Control of Patient Information Notice during the Covid-19 outbreak
Due to the recent Covid-19 outbreak, the Trust would like to inform patients and their families and carers that NHS England and NHS Improvement have been given legal notice by the Secretary of State for Health and Social Care to support the processing and sharing of information to help the COVID-19 response under Health Service Control of Patient Information Regulations 2002 (COPI). This is to ensure that confidential patient information can be used and shared appropriately and lawfully for purposes related to the Covid-19 response. This notice applies to all providers of healthcare.
It also includes the dissemination of information to other organisations that require the information for the same purposes.
The effect of the COPI Notice is that any processing of your information which is undertaken due to these purposes will be deemed lawful irrespective of any limitations which the common law duty of confidentiality would ordinarily impose.
The Notice will be reviewed on or before 30 September 2020 and may be extended by further notice in received by the Trust writing. If no further notice is received, it will expire on 30 September 2020.
More information can be found here
Who are we?
Hampshire Hospitals NHS Foundation Trust serves a population of approximately 570,000 across Hampshire and parts of West Berkshire.
Hampshire Hospitals NHS Foundation Trust employs around 6,000 staff and has a turnover of over close to £400 million (2017/18). There are over 15,000 public and staff members. As a Foundation Trust it is directly accountable to its members through the governors. The Council of Governors represent the interests of their constituencies and influence the future plans of the Foundation Trust.
The Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and our registration number is Z5599447.
For further information please refer to the ‘About Us’ page on our website.
Data Privacy and Confidentiality at Hampshire Hospitals
Hampshire Hospitals NHS Foundation Trust takes your data privacy and confidentiality very seriously. The Trust complies fully with the General Data Protection Regulations (GDPR) and Data Protection Act 2018 at all times and maintains the highest standards in Data Security and Protection. Data Protection Impact Assessments (DPIAs), Risk Assessments and Data Flows are used by the Trust to assess risks and identify the legal basis for collection, use, sharing and any other processing of data. These documents are approved by the Data Protection Officer.
Incorrectly Addressed Correspondence
Our patients don’t always remember to tell us when they have moved address. If you receive correspondence at your address that is for someone else, please return it immediately to:
Data Protection Team
2nd Floor Ashley Wing
Royal Hampshire County Hospital
If you need to notify the Trust of a change of address, please either contact your consultant or clinical care team or contact the Customer Care team (making sure you include your NHS number or hospital number):
Mark Gittins, Data Protection Officer
Telephone: 01962 824285
Data Security and Protection team
Why and how we collect personal information about you?
Your doctor and other health professionals caring for you keep records about your health and any treatment and care you receive. These records help to ensure that you receive the best possible care from us. The information may be written down on paper (manual records), held on a computer or a mixture of both. The records may include:
- basic details about you, such as name, address, telephone, email, date of birth and next of kin
- contacts we have had with you, such as visits to a health professional
- details and records about your health, treatment and care you receive
- relevant information from other health professional, relatives or those people who care for you and know you well
- information based on the professional opinion of the staff caring for you
Every NHS organisation has to collect information on the ethnic origins of its patients. This is a mixture of information about your culture, language, history, religion, nationality and upbringing. We only use it to make sure our services meet the needs of all members of the community. You don’t have to give us information about your ethnic origin if you do not want to.
We have a duty to make sure that your information is accurate and current. Information Quality Assurance Assessments are undertaken to help us improve the quality of information we record about you. You may also request that any incorrect information held on your records is corrected.
Information is collected in a number of ways; via your healthcare professional, in referral details from your GP or information directly given by you.
Patients should note that calls to the Trust may be recorded for training and monitoring purposes.
It is not always easy to understand formal communications. If you find this information difficult to take in, please do not hesitate to contact a member of our staff and we will take the time to talk it through with you.
The link below will help you in understanding more about the patient data which we hold here.
What do we do with your personal information?
Your information is used to ensure that:
- staff caring for you have accurate and up to date information to help them assess and decide the best possible care and treatment needed for you
- we can contact you in relation to your care and treatment
- treatments and services meet the needs of local communities
- information is available should you need another form of care, for example if you are referred to a specialist or another part of the NHS
- there is a good basis for looking back and assessing the type and quality of care you have received
- your concerns can be properly investigated should you need to complain
In addition to supporting the care you receive, your information may also be used to help us to:
- remind you about your appointments and send you relevant correspondence
- look after the health of the general public
- review the care we provide to ensure it is of the highest standard
- support the funding of your care, e.g. with commissioning organisations who pay for NHS care
- teach and train health care professionals (if you do not want your information to be used in this way, please let us know. It will not affect your treatment in any way)
- conduct research approved by the Local Research Ethics Committee (your personal details will not be disclosed outside of the Trust without your consent)
- conduct audits
- investigate complaints, legal claims or untoward incidents
- make sure our services can meet patient needs in the future
- prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies
- monitor the way public money is spent
- contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients
If you do not want certain information recorded or shared with others, please talk to the person in charge of your care. There are however some aspects of your care which we are obliged to record.
Everyone working for the NHS has a legal duty to maintain the highest level of confidentiality. Generally your information will only be seen by those providing or administering your care.
You may be receiving care from other people as well as the NHS such as private healthcare companies or social services. We may need to share information about you so we can all work together for your benefit.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it and usually only with your consent.
