Privacy Notice

Last updated on 12 January 2021 from https://surreyandsussex.nhs.uk/patients-visitors/privacy-notice/

COVID-19 privacy notice

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice which is available below.

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital; NHS England and Improvement; Arm's Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on gov.uk here and some FAQs on this law are available here.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws, your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way as it would be with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

In circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

Should you have any further queries on the uses of your information, please contact our Data Protection Officer, Dipa Bhella, at sash.data.protection@nhs.net

 

Privacy notice

We aim to provide you with the highest quality care. To do this, we must keep records about you and the care we provide for you.

Medical records are held on paper and electronically and we have a legal duty to keep these confidential, accurate and secure at all times in line with Data Protection Laws.

All our staff are trained to handle your information correctly and protect your privacy. We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected for direct marketing purposes, and is not sold on to any other third parties. Your information is not routinely processed overseas, and if it is we undertake to inform you.

Sometimes your care may be provided by members of a care team, which might include people from other organisations such as health; social care; education; or other care organisations.

Information is held for specified periods of time as set out in the Records Management Code of Practice for Health and Social Care.

Information collected about you to deliver your health care is also used to assist with:

• Making sure your care is of a high standard.

• Assessing your condition against a set of risk criteria to ensure you are receiving the best possible care.

• Preparing statistics on our performance for the Department of Health & Social Care and other regulatory bodies.

• Helping train staff and support research.

• Supporting the funding of your care.

• Reporting and investigation of complaints, claims and untoward incidents.

• Reporting events to the appropriate authorities when we are required to do so by law.

• Creating statistical information to look after the health and wellbeing of the general public.

• Planning services to meet the needs of the population including sharing information with local health and care providers to review and improve patient routes through health and social care services.

The legal basis for the processing of data for these purposes is that the NHS is an official authority with a public duty to care for its patients, as guided by the Department of Health & Social Care. Data Protection law says it is appropriate to do so for health and social care treatment of patients, and the management of health or social care systems and services.

If we need to use your personal information for any reason beyond those stated above, we will discuss this with you. You have the right to ask us not to use your information in this way. However, there are exceptions to this which are listed below.

• the public interest is thought to be of greater importance for example:

o if a serious crime has been committed

o if there are risks to the public or our staff

o to protect vulnerable children or adults.

• we have a legal duty, for example registering births, reporting some infectious diseases, wounding by firearms and court orders

• we need to use the information for medical research. We have to ask permission from the Confidentiality Advisory Group (appointed by the NHS Health Research Authority)

Data Protection laws give you rights in respect of the personal information that we hold about you. These are to:

1. Be informed why, where and how we use your information.

2. Ask for access to your information.

3. Ask for your information to be corrected if it is inaccurate or incomplete.

4. Ask for your information to be deleted or removed where there is no need for us to continue processing it.

5. Ask us to restrict the use of your information.

6. Ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.

7. Object to how your information is used.

8. Challenge any decisions made without human intervention (automated decision making)

If we have recorded that you need support with communication, we will share the necessary data with our health and social care partners as a routine part of our referral, discharge and handover process.

To request copies of your personal information, please contact our Subject Access Request Team on 01737 768511 or email sash.sars@nhs.net

Please visit our website for further details on any information in this leaflet. Should you have any further queries on the uses of your information, please speak to one of the following:

• Your healthcare professional

• The Patient Advice Liaison Service (known as PALS) sash.pls@nhs.net

• Our Data Protection Officer, Dipa Bhella: sash.data.protection@nhs.net

Should you wish to lodge a formal complaint about the use of your information, please contact our complaints team sash.complaints@nhs.net

If you are still unhappy with the outcome of your enquiry you can write to: The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF - Telephone: 01625 545700.

What is a privacy notice?

A privacy notice is a statement that describes how Surrey and Sussex Healthcare NHS Trust collects, uses, retains and discloses personal information. Different organisations sometimes use different terms, and it can be referred to as a privacy statement, a fair processing notice or a privacy policy.

To ensure that we process your personal data fairly and lawfully we are required to inform you:

 

This information also explains what rights you have to control how we use your information.

