Our privacy notices
Privacy notice for healthcare
When you are a patient of ours we collect data, including your personal identifiable data, so that we can provide you with treatment and care.
The lawful basis we rely on to process your personal data is article 6(1)(e) of the UK GDPR, which allows us to process personal data when this is necessary for us to perform our statutory tasks, functions and duties.
Where the data contains special category data, such as health, disability or language preferences, diagnostic images, religious views or ethnicity, the lawful basis we use to process it is:
- Article 9(2)(h) of the UK GDPR which also relates to our public task and to provide you with health or social care services.
- Article 9(2)(c) when it is necessary for us to protect you in an emergency, such as treating you after a road accident; and
- Article 9(2)(i) when it is necessary to protect people or society from risks of serious harm, such as serious communicable diseases.
What we do with the data
We’ll set up a digital health record to record your appointments, attendances, observations, diagnostic results or tests, any decisions, and any care and treatment given. We can also use it to enable secure digital access to your records via a portal if you choose to enable this feature. We may also set up a paper health record to store items that are not yet digital. We will also use it to deal with any subsequent issues that may arise, and to check on the level of service we provide.
To support the care and services we provide you, it is your responsibility to:
- Give correct and complete information;
- Manage and protect the communication methods which you provide us, notably where registered for multiple family members;
- Update your contact preferences, when moving into adult services;
- Update your information and circumstances, should it change.
For more information, please see the ‘Sharing your data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
This privacy notice was last reviewed in October 2024.
Privacy notice for NHS app
Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS England’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
To support the care and services we provide you, it is your responsibility to:
- Give correct and complete information;
- Manage and protect the communication methods which you provide us, notably where registered for multiple family members;
- Update your contact preferences, when moving into adult services;
- Update your information and circumstances, should it change.
For more information, please see the ‘Sharing your data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
This privacy notice was last reviewed in October 2024.
Privacy notice for health research and planning
If you are a patient at our hospital, your health records can help with planning and improving health and care services as well as researching and developing treatments for serious illnesses.
What we do with the data
The information you provide to us may be used in clinical trials, wider clinical research and national registries. For example, cancer registration data is used to support cancer epidemiology, public health, service monitoring and research.
The information you provide to us may be used anonymously in audits, reports or presentations. This information is presented in aggregated form, which means the information can never be used to identify you.
This means that our people and professional research bodies and organisations including university and hospital researchers, medical royal colleges and pharmaceutical companies researching new treatments may have access to this data where there is a lawful basis to do so.
Your choices
You have a choice about whether or not you wish for your information to be used in this way. If you would like to know more about how this information is used, please visit the understanding patient data website: https://www.nhs.uk/your-nhs-data-matters/. If you choose to stop your confidential patient information being used for research and planning, your data might still be used in some situations:
- When required by law
If there's a legal requirement to provide it, such as a court order.
- When you have given consent
If you have given your consent, such as for a medical research study.
- When there is an overriding public interest
In an emergency or in a situation when the safety of others is most important. For example, to help manage contagious diseases like COVID-19 and stop them spreading.
- When information that can identify you is removed
Information about your health care or treatment might still be used in research and planning if the information that can identify you is removed first.
- When there is a specific exclusion
Your confidential patient information can still be used in a small number of situations. For example, for official national statistics like a population census.
For more information, please see the ‘sharing your data’ section via this link >
This privacy notice was last reviewed in May 2024.
Privacy notice for workforce
During the course of our workforce function, we collect and process personal data of various individuals, including applicants, employees, workers (including agency, casual, and contracted staff), volunteers, trainees, and those carrying out work experience.
If you're thinking about volunteering, taking part in a training program, or doing work experience with us, we might use something called a charter, a memorandum of understanding or similar, to help explain what's expected from both sides. This document describes what you'll be doing, the kind of help and training you can expect from us, and the rules we all need to follow. While this document isn't a contract like the one employees sign, it's still an important document. It helps make sure that everyone understands their roles and responsibilities, and it sets out a clear and open relationship between you and us. It's our way of welcoming you and helping you understand how we'll work together.
Upon successful candidate application, if provided, we will use your personal e-mail address to enable us to create and activate your IT account(s). We do not use personal email for any other business purposes unless there is a legitimate and lawful basis for doing so.
