Our privacy notices

Privacy notice for healthcare

When you are a patient of ours we collect data, including your personal identifiable data, so that we can provide you with treatment and care.

The lawful basis we rely on to process your personal data is article 6(1)(e) of the UK GDPR, which allows us to process personal data when this is necessary for us to perform our statutory tasks, functions and duties.

Where the data contains special category data, such as health, disability or language preferences, diagnostic images, religious views or ethnicity, the lawful basis we use to process it is:

  • Article 9(2)(h) of the UK GDPR, which also relates to our public task and to providing you with health or social care services;
  • Article 9(2)(c), when it is necessary for us to protect you in an emergency, such as treating you after a road accident; and
  • Article 9(2)(i), when it is necessary to protect people or society from risks of serious harm, such as serious communicable diseases.

What we do with the data

We’ll set up a digital health record to record your appointments, attendances, observations, diagnostic results or tests, any decisions, and also any care and treatment given. We may also set up a paper health record to store items that are not yet digital. We will also use it to deal with any subsequent issues that may arise, and to check on the level of service we provide.

For more information, please see the ‘Sharing your data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)

This privacy notice was last reviewed in August 2021.

Privacy notice for My Care Record

The Princess Alexandra Hospital NHS Trust is part of My Care Record, an approach to improving care by joining up health and care information. Health and care professionals from other services will be able to view information from the records we hold about you when it is needed for your care. Please see www.mycarerecord.org.uk for more information.

Privacy notice for COVID-19

The health and social care system is facing significant pressures due to the COVID-19 pandemic. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the pandemic. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this pandemic. Using this law, the Secretary of State has required NHS Digital; NHS England and Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the COVID-19 pandemic.

Any information used or shared during the COVID-19 pandemic will be limited to the period of the pandemic unless there is another legal basis to use the data. Further information is available on gov.uk here and some FAQs on this law are available here.

During this period of emergency, opt-outs will not generally apply to the data used to support the COVID-19 pandemic, due to the public interest in sharing information. This includes national data opt-outs. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt out requests whilst we focus our efforts on responding to the pandemic.

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email. 

The single most important action we can all take, in fighting COVID-19, is to stay at home. During this period of emergency we may offer you a consultation via telephone or videoconferencing. This means that some appointments (depending on individual care needs) will be made using a web-based platform called Attend Anywhere. Attend Anywhere is an easy and secure way of providing patients with video consultation appointments. The web-based platform can be used on any PC, Mac, smartphone, iPad or tablet providing that it has Google Chrome or Safari installed on it. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation. 

To find out more about using Attend Anywhere and how your video consultation will work, please watch these short videos:

https://youtu.be/o-64JK4nLuE  https://youtu.be/wGtVW1EJzTY

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the pandemic. 

Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the COVID-19 response is here.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

In such circumstances where you tell us you are experiencing COVID-19 symptoms, we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards. We may amend this privacy notice at any time, so please review it frequently. The date will be shown at the top of this page each time this notice is updated.

This privacy notice was last reviewed in August 2021.

Privacy notice for external organisations

We hold the names and contact details of individuals acting in their capacity as representatives of their organisations, across the business. If this relates to interactions regarding our health and social care functions, the lawful basis is article 6(1)(e) of the UK GDPR.

If the interactions relate to suppliers, goods and services contracts, buildings management, IT services etc., the legal basis is article 6(1)(c) of the UK GDPR for any legal obligation or article 6(1)(f) because the processing is within our legitimate interests as an organisation.

We may also process information where we need to protect your interests (or someone else’s interest) or where it is required in the public interest or for an official purpose.

Do we use any data processors to achieve our purposes?

We are obliged by law to carry out safety checks for commercial visitors and suppliers visiting our sites. Any personal information provided to us as part of the vetting process will be held in the SEC³URE portal. We use IntelliCentrics UK Ltd. for this and their privacy notice can be viewed here.

We have authorised Hertfordshire NHS Procurement Hub to handle our contract affairs, and they are contractually forbidden from unlawfully processing or selling any of the data collected on our behalf.

This privacy notice was last reviewed in August 2021.

Privacy notice for employment

During the course of our employment function, we collect data including personal identifiable data of prospective, current and former staff.

This includes applicants, employees (and former employees), workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.

The lawful basis we rely on for processing your personal data is article 6(1)(b) of the UK GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.

If you provide us with any data about reasonable adjustments you require under the Equality Act 2010, the lawful basis we rely on for processing this data is article 6(1)(c) to comply with our legal obligations under the Act.

