Your Patient Information - Privacy Notice

Salisbury NHS Foundation Trust Privacy Notice (for Patients)

Salisbury NHS Foundation Trust collects information about you when you are referred by your GP for treatment and during your clinical consultation. We also collect information when you voluntarily complete customer surveys, provide feedback and speak to a member of our team.

As a healthcare provider we need to hold information about our patients to help ensure that they receive proper, necessary and effective treatment. We firmly believe that information should be held securely and should only be available on a ‘need to know’ basis. The information includes:

your full name, date of birth and address, phone number, email address
your next of kin contact details
medical test results, symptoms and diagnoses
details of contact we have had with you, such as referrals
details of the services you have received
patient experience feedback and treatment outcome information you provide
notes and reports about your health and any treatment you have received or need, including clinic and operational visits and medicines administered

Working in Partnership with Your GP

As a trusted Healthcare partner the Salisbury NHS Foundation Trust (SFT) clinical staff have been granted read only access to a limited view of your GP electronic patient record when supporting your care. This access has been granted by the Wiltshire Clinical Commissioning Group (Wiltshire CCG) for the majority of GP practices who are using the TPP SystmOne electronic patient record system.

In conjunction with your GP practice we will ensure access to your GP electronic record is strictly controlled and monitored. If you wish to prevent the hospital from accessing your GP electronic record please contact your GP practice who can arrange.

The patient leaflet and responses to commonly asked questions for the TPP SystmOne electronic patient record system provides further details as to how your medical information is managed and shared. To access these, ‘click’ on the links below:

TPP SystmOne Frequently Asked Questions

TPP SystmOne Support

Legal Basis for Sharing of Information

As a healthcare provider we access your healthcare information to provide direct care in accordance with Schedule 2 and 3 of the Data Protection Act 1998, and with effect from 25th May 2018 Articles 6 and 9 of the EU General Data Protection Regulations.

The information we hold about you helps us to:

provide a good basis for all health decisions made by you and your healthcare professional
make sure your care is safe and effective
work effectively with others providing you with care

We may also use your information to:

analyse how visitors use our website to improve services;
assess the quality of care we give you
protect the health of the general public
monitor NHS spending
manage health services
help investigate any concerns or complaints you or your family have about your healthcare
report infectious diseases
help with accounts and auditing
secure clinical funding from your GP and the Clinical Commissioning Group
report fraudulent claims for NHS treatment

Specialist Cancer Drug Funding:

The Specialist Cancer Drug Funding procedures require Salisbury NHS Foundation Trust to submit patient information to NHS England and NHS Improvement (NHS E & I) on the prior approval system (currently Blueteq) to obtain funding for specialist drugs.

These procedures have been designed to:

provide patients with faster access to the most promising new cancer treatments
drive stronger value for money for taxpayers in drugs expenditure
offer those pharmaceutical companies that are willing to price their products responsibly, a new fast-track route to NHS funding for the best and most promising drugs via an accelerated NICE appraisal process, and a new CDF managed access scheme.

Who is this information shared with?

Requests for specialist cancer drugs are shared with Public Health England (PHE). This information is collected, used and shared for the purposes of public health with the aim of

making the public healthier and reducing differences between the health of different groups by promoting healthier lifestyles, advising government and supporting action by local government, the NHS and the public
protecting the nation from public health hazards
preparing for, and responding to, public health emergencies
improving the health of the whole population by sharing our information and expertise, and identifying and preparing for future public health challenges
supporting local authorities and the NHS to plan and provide health and social care services such as immunisation and screening programmes, and to develop the public health system and its specialist workforce
researching, collecting and analysing data to improve our understanding of public health challenges, and come up with answers to public health problems.

For more information about Public Health England and the specialist cancer drug funding please visit:

https://www.england.nhs.uk/cancer/cdf/

Opting out of your information being shared with Public Health England

PHE supports patients to opt out from the cancer registration process should they wish. To support this, PHE provides all cancer centres with patient information leaflets on cancer registration. These leaflets should be made readily available to patients. If you would like to request copies of the leaflet, please email NDRengagement@phe.gov.uk or you can find more information, and access the leaflet from the National Disease Registration Service webpage

Opting out of your information being shared with Public Health England

Overseas Patients and Patients Not Ordinarily Resident in the UK

Please refer to our additional privacy notice here :

Overseas patient information may be used to?