The lawful basis we rely on, for processing any workforce personal data, including that of volunteers, trainees, and those carrying out work experience, is Article 6(1)(b) of the UK GDPR, which relates to the processing which is necessary to perform an agreement or to take steps at your request before entering into a formalised relationship, such as a charter.
If you provide us with any data about reasonable adjustments you require under the Equality Act 2010, the lawful basis we rely on for processing this data is article 6(1)(c) to comply with our legal obligations under the Act.
The lawful basis we rely on to process any data you provide as part of your application which is special category data, such as health, religious or ethnicity data is article 9(2)(b) of the UK GDPR, which relates to our obligations in employment and the safeguarding of your fundamental rights. Also, Schedule 1 part 1(1) of the DPA 2018 which again relates to processing for employment purposes.
We process data about applicant criminal convictions and offences. The lawful basis we rely on to process this data is Article 6(1)(e) for the performance of our public task. In addition, we rely on the processing condition at Schedule 1 part 2 paragraph 6(2)(a).
What we do with the data
We’ll use it for the following purposes:
- Accounting and auditing
- Accounts and records
- Business management and planning
- Crime prevention and prosecution of offenders
- Education
- Health administration and services
- Information and databank administration
- Invite individuals for vaccines
- Invite employees to take part in the NHS Staff Survey
- Pensions administration
- Sharing and matching of employee personal information for national fraud initiative
- Staff administration and management (including payroll and performance)
- Business system user administration and management.
How long we keep the data
For information about how long we hold data, please see the ‘How long we keep data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
What are your rights?
For more information on your rights, please see the ‘Your data protection rights’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
Do we use any data processors to achieve our purposes?
Yes, for more information please see the ‘Sharing your data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
This privacy notice was last reviewed in August 2023.
Privacy notice for external organisations
We hold the names and contact details of individuals acting in their capacity as representatives of their organisations, across the business. If this relates to interactions regarding our health and social care functions, the lawful basis is article 6(1)(e) of the UK GDPR.
If the interactions relate to suppliers, goods and services contracts, buildings management, IT services etc., the legal basis is article 6(1)(c) of the UK GDPR for any legal obligation or article 6(1)(f) because the processing is within our legitimate interests as an organisation.
We may also process information where we need to protect your interests (or someone else’s interest) or where it is required in the public interest or for an official purpose.
Do we use any data processors to achieve our purposes?
We are obliged by law to carry out safety checks for commercial visitors and suppliers visiting our sites. Any personal information provided to us as part of the vetting process will be held in the SEC³URE portal. We use IntelliCentrics UK Ltd. for this, and their privacy notice can be viewed here.
We have authorised Hertfordshire NHS Procurement Hub to handle our contract affairs, and they are contractually forbidden from unlawfully processing or selling any of the data collected on our behalf.
This privacy notice was last reviewed in August 2023.
Privacy notice for occupational health services
During the course of our occupational health function, we collect and process personal data of various individuals to promote and maintain their physical, mental, and social health and to ensure they can perform their duties effectively and safely.
The lawful bases we rely on for processing any occupational health personal data are:
- Article 6(1)(b) of the UK GDPR, which relates to processing that is necessary to perform an agreement or to take steps at your request before entering into a formalised relationship.
- Article 6(1)(c) of the UK GDPR, which pertains to processing that is required to comply with a legal obligation to which we are subject, such as health and safety regulations.
- Article 6(1)(f) of the UK GDPR, which involves processing that is necessary for the purposes of our legitimate interests, such as ensuring workplace safety and compliance.
Where the data contains special category data, such as health, disability or language preferences, diagnostic images, religious views or ethnicity, the lawful basis we use to process it is:
- Article 9(2)(h) of the UK GDPR which also relates to our public task and to provide you with health or social care services.
- Article 9(2)(i) when it is necessary to protect people or society from risks of serious harm, such as serious communicable diseases.
What we do with the data
We’ll use it for the following purposes:
- Accounts and records.
- Health administration and services.
- Information and databank administration.
- To invite individuals for appointments.
- To monitor and manage your health and safety in the workplace.
- To assess and manage occupational risks and exposures.