The lawful basis we rely on to process any data you provide as part of your application which is special category data, such as health, religious or ethnicity data, is article 9(2)(b) of the UK GDPR, which relates to our obligations in employment and the safeguarding of your fundamental rights. We also rely on Schedule 1 part 1(1) of the DPA 2018, which again relates to processing for employment purposes.

We process data about applicant criminal convictions and offences. The lawful basis we rely on to process this data is Article 6(1)(e) for the performance of our public task. In addition, we rely on the processing condition at Schedule 1 part 2 paragraph 6(2)(a).

What we do with the data

We’ll use it for the following purposes:

  • Accounting and auditing 
  • Accounts and records 
  • Business management and planning 
  • Crime prevention and prosecution of offenders 
  • Education 
  • Health administration and services 
  • Information and databank administration 
  • Invite staff for vaccines
  • Invite staff to take part in the NHS Staff Survey
  • Pensions administration 
  • Sharing and matching of personal information for national fraud initiative
  • Staff administration and management (including payroll and performance) 

How long we keep the data

For information about how long we hold data, please see the ‘How long we keep data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)

What are your rights?

For more information on your rights, please see the ‘Your data protection rights’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)

Do we use any data processors to achieve our purposes?

Yes, for more information please see the ‘Sharing your data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)

This privacy notice was last reviewed in August 2021.

Privacy notice for CCTV

CCTV operates inside and outside our buildings on our sites.

The lawful basis we rely on to process your personal data is article 6(1)(f) of the UK GDPR, which allows us to process personal data when it's necessary for the purposes of our legitimate interests.

What we do with the data

The purpose for processing this information is for safety and security reasons.

How long we keep the data

We keep CCTV footage for 31 days. However, it may be necessary to retain footage, in which case the retention will be determined by the purpose for which the CCTV footage needs to be used. For information about how long we hold data, please see the ‘How long we keep data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)

What are your rights?

If we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. For more information on your rights, please see the ‘Your data protection rights’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)

Do we use any data processors to achieve our purposes?

Yes, for more information please see the ‘Sharing your data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)

This privacy notice was last reviewed in August 2021.

Privacy notice for the use of Wi-Fi

Wi-Fi is available on site for our visitors. We collect device data of those that connect to the Wi-Fi services owned and provided by us.

The lawful basis we rely on to process your personal data is article 6(1)(f) of the UK GDPR, which allows us to process personal data when it's necessary for the purposes of our legitimate interests.

What we do with the data

The purpose for processing this information is to provide you with access to the internet whilst visiting our site. Additionally, we will log information about the sites visited, duration, and date sent/received.

How long we keep the data

For information about how long we hold data, please see the ‘How long we keep data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)

What are your rights?

If we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. For more information on your rights, please see the ‘Your data protection rights’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)

Do we use any data processors to achieve our purposes?

No, for more information please see the ‘Sharing your data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)

This privacy notice was last reviewed in August 2021.

Privacy notice for IT security

We collect data, including personal identifiable data, of prospective, current and former staff and those who register for the use of Information Technology services owned and provided by us.

This includes employees (and former employees), workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.

The lawful basis we rely on for processing your personal data is article 6(1)(b) of the UK GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract. Failure to provide such personal data may mean that we cannot perform the agreement with you and would not have access to the services which you have requested.

The lawful basis we rely on to process your personal data where monitoring occurs, is Article 6(1)(f) which allows us to process personal data when it’s necessary for our legitimate interests. For example, in order to maintain the integrity of our IT systems and the continuity of our services.

What we do with the data

We will use it so we can facilitate and provide you with the Information Technology services being requested.

We will also use it to monitor our networks to help maintain the security of our infrastructure, network and systems, for instance to identify suspicious activity, such as suspicious credential activity, and when credential(s) or e-mail addresses have been compromised.

If you are provided a mobile device we will also use it to define which applications can be present and to locate or secure the device if lost or stolen.

How long we keep the data

For information about how long we hold data, please see the ‘How long we keep data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)

What are your rights?

If we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. For more information on your rights, please see the ‘Your data protection rights’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)

Do we use any data processors to achieve our purposes?

Yes, for more information please see the ‘Sharing your data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)

This privacy notice was last reviewed in August 2021.

Your data matters

Your data protection rights

Under data protection law, you have a number of very important rights. These are:

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right here.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right here.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances. It should be understood that in data protection law nothing can be erased from a health record but a correction may be added and a copy given to you. You can read more about this right here. 

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here.

Your right to object to processing

You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests. You can read more about this right here. 

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into, a contract and the processing is automated. You can read more about this right here.

Your choices

Text message appointment reminder service

We provide a text message appointment reminder service to patients who register their mobile number to deliver care. If you have the right to register a mobile number for a child, we will also provide the text message appointment reminder service to the registered number.