Establish your identity and your entitlement to free NHS treatment
Ensure that the information we hold about you is valid and up to date
Record outstanding NHS debts and provide this to the Department of Health & Social Care
Determine your immigration status using Home Office services
Prevent, detect and prosecute fraud and other crime
Provide translation and interpretation services

How long do we keep your personal information for?

The NHS has a comprehensive set of guidelines, which govern the length of time that we may keep your records for, which are called the NHS Retention Schedules. Salisbury NHS Foundation Trust will comply with the NHS Retention Schedules. There may be occasions where the Trust will be obliged to vary from the NHS Retention Schedules, for examples, in response to a Court Order or other equivalent legal requirement. Information about the NHS Retention Schedules may be found via the NHS Digital Website at: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-SocialCare-2016

The national data opt-out:

NHS Digital is developing a new system to s0upport the national data opt-out which will give you more control over how your identifiable health and care information is used. The system will offers you and the public the opportunity to make an informed choice about whether you wish your personally identifiable data to be used just for your individual care and treatment or also used for research and planning purposes.

What information does the national data opt-out apply to..?

How do you opt out?

By contacting NHS Choices website or telephone contact center: https://www.nhs.uk/pages/home.aspx

Need more information?

Visit the National Data Opt-out web pages: https://digital.nhs.uk/national-data-opt-out

You can also use the opt-out postal service or phone the helpline to access more information:
NHS Digital Contact Centre Tel: 0300 303 5678

GDPR Compliance Statement

The Trust collects stores and processes personal information about prospective, current and former staff to ensure compliance with legal or industry requirements.

The processing of employee personal information is necessary for the purpose of employment and social security and social protection law.

The Trust is not required to seek your explicit consent to process your personal information for employment purposes, taxation, fraud, internal and external investigations, and statutory or regulatory reporting purposes requiring identification.

How we use your employee information?

Your personal information is processed for the purposes of:
Staff administration and management (including payroll and performance)
Pensions administration

Business management and planning

Accounting and Auditing Accounts and records
Education
Health administration and services
Information and databank administration

Employee information and publicity

Your personal information will not be used for internal and external publications without your explicit written consent.

Sharing of employee information

The Trust will not routinely disclose any information about you without your express permission. However, in order to enable effective staff administration and comply with our obligations as your employer, we will share the information which you provide during the course of your employment (including the recruitment process) with the NHS Business Services Authority for maintaining your employment records, held on systems including the national NHS Electronic Staff Record (ESR) and Care Information Services (smartcard) Systems.

There are a number of circumstances where we must or can share information about you to comply or manage with:
Disciplinary/ investigation processes; including referrals to Professional Bodies, e.g. NMC and GMC;

Legislative and/or statutory requirements;
A Court Orders which may have been imposed on us;
NHS Counter Fraud requirements;
Request for information from the police and other law enforcement agencies for the prevention and detection of crime and/or fraud if the crime is of a serious nature.

Employee Monitoring

The Trust’s Informatics Department is committed to maintaining the privacy, dignity and confidentiality of service users at all times. We adhere to the principles of data protection legislation, Department of Health and NHS Digital policies, procedures and codes of practice.

The Informatics Department uses your personal information to create and manage IT user accounts, monitor system access and performance.
System generated audit trails are also used to improve internal processes, identify account and system issues, and establish if inappropriate access and/or use of IT equipment/resources have occurred.

Audit trails may also be released to patients requesting details of employees who have accessed their medical record.

Registration Authority Smartcards

If you hold or register for a NHS Registration Authority (RA) Smartcard your personal information including your driving license and passport numbers will be recorded along with a photographic image within the NHS Digital’s Care Identity Service (CIS) System.

All users issued with a Smartcard have the ability to update certain aspects of their record on the CIS database as well as change their pin code and, when necessary, renew their own Smartcard certificates. (Certificates last two years and can be self-renewed within 90 days leading to the expiry date – after this time please contact your local Registration Authority).