Hampshire Hospitals NHS Foundation Trust is a research active organisation and you may be offered opportunities to participate in research studies and trials. You can find out more about how patient information may be used for research on the Health Research Authority (HRA) webpage here. The HRA is the government body that protects and promotes the interests of patients and the public in health and social care research.
When we pass on any information we will ensure it is kept confidential and secure. A few administrative processes require information that may identify you, however wherever possible, processes will use anonymised information.
There may be other circumstances when we must share information from your patient record with other organisations without your consent. Examples of this include but are not limited to:
- Concerns that you are putting yourself or another adult person at risk of harm
- Concerns that you are putting a child at risk of harm
- Where we have been instructed to do so by a Court
- Where the information is required for cost recovery
- Where the information is essential for the detection and prevention of a crime
- Where your information is required for investigation into fraud or other certain unlawful activities
- Where you are subject to the Mental Health Act (2007) and if there are circumstances in which your ‘nearest relative’ must receive information even if you object
- Where your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases
Recording of phone calls
The Trust may record calls to patients in certain circumstances. Recording of calls is necessary to protect the interests of patients and staff and is undertaken to ensure that the Trust is able to provide the best care in a safe and secure environment. Calls are deleted when they are no longer needed.
Care and Health Information Exchange (CHIE)
CHIE is a local health and social care record which collects information from participating Health and Care organisations i.e. GP practices, community providers, acute hospitals and social care providers.
From your patient record, the Trust shares your name, address, contacts i.e. your next of kin, diagnosis, allergies and alerts as well as information about your appointments, care plans, immunisations, progress notes, assessments, inpatient events and referrals, with CHIE. If you do not want your information shared with CHIE, please discuss this with your healthcare professional.
How long do we keep your information?
All records held by the NHS are subject to the Records Management Code of Practice for Health and Social Care Act 2016 (the Code). The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.
What is our legal basis for processing personal information about you?
Personal information we hold about you is deemed to be ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority’ and necessary for ‘medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems’ as set out in Article 6(1)(e) and 9(2)(h) of the General Data Protection Regulations (GDPR).
We recognise the importance of protecting personal and confidential information in all that we do, and take care to meet our legal and other duties, including compliance with the following:
- Data Protection Act 2018
- General Data Protection Regulations 2018
- Human Rights Act 1998
- Access to Health Records Act 1990
- Freedom of Information Act 2000
- Health and Social Care Act 2012, 2015
- Public Records Act 1958
- Copyright Design and Patents Act 1988
- Re-Use of Public Sector Information Regs 2004
- Computer Misuse Act 1990
- Common Law Duty of Confidentiality
- NHS Care Records Guarantee for England
- Social Care Records Guarantee for England
- International information Security Standards
- Information Security Code of Practice
- Records Management Code of Practice
- Accessible Information Standards
What are your rights?
The NHS wants to make sure you and your family have the best care now and in the future. Your health and adult social care information supports your individual care. Please see NHS Choices for further information.
If we need to use your personal information for any reasons beyond those stated in the sections above, we will discuss this with you and ask for your explicit consent. The General Data Protection Regulations gives you certain rights, including the right to:
- Request access to the personal data we hold about you, e.g. in health records. For details about how to request this see ‘Access to your health records’ on our website.
- Request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards.
- Refuse/withdraw consent to the sharing of your health records. We are authorised to process, i.e. share, your health records ‘for the management of healthcare systems and services’. Your consent will only be required if we intend to share your health records beyond these purposes, as explained above (e.g. research).
- Request your personal information to be transferred to other providers on certain occasions.
- NHS Digital, on behalf of NHS England assesses the effectiveness of the care provided by publicly-funded services. We have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations. You have the right to object to us sharing your information to NHS Digital for planning and research purposes – this will not affect your care in any way. For information about how you can Opt-Out of sharing your data with NHS Digital please see the National data opt out programme.
- Every effort is made to keep your information confidential and only share information when absolutely necessary.
Contacting us about your information
If you have any questions or concerns regarding the information we hold on you and the use of your information, or you would like to discuss this further, please contact the Data Protection Officer at:Information Governance Team
2nd Floor Ashley Wing
Royal Hampshire County Hospital
Who is responsible for your data?
Chief Financial Officer
Senior Information Risk Owner (SIRO)
Dr Tamara Everington
Haematology Consultant & Chief Clinical Information Officer
Caldicott Guardian (CG)
Data Protection Officer (DPO)
If you wish to contact any of the above please email: Information.Governance@hhft.nhs.uk
Contacting us if you have a complaint or concern
We try to meet the highest standards when collecting and using personal information. We encourage people to bring concerns to our attention and we take any complaints we receive very seriously.Customer Care Team
Basingstoke and North Hampshire Hospital
Call: 01256 486766
Further details are available on our website here.
If you remain dissatisfied with the Trust’s decision following your complaint, you may wish to contact:Information Commissioner’s Office
SK9 5AF Their web site is at ico.org.uk. The Information Commissioner will not normally consider an appeal until you have exhausted your rights of redress and complaint to Hampshire Hospitals NHS Foundation Trust.
Improving Services through Research
The Trust promotes research with a view to improving future care. Researchers can improve how physical and mental health can be treated and prevented. If you are happy for your personal confidential information to be used for both your individual care and treatment and research and planning, you do not need to do anything.
However, if you do not want your personal confidential information used for any research and planning you have the right to opt out. Visit the National Data op out guidance here. If you choose to opt out you can still consent to your data being used for specific individual research and or planning purposes.
For further details on how your information is used in research please visit the Health Research Authority - patient information, health and care research.