- To provide you with appropriate medical support and accommodations.
- To comply with legal obligations, such as health and safety regulations.
How long we keep the data
For information about how long we hold data, please see the ‘How long we keep data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
What are your rights?
For more information on your rights, please see the ‘Your data protection rights’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
Do we use any data processors to achieve our purposes?
Yes, for more information please see the ‘Sharing your data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
This privacy notice was last reviewed in November 2023.
Privacy notice for the recording of events and productions
The recording of events and productions may be captured with video and photographs. In these situations, we will display signage so that you know what we are doing. If you don't want to be filmed or photographed, please let our data protection officer know.
In the event that production companies are producing video content, we may notify individuals expected to attend during the filming window about the production, so that they can decide whether to participate. We rely on legitimate interests for this processing and are able to offer an opt-out option.
Production companies authorised to create video content will never have access to patient information.
Privacy notice for My Care Record
The Princess Alexandra Hospital NHS Trust is part of My Care Record, an approach to improving care by joining up health and care information. Health and care professionals from other services will be able to view information from the records we hold about you when it is needed for your care. Please see www.mycarerecord.org.uk for more information.
Privacy notice for CCTV
CCTV operates inside and outside our buildings on our sites.
The lawful basis we rely on to process your personal data is article 6(1)(f) of the UK GDPR, which allows us to process personal data when it's necessary for the purposes of our legitimate interests.
What we do with the data
The purpose for processing this information is for safety and security reasons.
How long we keep the data
We keep CCTV footage for 31 days. However, it may be necessary to retain footage, in which case the retention will be determined by the purpose for which the CCTV footage needs to be used. For information about how long we hold data, please see the ‘How long we keep data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
What are your rights?
If we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. For more information on your rights, please see the ‘Your data protection rights’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
Do we use any data processors to achieve our purposes?
Yes, for more information please see the ‘Sharing your data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
This privacy notice was last reviewed in August 2023.
Privacy notice for IT security
We collect data, including personal identifiable data, of prospective, current and former staff and those who register for the use of Information Technology services owned and provided by us.
This includes employees (and former employees), workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.
The lawful basis we rely on for processing your personal data is article 6(1)(b) of the UK GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract. Failure to provide such personal data may mean that we cannot perform the agreement with you and would not have access to the services which you have requested.
The lawful basis we rely on to process your personal data where monitoring occurs, is Article 6(1)(f) which allows us to process personal data when it’s necessary for our legitimate interests. For example, in order to maintain the integrity of our IT systems and the continuity of our services.
What we do with the data
We will use it so we can facilitate and provide you with the Information Technology services being requested.
We will also use it to monitor our networks to help maintain the security of our infrastructure, network and systems, for instance to identify suspicious activity, such as suspicious credential activity, and when credential(s) or e-mail addresses have been compromised or are being used outside of the UK. Cyber crime is a global threat. Cyber criminals and the technical infrastructure they use are often based overseas.
If you are provided with a mobile device, we will also use it to define which applications can be present and to locate or secure the device if lost or stolen.
How long we keep the data
For information about how long we hold data, please see the ‘How long we keep data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
What are your rights?
If we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. For more information on your rights, please see the ‘Your data protection rights’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
Do we use any data processors to achieve our purposes?
Yes, for more information please see the ‘Sharing your data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
This privacy notice was last reviewed in August 2023.
Privacy notice for the use of Wi-Fi
Wi-Fi is available on site for our visitors. We collect device data of those that connect to the Wi-Fi services owned and provided by us.
The lawful basis we rely on to process your personal data is article 6(1)(f) of the UK GDPR, which allows us to process personal data when it's necessary for the purposes of our legitimate interests.
What we do with the data
The purpose for processing this information is to provide you with access to the internet whilst visiting our site. Additionally, we will log information about the sites visited, duration, and date sent/received.
How long we keep the data
For information about how long we hold data, please see the ‘How long we keep data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
What are your rights?
If we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. For more information on your rights, please see the ‘Your data protection rights’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
Do we use any data processors to achieve our purposes?
No, for more information please see the ‘Sharing your data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
This privacy notice was last reviewed in August 2023.