All Informatics staff adhere to a strict code of ethics in relation to the confidentiality of all personal and sensitive data.

All personal and sensitive information is treated as sensitive (‘special category’) personal data, in respect of data protection legislation and can be shared by the recipient only, with the individual’s consent and with others who have a legitimate need to know.

Your information may be released without your knowledge or consent in exceptional circumstances dictated in the professional codes of ethical behaviour and statute law i.e. the prevention and detection of a serious crime, fraud, malpractice allegation, court order or the vital interests of yourself or another (life or death).

NHS Mail

The Trust utilises the NHS Mail email system as our main communication system. As a member of staff you are accepting you will work within the NHSmail acceptable use policy v3 September 2018. This occurs when you register for the service. This is your promise to all NHSmail users and the public and patients we serve, that you will be mindful of the importance of the information that they share over NHSmail.

NHS Mail Data Retention and Information Management Policy

Information is stored in the NHSmail service for a variety of reasons and is retained in accordance with our policies. The NHSmail Data Retention and Information Management Policy this defines the scope of data held and details the recovery of data. The process to request this is available in the NHSmail Access to Data Policy on the NHSmail portal help pages.

Our responsibilities for data protection are explained in the Transparency Information document located within the General Data Protection Regulation section of the NHSmail portal help pages.

Sharing of employee information

Limited personal information about you may also be shared with third party organisations in order to permit access to externally located/hosted systems i.e. Lorenzo, and TPP SystmOne (GP system).

Secondary Purposes

The Informatics department will use your personal information to create anonymised, pseudonymised and statistical compliance reports.

External IT Monitoring

NHS Digital now provides national monitoring of all internet activity through NHS devices to local organisations such as hospitals and GP surgeries. This means that all internet activity is monitored to quickly identify any abnormalities so that immediate action can be taken to address any potential problem as quickly as possible. NHS Digital will be able to identify the affected device and user in real time so that alerts can be provided nationally and locally in order to minimise the threat to the NHS, staff and patients.

The SFT process will be that whenever an alert is received Informatics will immediately retrieve the device and commence erasing any data and rebuilding the device, please be aware that any information stored locally on the machine will be removed with immediate effect.

Appropriate action will be taken over any inappropriate or malicious breaches detected in line with the Trust policies and procedures.

We are committed to keeping your personal information secure. We have put in place physical, electronic and operational procedures to safeguard and secure the information we collect. All our employees and partner organisations are legally bound to respect your privacy and the confidentiality of your information. Access to your information is strictly controlled and only accessible to employees on a need to know basis.

CCTV (closed circuit television) is utilised to protect the safety of our patients, staff and members of the public. The Trust's security services, including the use of CCTV, are internally managed.

Performance

Salisbury NHS Foundation Trust is registered with the Information Commissioner’s Office which is the regulator for data protection and privacy and electronic communications. Our registration number is: Z6613850

Salisbury NHS Foundation Trust is registered with the Department of Health (DOH) and our security and confidentiality compliance is assessed annually by the completion of the Data Security and Protection Toolkit (DPST).A full copy of our data protection registration details can be accessed via the link: Register of Data Controllers

This is an online system which allows organisations’ information security, data protection, and confidentiality processes and procedures to be assessed against national standards required by NHS Digital and the Care Quality Commission. To access details of the Trusts compliance please visit: https://www.dsptoolkit.nhs.uk/organisationsearch

Your Information as a Foundation Trust Member – Privacy Notice

What information do we collect?

We only record the information you provided us with and consented to, when you became a member, these include:

Name
Address
Date of Birth
Gender (optional)
Email (optional)
Telephone / Mobile Number (optional)
Ethnicity (optional)
What type of involvement you wanted to have

Why do we need this information?

