What is a ‘Privacy Notice’?
This privacy notice is issued by St George’s University Hospitals NHS Foundation Trust as a healthcare provider and covers the information we hold about our patients and other individuals that may use our services.
A separate privacy notice is available for information we collect about staff as part of our responsibilities as an employer.
Why have we issued this privacy notice for our patients and service users?
To illustrate our commitment to openness and accountability, we recognise the importance of protecting personal and confidential information in all that we do, and take care to meet our legal and other duties, including compliance with the following:
- Data Protection Act 2018 (DPA 18)
- EU General Data Protection Regulations 2016 (EU GDPR)
- UK General Data Protection Regulations 2021(UK GDPR)
- Human Rights Act 1998
- Access to Health Records Act 1990
- Freedom of Information Act 2000 (FOIA)
- National Health Service Act 2006
- Health and Social Care Act 2012, 2015
- Public Records Act 1958 & 1967
- UK Policy Framework for Health and Social Care Research
- Copyright Design and Patents Act 1988
- Re-Use of Public Sector Information Regs 2004
- Computer Misuse Act 1990
- Common Law Duty of Confidentiality
- NHS Care Records Guarantee for England
- Social Care Records Guarantee for England
- International information Security Standards
- Information Security Code of Practice
- NHS Records Management Code of Practice 2021
- Accessible Information Standards
Who we are and what do we do?
We are a Foundation Trust and the largest healthcare provider in southwest London providing healthcare services.
We provide a wide range of health services including acute and specialist care, cardiothoracic medicine and surgery, neurosciences and renal transplantation, complex pelvic trauma and a full range of community services.
With nearly 9,000 dedicated staff caring for patients, we serve a population of 1.3 million across southwest London.
We are governed and monitored by a number of different organisations, including:
- Department of Health
- Information Commissioner’s Office
- Care Quality Commission
- NHS England / Improvement
Our consultants, doctors, nurses, healthcare professionals and registered support staff are also regulated and governed by professional bodies including numerous royal colleges.
Why have we issued this privacy notice?
This privacy notice explains how and why we use the information you share with us
What information do we collect?
The information that we collect about you may include the following:
- Name, NHS number, address, telephone, email, date of birth and next of kin
- Any contact we have had with you through appointments, attendances and home visits
- Details and records of treatment and care, notes and reports about your health, including medications, allergies or health conditions
- Results of x-rays, scans, blood tests, etc
- Other relevant information from people who care for you and know you well, such as health professionals, relatives and carers.
We may also collect other information about you, such as your sexuality, race or ethnic origin, religious or other beliefs, Power of Attorney Status / Deputyship under the Mental Capacity Act (Health and Personal Welfare) and whether you have a disability or require any additional support with appointments (like an interpreter or advocate).
What is our lawful basis for collecting and processing your personal data
Every Controller must have a lawful basis to process both Personal Data and Sensitive Personal Data. These are commonly described as Article 6 (Personal Data) and Article 9 (Special Personal Data).
The lawful basis for the Trust as a public authority and in our function as provider of health and care services, are as follows:
Article 6 Legal Basis
- We may need to provide health services necessary to protect vital interests of a patient’s life or another natural person. The legal basis we rely on in this circumstance can be found under UK GDPR Article 6(1) (d).
- As a public authority, the collection and use of your personal data is necessary for the provision of quality care and is in the public interest and exercising our official authority as a healthcare provider. This is known as our “legal basis” for the collection and processing of personal data under current data protection regulations Article 6(1) (e) of the GPDR.
Article 9 Legal Basis
Special category data such as health data is personal data which the GDPR deems more sensitive, and therefore requires additional privacy. In addition to the above, the following are the lawful basis relied upon in the processing of special category data.
- In the protection of the vital interests of vulnerable people from harm, the lawful basis relied on can be found in Article 9(2)(c) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law…’
- For the processing of special category data to manage legal claims against the Trust, court instructions or other judicial functions, the legal basis we rely on in these circumstances can be found under UK GDPR Article 9(2) (f)
- For the processing of special category data for medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, the legal basis we rely on in this circumstance can be found under GDPR Article 9(2) (h).