Important information: If the mobile is registered for multiple family members or patients, please be aware that for confidentiality reasons we do not include any identifiable information in the reminder message. Therefore, we recommend that you carefully check the specialty, time and date of your appointment before travelling to ensure the correct person attends the appointment and to avoid any disappointment. We also ask you to take care if you are considering using a mobile number which you do not own, such as a company mobile as the reminder message might be seen by friends, family, a colleague or unauthorised user.

You have a choice whether or not you wish for your mobile number to be used in this way. You can change your contact preferences at any time by contacting us directly. Call our booking service team on 01279 827391, which is open 8am to 8pm, Monday to Friday.

NHS national patient experience surveys

We carry out patient surveys to learn about the patient experience and the quality of the healthcare we provide. If you are selected to take part in a survey, your contact details will be used by researchers to carry out the survey. Each survey is carried out by the Care Quality Commission (CQC) and is used to measure and monitor the performance between hospitals and monitor NHS service improvements. To read more about the national patient survey programme, including the lawful basis for processing your data in this way, please visit https://www.cqc.org.uk/publications/surveys/surveys .

National Learning Disabilities Improvement Standards Survey

Our hospital is taking part in a patient survey for people with learning disabilities. We want to know what you think about the care you received from our hospital. Your answers will help us to work out what was good and what needs to change.  If you are selected to take part in this survey, we will use your contact details to post the survey to you. Your returned feedback will then be anonymously shared with NHS Improvement. If you want to take part in the survey, please contact paht.learningdisabilities@nhs.net .

Opt-out of national patient experience surveys

You can opt out of national patient experience surveys at any time. If you wish to do so please email paht.pals@nhs.net with the words 'Survey Opt Out' in the subject line, giving your full name and a contact telephone number so that we can find out which surveys you may be contacted about. After this, you will not be contacted again.

Secondary uses

Under the Health and Social Care Act, we supply data, on a regular and continuous basis, to NHS Digital, who are the Health and Social Care Information Centre for the NHS. This is because some of the information from your record may be useful for specific purposes beyond your individual care, for research and planning purposes, to improve health, care and services across the NHS. You have a choice about whether or not you wish for your information to be used in this way. If you would like to know more about how this information is used, please visit the understanding patient data website: https://www.nhs.uk/your-nhs-data-matters/

Charitable marketing

We'd love to keep you updated with information and news of what we do. If you would like to hear from us, please tell us you are happy for us to contact you by contacting us. We will never share or pass on your information without your consent. When we contact you, we will only communicate with you by the methods that you have consented to. At any time, if you no longer want to hear from us or want to change your preferences, then please let us know by contacting the relevant charity office.

Fundraising office

paht.fundraising@nhs.net

Breast unit fundraising office

01279 827857
pah.breastunitcharity@nhs.net

 

NHS Staff Survey

All NHS staff are invited to take part in the national NHS Staff Survey. The survey offers a snapshot in time of how people experience their working lives, gathered at the same time each year. Its strength is in capturing a national picture alongside local detail, enabling a range of organisations to understand what it is like for staff across different parts of the NHS and work to make improvements.

For more information visit About | Working to improve NHS staff experiences | NHS Staff Survey (nhsstaffsurveys.com)

Our data protection registration details

We, in data protection terms, act as the 'data controller' of the information and personal data we collect from you. We are data protection registered with the Information Commissioner’s Office. Our data protection registration number is Z8759485.

About us

We are responsible for providing you with the right services, at the right time, in the right place. We provide a wide range of services including care and employment. We need to collect and use information about you to enable us to do this efficiently and safely.

We determine the purposes of the information and data we collect and hold. We take data protection and privacy seriously and have measures in place to protect the confidentiality, integrity and availability of the data we are responsible for.

We are open and clear about the data activities we carry out to ensure we are processing your information accordingly, securely and efficiently.

Sharing your data

We will never sell your information, nor share it with any third parties for the purposes of direct marketing.

