more about Section 251 approvals, please visit the Confidentiality Advisory Group website at www.hra.nhs.uk.
We are also education active and may use your information for teaching purposes, to educate and support staff. If your information is used for teaching purposes steps will be taken to prevent any identification.
Secondary Uses Service (SUS)
SUS is the single and comprehensive data warehouse for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. When you are treated or cared for, information is collected which supports the treatment.
If you would like to know more about SUS, please visit NHS Digital's website at www.digital.nhs.uk/sus.
Our website cookies
At any time you can switch off your cookies, however, it may result in a loss of functionality when using our website.
For more information visit our full cookies policy at www.pah.nhs.uk
Transferring your information outside of Europe
We are prohibited from transferring personal data outside the European Economic Area to a third country that does not have adequate data protection. If you use our services while you are outside the EU, your information may be transferred outside the EU in order to provide you with those services.
Who to contact
Questions about confidentiality or data protection
If you have any questions about your information, this privacy notice, data protection or about confidentiality, please contact our Data Protection Officer at:
Telephone: 01279 444455 Ext 1032
If you wish to raise a complaint
If you wish to raise a complaint on how we have handled your information, or if you require this information in another language or format, please contact our Patient Advice and Liaison Service at:
Telephone: 01279 827211
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can contact the Information Commissioner's Office (ICO) to raise your concerns.
If you wish to obtain a copy of your information
All patients have the right to request a copy of their own records by writing to:
Medical Records Manager
The Princess Alexandra Hospital NHS Trust
Harlow, Essex, CM20 1QX
Telephone: 01279 827341
There may be some information that we are not able to provide: Where a patient requests access to their own records under data protection law and the person controlling the records is not a health professional (e.g. a Trust administrator), there is an obligation to consult the person most recently responsible for the clinical care of a patient and confirm that there is no risk of harm before releasing records to the patient. If this is the case we will explain the reasons why we cannot provide that information.
Please be aware that checks will be made to make sure the person applying has the right to view the records, especially if applying for someone else's records.
If you need to change or update your information
The accuracy of your information is important to us.
To help us keep your health record up-to-date, it is very important that you notify your GP if you change your address, telephone number, mobile number or name, such as your surname.
You can tell us of any changes by phoning us on 01279 82 7391.
If you feel that there are mistakes or inaccuracies in your health record
It should be understood that in data protection law nothing can be erased from a health record but a correction may be added and a copy given to you. If you feel that there are mistakes or inaccuracies in your health record, then please write to us at:
Medical Records Manager
The Princess Alexandra Hospital NHS Trust
Harlow, Essex, CM20 1QX
Telephone: 01279 827341
Found everything you are looking for?
If you need further help or guidance in relation to personal data or data protection, you can find helpful and reliable information from our information regulator, the Information Commissioner's Office, at www.ico.co.uk.
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Changes to this privacy notice
We keep our privacy notice under regular review.
As new services are offered or as existing services are improved, we may need to update this page. Therefore, we encourage you to review this page from time to time to stay informed about how we are protecting the information you provide.
This privacy notice was last updated on 23rd of May 2018.