- Where we collect personal data for the purpose of research, the legal basis relied upon is Article 9(2) (j)“the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes….”
There is also other legislation in place that determines our functions, and which may allow us to process data outside of the provisions identified above. These will be identified in the specific processing notices where required.
Why do we collect your information?
We collect personal and confidential information about you to support with the delivery of appropriate healthcare and treatment. This includes researching new treatments and how we deliver better healthcare. In order to provide you with high quality care, we must keep records about you, your health and the care that we provide, or plan to provide to you. It is important for us to have a complete picture as this information enables us to provide the right care to meet your individual needs.
How do we collect information?
Information is collected in a number of ways, via your healthcare professional, referral details from your GP or directly given by you.We may also receive relevant personal data from other sources such as your employer, other health and social care professionals and family and friends.
How do we use your information and why is this important?
We use your information to ensure that:
- The right decisions are made about your care
- Your treatment is safe and effective; and
- We can work well with other organisations that may be involved in your care.
- To ensure that we provide relevant health services and manage the services we provide effectively.
This is important because having accurate and up-to-date information will assist us in providing you with the best possible care. It also ensures that all information is readily available if you see another health professional or specialist within our trust or another part of the NHS.
There is also the potential for your information to help improve health care and other services across our trust and the wider NHS.
Therefore, your information may also be used to help with:
- Ensuring that our services can be planned to meet the future needs of patients
- Reviewing the care provided to ensure it is of the highest standard possible, improving individual diagnosis and care
- Evaluating and improving patient safety
- Training other healthcare professionals
- Conducting clinical research and audits, and understanding more about health risks and causes to develop new treatments and disease prevention
- Preparing statistics on NHS performance and monitoring how we spend public money
- Supporting the health of the general public
- Evaluating Government and NHS policies
Some of this information will also be held centrally by the NHS where it is used for statistical purposes in order to plan ahead. This is known as Secondary Use. Strict security measures are taken to ensure that individual patients cannot be identified.
Anonymous statistical information may also be passed to organisations with a legitimate interest in health care and its management, including universities, community safety units and research institutions.
Where it is not possible to use anonymous information, personally identifiable information may be used for essential NHS purposes such as research and auditing. This will only be done with your consent, unless the law permits the information to be passed on to improve public health or the research has been approved by the Confidentiality Advisory Group (CAG – a national body comprised of ethicists, data protection experts as well as lay people).
How do we keep your information safe and maintain confidentiality?
Your information may be stored within electronic or paper records, or a combination of both. All our records are restricted so that only those individuals who have a need to know the information can get access. This might be through the use of technology or other environmental safeguards.
Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.
Under the Data Protection Act 2018, strict principles govern our use of information and our duty to ensure it is kept safe and secure.
Under the NHS Confidentiality Code of Conduct, all of our staff are required to protect information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
Every NHS organisation has a senior person that is responsible for protecting the confidentiality of your information and enabling appropriate sharing. This person is known as the Caldicott Guardian, and within our Trust this role sits with Dr Carolyn Johnston, Deputy Chief Medical Officer, Consultant Anaesthetist. Dr Johnston is supported by the Trust Data Protection Officer and the Head of Information Governance. You can find more details here.
Do we share your information with anyone else?
We work with a number of other NHS organisations and, independent treatment centres and clinics in order to provide you with the best possible care. To support this, your information may be securely shared with other organisations.
For your benefit, we may also need to share some of your information with authorised non-NHS authorities and organisations involved in your care. This might include organisations such as local councils, social services, education services, the police, voluntary and private sector providers, and private healthcare companies. However, any sharing of information will always be governed by specific rules and laws.
In addition, information about you may be used for research purposes. In most instances the information will be made anonymous so that you cannot be identified. If this is not possible, we will ask your permission or request approval from the Health Research Authority’s Confidentiality Advisory Group. Please note: Should you not wish information about you to be used for research, please speak to your clinical team who are treating you.