The law determines how organisations can use personal information. The key laws are: the Data Protection Act, the Human Rights Act 1998 (HRA), relevant health service legislation, and the common law duty of confidentiality.

The data controller responsible for your personal data is Surrey and Sussex Healthcare NHS Trust.  The Trust is registered with the Information Commissioner’s Office.

Registration number: Z720627X

Your individual rights

Data Protection laws give you rights in respect of the personal information that we hold about you. These are:

 

National data opt out policy

A secure and accessible tool is available for people to opt out of their confidential patient information being used for reasons other than their individual care and treatment. This means patients have more control over how their information is used and gives them the opportunity to make informed choices about whether they wish their confidential patient information to be used just for their individual care and treatment or also used for research and planning purposes.

Further information is available at https://www.nhs.uk/your-nhs-data-matters.

From March/April 2020 when necessary, the Trust will apply the policy to its data.

You can also opt-out of the national screening programmes.  Further information is available at https://www.gov.uk/government/publications/opting-out-of-the-nhs-population-screening-programmes

How do I access information you hold about me?

Under the Data Protection Legislation living individuals have a number of rights relating to the personal information that organisations hold about them. One of these is the right to view or obtain copies of the information that we hold about you, including your medical records. This is known as a subject access request or SAR.

More information on how to access information we hold about you can be found on the Access to information page on our website https://surreyandsussex.nhs.uk/patients-visitors/access-information/

Consent and withdrawing consent

The possible consequences of refusing consent will be fully explained to the patient at the time of application of consent and could include delays in receiving care.

In those instances where the legal basis for sharing of confidential information relies on the patient’s explicit or implied consent, then the patient has the right at any time to refuse their consent to the information sharing, or to withdraw their consent previously given.

In instances where the legal basis for sharing information without consent applies then the patient has the right to register their objection to the disclosure, and the Trust is obliged to respect that objection.

In instances where the legal basis for sharing information relies on a statutory duty/power, then the patient cannot refuse or withdraw consent for the disclosure.

Our obligations

We have a duty to:

Ensure your information is accurate and up to date

We aim to ensure that all information we hold about you is accurate and, where necessary, kept up to date.

Our staff will check with patients that we have the most accurate and up to date information. However, where patients identify information held by us which is inaccurate, they are asked to notify us either in person when they attend an appointment, or by contacting their own GP.

Store your medical information

Records are retained in accordance with national guidance from the Department of Health and Social Care and the Records Management Code of Practice for Health and Social Care 2021. Records including confidential information are securely destroyed in line with this code of practice.

More information on the retention of records in the NHS can be found on the NHS Digital website https://www.nhsx.nhs.uk/information-governance/guidance/records-management-code/

Keep information about you secure and confidential

All staff working for the NHS are bound by the Common Law Duty of Confidentiality which means only staff involved with your care are entitled to access information relating to you. This is detailed within the confidentiality agreements signed by staff working at the Trust and is included within mandated annual training provided to staff.

All clinical staff are bound by strict professional codes of conduct which incorporate confidentiality clauses. Further information can be found on the British Medical Association (BMA), General Medical Council (GMC) and Nursing and Midwifery Council (NMC) websites.

We audit staff access to patient information to ensure they continue to abide by the Common Law Duty of Confidentiality.

We also ensure all staff are trained on both Information Governance and Data Security on an annual basis to ensure they know and understand how to keep your information secure and confidential at all times.

Provide information in a format that is accessible to you

For support in accessing patient information or for a translation of this document, an interpreter or a version in large print, Braille or audio, please contact the patient advice and liaison service (PALS) office on 01737 231 958 or at https://surreyandsussex.nhs.uk/contact-us/compliments-and-complaints/

Data protection officer

The data protection officer for the Trust is Dipa Bhella, information governance manager. Should you have any further queries on the uses of your information, please call 01737 768 511 or email sash.data.protection@nhs.net

Information Commissioner’s Office

You can also contact the Information Commissioner’s Office, the UK’s independent body set up to uphold information rights.

Information Commissioner’s Office 
Wycliffe House
Water Lane
Wilmslow, Cheshire
SK9 5AF

Website: https://ico.org.uk/for-the-public/
Helpline: 0303 123 1113 (local rate) or 01625 545 745