Privacy notice for telephone call recording
We record all incoming and outgoing telephone calls for the purposes of quality assurance, training, and to support compliance with regulatory requirements related to patient safety and quality of care. The lawful basis we rely on to process personal data is Article 6(1)(f) of the UK GDPR, which allows us to process personal data when this is necessary for our legitimate interests, and Article 9(2)(f) when necessary for the establishment, exercise, or defence of legal claims.
We may collect personal data such as your name, phone number, and any other information you provide during the call. If the call contains special category data, such as health information or other sensitive information, we will only process it if necessary to establish, exercise or defend legal claims.
We will only use the information collected during the call for the purposes stated above, and we will take appropriate measures to ensure its confidentiality and security. We will retain the recordings for as long as necessary to fulfil the purposes for which they were collected, and in accordance with our retention policy.
This privacy notice was last reviewed in May 2023.
Our suppliers and data protection legislation
Under the General Data Protection Regulation, any processing of personal data by a processor must be governed by a contract that contains certain provisions. The trust, as data controller, will ensure the terms of all contracts involving personal data processing include terms pertaining to data protection and that all service delivery schedules and specifications reflect the roles and responsibilities of the data controller and the data processor in accordance with the regulations.
Organisations who are required to comply with the regulations may incur costs doing so, especially where new systems and processes are required. Nevertheless, these costs result from conducting business in the EU (European Union), and not from supplying the UK (United Kingdom) public sector. As a result, we expect our suppliers to manage their own compliance costs.
The trust will not accept liability clauses entitling the supplier to indemnity against fines under the regulations as the data processor. Data processors are now subject to the legal penalty regime, ensuring better performance and enhanced protection for personal data. Providing indemnification for fines, lawsuits, or court judgments undermines these principles.
Further information and guidance
For further guidance on contracts and data protection legislation, please contact the Information Commissioner’s Office or visit:
Your data matters
Your data protection rights
Under data protection law, you have a number of very important rights. These are:
Your right of access
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right here.
Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right here.
Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances. It should be understood that in data protection law nothing can be erased from a health record but a correction may be added and a copy given to you. You can read more about this right here.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here.
Your right to object to processing
You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests. You can read more about this right here.
Your right to data portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent, or under a contract or in talks about entering into one, and the processing is automated. You can read more about this right here.
Your choices
Text message appointment reminder service
We provide a text message appointment reminder service to patients who register their mobile number to deliver care. If you have the right to register a mobile number for a child, we will also provide the text message appointment reminder service to the registered number.
Important information: If the mobile is registered for multiple family members or patients, please be aware that for confidentiality reasons we do not include any identifiable information in the reminder message. Therefore, we recommend that you carefully check the specialty, time and date of your appointment before travelling to ensure the correct person attends the appointment and to avoid any disappointment. We also ask you to take care if you are considering using a mobile number which you do not own, such as a company mobile as the reminder message might be seen by friends, family, a colleague or unauthorised user.
You have a choice whether or not you wish for your mobile number to be used in this way. You can change your contact preferences at any time by contacting us directly. Call our booking service team on 01279 827391, which is open 8am to 8pm, Monday to Friday.
NHS national patient experience surveys
We carry out patient surveys to learn about the patient experience and the quality of the healthcare we provide. If you are selected to take part in a survey, your contact details will be used by researchers to carry out the survey. Each survey is carried out by the Care Quality Commission (CQC) and is used to measure and monitor the performance between hospitals and monitor NHS service improvements. To read more about the national patient survey programme, including the lawful basis for processing your data in this way, please visit https://www.cqc.org.uk/publications/surveys/surveys .
National Learning Disabilities Improvement Standards Survey
Our hospital is taking part in a patient survey for people with learning disabilities. We want to know what you think about the care you received from our hospital. Your answers will help us to work out what was good and what needs to change. If you are selected to take part in this survey, we will use your contact details to post the survey to you. Your returned feedback will then be anonymously shared with NHS Improvement. If you want to take part in the survey, please contact paht.learningdisabilities@nhs.net .
Opt-out of national patient experience surveys
You can opt out of national patient experience surveys at any time. If you wish to do so please email paht.pals@nhs.net with the words 'Survey Opt Out' in the subject line, giving your full name and a contact telephone number so that we can find out which surveys you may be contacted about. After this, you will not be contacted again.