The Trust has implemented the National Data Opt Out system managed by NHS England. This allows you to register a wish NOT to have your personal confidential data used for secondary purposes. Please see (NHS England NDOO) for further details to register you wishes or change them
We outsource a limited number of administration and IT support services to external organisations. These companies are based within the European Economic Area and all services are provided under specific contractual terms, which are compliant with UK data protection legislation
Only organisations with a legitimate requirement will have access to your information and only under strict controls and rules. We will not sell your information for any purpose and will not provide third parties with your information for the purpose of marketing or sales.
Mandatory information sharing
Sometimes we are required by law to disclose or report certain information which may include details which identify you. However, this is only done after formal authority by the Courts or by a qualified health professional.
This may include reporting a serious crime or identification of an infectious disease that may endanger the safety of others. Where this disclosure is necessary, only the minimum amount of information is released.
There may also be occasions when the trust is reviewed by an independent auditor, which could involve reviewing randomly selected patient information to ensure we are legally compliant.
Clinical training, research and audit
Some health records are needed to teach student clinicians about rare cases and diseases. Without such materials, new doctors and nurses would not be properly prepared to treat you and others. It is also possible that individuals, such as student nurses, medical students and healthcare cadets, are receiving training in the service that is caring for you. If staff would like a student to be present, they will always ask for your permission and you have the right to refuse without this effecting the care or treatment that you are receiving.
We also undertake clinical research and audits within the trust to benefit and advance healthcare and its management in the UK. Your permission may be required for some of this work. If you agree to be involved, a full explanation will be given, and your consent will be obtained before proceeding. Your consent may not be required if the information being used has been anonymised. This means that it cannot be used to identify an individual person. For more information on the specifics of information management in the health can social care setting please click here.
How long do we keep your information?
Health records must be retained in accordance with the periods stipulated in the Information Government Alliance: Records Management Code of Practice for Health and Social Care 2021. The retention of records is dependent on various factors such as type of service, continuity of care, litigation, last hospital attendance etc. and is set by NHS England.
Health Records will be retained in line with the Trust retention policy generally for a period of 8 years after your last contact with the Trust.
However, in some specific cases, records may be kept in perpetuity, if required. Decisions to retain records for longer than the periods stipulated must be approved by Trust senior management.
What are your rights?
We would like to stress that, at all times:
- You have the right to know how we will use your personal information
- You have the right to see your health record (your medical notes). This is known as a Right of Access
- You have the right to object to us making use of your information
- You can ask us to change or restrict how we use your information and we will agree if possible.
- You have the right to ask for your information to be changed if it is incorrect, and erased, under certain conditions.
- You have the right to opt out from your personal information being used for research or planning purposes via the National Opt out Scheme. More information on the National Opt out Scheme can be found here uk/your-nhs-data-matters
How can you get access to the information that we hold about you?
Under the terms of the Data Protection Act 2018, the UK GDPR , you or a person acting on your behalf have the right to request access to the information that we hold about you.
If the subject is deceased, access to these records may be provided under the Access to Health Records Act 1990.
Before any disclosure is made we will need to receive proof of your identity and appropriateness for access (proof the applicant is entitled to have access). This is to protect your confidentiality.
Please send or email your completed application form and all relevant paperwork to the address or email below:
Subject Access Team
Health Records Department
St George’s University NHS Foundation Trust
Tel: 0208 725 0508
Business Hours: 10am to 3pm – Monday to Friday excluding English Bank Holidays
How can you make a complaint?
You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. We would recommend contacting our Information Governance team initially to talk through any concerns that you have.
It may also be possible to resolve your concerns through a discussion with our Patient Advice and Liaison Service (PALS) before (or without the need to start) a more formal process:
Post: Complaints and Improvements Department, St George’s University Hospitals NHS Foundation Trust, St George’s Hospital, Blackshaw Road, London. SW17 0QT
Phone: 020 8725 2453
Alternatively, you can contact the trust’s Head of Patient Experience who investigates complaints from patients and their relatives:
Post: St George’s Healthcare NHS Trust, St George’s Hospital, Blackshaw Road, London. SW17 0QT
Phone: 020 8672 1255
If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office (ICO):
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Phone: 0303 123 1113
You can also find details of our registration with the Information Commissioner online here.
Our ICO registration number is Z6900098
Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly. Please see the website above for further advice.