To carry out our functions, we may need to share data with organisations such as:

  • Education services
  • Government departments
  • Housing departments
  • Local councils
  • Sure start teams
  • The police and judicial services
  • Voluntary services

As a patient, your data will need to be shared with the health professionals who are directly involved in your care, but some of it will also need to be seen by administrative or financial staff and other health and care organisations such as:

  • Ambulance trusts
  • Provide
  • Clinical Commissioning Groups
  • Dentists
  • Education services
  • Fire and rescue services
  • GPs
  • Local Authorities
  • NHS Business Services Authority
  • NHS Digital (NHSD)
  • NHS England (NHSE)
  • NHS Improvement (NHSI)
  • NHS Trusts/Foundation trusts
  • Opticians
  • Pharmacists
  • Contracted private sector health-care providers
  • Voluntary sector providers

We use data processors who are third parties, who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal data unless we have instructed them to do it. They will not share your personal data with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

How we use artificial intelligence

Artificial intelligence (AI) assisted medical diagnosis

We use AI technology to support our clinicians in identifying cancer in scans. The AI technology reviews the images to identify potential findings immediately. The purpose of the AI is to know that a decision was accurate rather than why it was made. The AI will not be solely diagnosing patients or replacing doctors, and it uses human intervention. If you have received medical imaging such as an MRI or a mammogram, then you have the right to express your point of view and discuss the decisions made.

How we collect data

In most cases, the data we collect and store is provided directly by you for one of the following reasons:

  • It is necessary for you to be treated, or to have been treated.

  • You have requested information from us.

  • You applied for a position with us or for a job or secondment.

  • You are interested in attending or have attended an event or training session we offer.

  • You are representing your business or organisation.

  • You have contacted us with a complaint or query.

  • You have subscribed to one of our newsletters.

We also receive data indirectly, in the following scenarios:

  • From a GP or another health professional, such as a dentist or an ophthalmologist, if you are referred to us.

  • From other public authorities, regulatory agencies or law enforcement authorities.

  • If a complainant mentions you in their complaint correspondence.

  • If someone provides your contact information as a reference, next-of-kin, or an emergency contact.

  • If we have contacted an organisation about a complaint you have made and it gives us data in its response.

How we keep data safe

  • All our staff including flexible, temporary, permanent, new starters, locum, student and contract staff members have contractual obligations of confidentiality, enforceable through disciplinary procedures.
     
  • All staff will receive appropriate training on confidentiality with training refreshed annually.
     
  • We ensure organisational, technical and security measures are in place. This includes implementing policies, undertaking data protection and privacy impact assessments, storing and holding paper information in secure locations, restricting access to information to authorised personnel, ensuring role-based access with audit trails is used, using encryption and mobile device management controls.
     
  • We do not store or save any information on any hard drive of any computer or laptop provided or owned by the trust.
     
  • Each NHS organisation has a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing; this person is known as the Caldicott Guardian. Our Caldicott Guardian is Dr Fay Gilder, who is also the medical director.
     
  • Each NHS organisation also has a senior person responsible and accountable for information risk; this person is known as the senior information risk owner. Our senior information risk owner is Phil Holland, who is also the chief information officer.

How long we keep data

We only keep information for as long as necessary and in accordance with the Records Management Code of Practice 2021 - NHSX 

How we destroy data

We only keep information for as long as necessary and destroy any unnecessary duplicate records, copies of records which are no longer required and records which have met their retention period, had an appraisal and have no continuing value. The destruction of records is an irreversible act. We only destroy information in accordance with the Records Management Code of Practice 2021 - NHSX and use the following destruction methods:

Paper records

Identifiable, confidential or sensitive information is disposed of in confidential waste bins and then cross shredded. The shredding of this information is securely carried out onsite using an accredited mobile shredding company. A certificate and waste transfer note is issued once the shredding has been completed.

Electronic records

Electronic data is carefully and systematically handled to minimise the risk of illegal and/or unauthorised access to information. Electronic files must be properly sanitised and purged before they can be considered satisfactorily disposed of. Ours and backup tapes must be auditable in respect of the information they hold.

Information technology hardware and infrastructure

All information technology hardware components, including computers and laptops, are destroyed by an accredited computer and IT asset disposal company. Data destruction and IT recycling certificates are issued once the work has been completed.

Found everything you are looking for?

If you need further help or guidance in relation to personal data or data protection, then please find helpful and reliable information from our information regulator, the Information Commissioner’s Office, by visiting Home | ICO.

Links to other websites

Our privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to our privacy notices

We keep our privacy notices under regular review.

As new services are offered or as existing services are improved, we may need to update this page. Therefore, we encourage you to review this page from time to time to stay informed about how we are protecting the information you provide.

Website cookies

Please be aware that restricting cookies may impact on the functionality of our website. We will not use cookies to collect personally identifiable information about you.

However, if you wish to restrict or block the cookies which are set by our websites, or indeed any other website, you can do this through your browser settings. The ‘Help’ function within your browser should tell you how.

Alternatively, you may wish to visit www.aboutcookies.org which contains comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your machine as well as more general information about cookies.

Open Government Licence v3.0

 Contains public sector information licensed under the Open Government Licence v3.0