Secondary uses
Under the Health and Social Care Act, we supply data on a regular and continuous basis to NHS Digital, who are the Health and Social Care Information Centre for the NHS. This is because some of the information from your record may be useful for specific purposes beyond your individual care, for research and planning purposes, to improve health, care and services across the NHS. You have a choice about whether or not you wish for your information to be used in this way. If you would like to know more about how this information is used, please visit the understanding patient data website: https://www.nhs.uk/your-nhs-data-matters/
Charitable marketing
We'd love to keep you updated with information and news of what we do. If you would like to hear from us, please tell us you are happy for us to contact you by contacting us. We will never share or pass on your information without your consent. When we contact you, we will only communicate with you by the methods that you have consented to. At any time, if you no longer want to hear from us or want to change your preferences, then please let us know by contacting the relevant charity office.
Fundraising office
Breast unit fundraising office
01279 827857
pah.breastunitcharity@nhs.net
NHS Staff Survey
All NHS staff are invited to take part in the national NHS Staff Survey. The survey offers a snapshot in time of how people experience their working lives, gathered at the same time each year. Its strength is in capturing a national picture alongside local detail, enabling a range of organisations to understand what it is like for staff across different parts of the NHS and work to make improvements.
For more information visit About | Working to improve NHS staff experiences | NHS Staff Survey (nhsstaffsurveys.com)
Our data protection registration details
We, in data protection terms, act as the 'data controller' of the information and personal data we collect from you. We are data protection registered with the Information Commissioner’s Office. Our data protection registration number is Z8759485.
About us
We are responsible for providing you with the right services, at the right time, in the right place. We provide a wide range of services including care and employment. We need to collect and use information about you to enable us to do this efficiently and safely.
We determine the purposes of the information and data we collect and hold. We take data protection and privacy seriously and have measures in place to protect the confidentiality, integrity and availability of the data we are responsible for.
We are open and clear about the data activities we carry out to ensure we are processing your information accordingly, securely and efficiently.
Sharing your data
We will never sell your information, nor share it with any third parties for the purposes of direct marketing.
To carry out our functions, we may need to share data with organisations such as:
- Education services
- Government departments
- Housing departments
- Local councils
- Sure start teams
- The police and judicial services
- Voluntary services
As a patient, your data will need to be shared with the health professionals who are directly involved in your care, but some of it will also need to be seen by administrative or financial staff and other health and care organisations such as:
- Ambulance trusts
- Clinical Commissioning Groups
- Dentists
- Education services
- Fire and rescue services
- GPs
- Local Authorities
- NHS Business Services Authority
- NHS Digital (NHSD)
- NHS England (NHSE)
- NHS Improvement (NHSI)
- NHS Trusts/Foundation trusts
- Opticians
- Pharmacists
- Provide
- Contracted private sector health-care providers
- Voluntary sector providers
We use data processors who are third parties, who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal data unless we have instructed them to do it. They will not share your personal data with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
How we use artificial intelligence
Artificial intelligence (AI) assisted medical diagnosis
We use AI technology to support our clinicians in identifying cancer in scans. The AI technology reviews the images to identify potential findings immediately. The purpose of the AI is to know that a decision was accurate rather than why it was made. The AI will not be solely diagnosing patients or replacing doctors, and it uses human intervention. If you have received medical imaging such as an MRI or a mammogram, then you have the right to express your point of view and discuss the decisions made.
Wayfinding
We are implementing AI technology to assist patients and visitors with navigation. This will be facilitated through an interactive kiosk located at the main reception. The technology’s function is to provide general wayfinding information and answer frequently asked questions. The technology is designed with privacy in mind, using controls and measures that do not retain or store any personal identifiable information. For example, if a visitor requests the location of a specific patient, such as “Where is Mr Smith?”, the system will recognise that a named entity has been requested. In this case, it will respond with a generic message directing the visitor to the appropriate location to find this information. It will not store the name or any other personal identifiable data.
How we use health data analytics
We use data to study and analyse the trends in patient care; this includes the care outcomes and ongoing needs of patients who use our services. We also use data to make predictions around future capacity and demand for our services. This enables us to ensure that the right resources are available in the right place and at the right time.