We record this information for a number of reasons, all connected with your membership;

Contact information
Date of birth, gender and ethnicity are also used anonymously to assess the diversity of our members
Level of involvement to help us contact you about things that may interest you.
We will only use the information we hold about you for the purpose of which you agreed to become a member, this will differ depending on what type of member you requested to become. Below is a list of the different types of memberships and the information you may receive:

Receive regular information about services provided by the Trust and be invited to meetings. This will include emails, or postal communication, about our Trust and our services and can be in the form of updates, newsletters invitations to public meetings.
Respond to surveys, consultations and suggestions for changes. We will keep you informed about our Trust and our services, as per above, and share opportunities to partake in surveys, consultations etc.
Invited to workshops and focus groups (events). Unless you opted to receive regular information and updates, you will only be contacted for the purpose of inviting you to workshops and focus groups.
Interested in becoming a Governor. You have opted to be fully informed and therefore your information will be used for all the above.
Elected Governors. You will have opted to be fully informed as per above and, in addition, will receive invitations to attend members council meetings and receive the relevant agendas/papers for this. You will also be invited to attend as observers to a number of key meetings.

How long will your membership information kept for?

We will only keep your details for the length of time that you are a member. If you were to let us know that you would no longer like to be a member, we will delete your data

Your data will be stored on our secure internal membership database.

If we hold information about you as a patient you have the right to:

1. Be informed:

Individuals, which include patients and staff, have the right to be informed about the collection and use of their personal data.

2. Right of access

You have the right to find out what information we hold about you as a member of staff or as a patient. This is called a right of access. You exercise this right by asking us for a copy of the information we hold about you.

We are required to supply this information to you within 30 calendar days from the date the Trust received the request.

3. The right to get your data corrected

You have the right to have any inaccurate personal information about you corrected within 30 calendar days month.

You can make this request verbally and in writing.

In certain circumstances the Trust can refuse the request for rectification.

4. Your right to get your personal information deleted

You have the right to ask the Trust to delete any personal information we hold about you in certain circumstances. This is known as the ‘right to be forgotten’.

This right is not absolute and can only apply in certain circumstances.

You don’t have to ask a specific person within the hospital. We do recommend that you follow up any verbal requests in writing by contacting the Trust’s Data Protection Officer explaining your concerns, providing evidence and stating your desired solution.

5. Right to limit how we use your information

You can limit the way the hospital uses your personal data if you are concerned about the accuracy of the data or how it is being used.
In certain circumstances you can make a request for the hospital to limit the use of your personal information. This could include:

Temporarily removing information from a system
Making it unavailable to users, or
Temporarily removing it from a website, if it has been published.

The Trust may refuse a request to limit the use of your information if we believe that your request is unfounded or excessive. We won’t do this without letting you know and if your request is ‘manifestly unfounded’. We may ask for a reasonable fee to cover administration costs.

6. Right to data portability

You have a right to get your personal information from the hospital in an accessible format, paper, electronic or CSV file.

You can also ask the hospital to transfer your electronic information to another healthcare provider if it is technically feasible.

How long will I need to wait for my data to be transferred?

The hospital has one month to respond to your request. We may need extra time to consider your request and this may take up to two months but we will let you know.

7. Right to object

You have the right to object to the use of your information in some circumstances.

Your request can be verbal or in writing. We recommend that you follow up any verbal requests in writing by contacting the Trust’s Data Protection Officer explaining your request./

8. Rights relating to decisions made about you by a computerised system.

Automated decisions

This is called automated decision making and profiling for example, completing an online aptitude test using a pre-programmed algorithm and or criteria when applying for a job vacancy with the hospital.

You can ask for information to understand the reasons behind the automated decisions. The request can be made verbally or in writing. We recommend that you follow up any verbal requests in writing by contacting the Trust’s Data Protection Officer explaining your request.

Profiling

Profiling means information about you is used to analyse or predict things like:

Your performance at work
Your personal financial status
Your health, personal preferences and interests.

You can object to the collection of profiling information if it includes direct marketing.

It will take the hospital a month to respond to your request, but in certain circumstances, we may need more time which can take up to an extra two months. We will let you know within the 30 days if it might take longer.

Raising a concern

You have a right to be confident that the hospital handles your personal information responsibly and securely.

If you would like to speak to someone, about any concerns you may have please call the Information Governance Office 01722 336262 or the Trust’s Data Protection Officer on 01722 425119.

You can also seek advice from or make a complaint to the Information Commissioner’s Office (ICO) who is the UK data protection regulator.

Your Patient Information - Privacy Notice

The Trust

Legal & Privacy

Join us on social media