The lawful basis we rely on to process the personal data is article 6(1)(e) of the UK GDPR, which allows us to process personal data when this is necessary for us to perform our statutory tasks, functions, and duties.
Where the data contains special category data, such as health, disability or language preferences, diagnostic images, religious views or ethnicity, the lawful basis we use to process it is:
- Article 9(2)(h) of the UK GDPR which also relates to our public task and to provide you with health or social care services.
- Article 9(2)(i) when it is necessary to protect people or society from risks of serious harm, such as serious communicable diseases.
What we do with the data
We use analytics to better understand the needs of our patients, and we can also predict the current and future demand for services and our ability to fulfil that demand. This understanding helps us to support patients in their own home and prevent unnecessary hospital stays. Data enables us to assess the quality and safety of the services we provide along with their effectiveness, which supports opportunities for clinical innovation.
How long we keep the data
For information about how long we hold data, please see the ‘How long we keep data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
What are your rights?
For more information on your rights, please see the ‘Your data protection rights’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
Do we use any data processors to achieve our purposes?
Yes, for more information please see the ‘Sharing your data’ section at Privacy notice | Princess Alexandra Hospital (pah.nhs.uk)
This privacy notice was last reviewed in February 2023.
How we collect data
In most cases, the data we collect and store is provided directly by you for one of the following reasons:
- It is necessary for you to be treated, or to have been treated.
- You have requested information from us.
- You applied for a position with us or for a job or secondment.
- You are interested in attending or have attended an event or training session we offer.
- You are representing your business or organisation.
- You have contacted us with a complaint or query.
- You have subscribed to one of our newsletters.
We also receive data indirectly, in the following scenarios:
- From a GP or another health professional, such as a dentist or an ophthalmologist, if you are referred to us.
- From other public authorities, regulatory agencies or law enforcement authorities.
- If a complainant mentions you in their complaint correspondence.
- If someone provides your contact information as a reference, next-of-kin, or an emergency contact.
- If we have contacted an organisation about a complaint you have made and it gives us data in its response.
How we keep data safe
- All our staff including flexible, temporary, permanent, new starters, locum, student and contract staff members have contractual obligations of confidentiality, enforceable through disciplinary procedures.
- All staff will receive appropriate training on confidentiality with training refreshed annually.
- We ensure organisational, technical and security measures are in place. This includes implementing policies, undertaking data protection and privacy impact assessments, storing and holding paper information in secure locations, restricting access to information to authorised personnel, ensuring role-based access with audit trails is used, using encryption and mobile device management controls.
- We do not store or save any information on any hard drive of any computer or laptop provided or owned by the trust.
- Each NHS organisation has a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing; this person is known as the Caldicott Guardian. Our Caldicott Guardian is Dr Fay Gilder, who is also the medical director.
- Each NHS organisation also has a senior person responsible and accountable for information risk; this person is known as the senior information risk owner. Our senior information risk owner is Phil Holland, who is also the chief information officer.
How long we keep data
We only keep information for as long as necessary and in accordance with our internal policies and NHS Records Management Code of Practice 2021.
How we destroy data
We only keep information for as long as necessary and destroy any unnecessary duplicate records, copies of records which are no longer required and records which have met their retention period, had an appraisal and have no continuing value. The destruction of records is an irreversible act. We only destroy information in accordance with the Records Management Code of Practice 2021 - NHSX and use the following destruction methods:
Paper records
Identifiable, confidential or sensitive information is disposed of in confidential waste bins and then cross-shredded. The shredding of this information is securely carried out onsite using an accredited mobile shredding company. A certificate and waste transfer note are issued once the shredding has been completed.
Electronic records
Electronic data is carefully and systematically handled to minimise the risk of illegal and/or unauthorised access to information. Electronic files must be properly sanitised and purged before they can be considered satisfactorily disposed of. Ours and backup tapes must be auditable in respect of the information they hold.
Information technology hardware and infrastructure
All information technology hardware components, including computers and laptops, are destroyed by an accredited computer and IT asset disposal company. Data destruction and IT recycling certificates are issued once the work has been completed.