Hospital Policy

Personal information

Personal data is information that relates to an identified or identifiable individual. What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.

All clinicians and health and social care professionals caring for patients keep records about patients’ health and any treatment and care being provided. These records help to ensure that patients receive the best possible care, they may be paper or electronic and may include:

• Basic details such as name, address, email address, NHS number, date of birth, next of kin, etc.
• Contacts with the Trust i.e. appointments or clinic visits.
• Notes and reports about patients health’ treatment and care – A&E visits, in patient spells or clinic appointments.
• Details of diagnosis and treatment given.
• Information about any allergies or health conditions.
• Results of x-rays, scans and laboratory tests.
• Relevant information from people who provide care and support to the patient outside of the hospital i.e. health care professionals and relatives.

More sensitive information

The UK GDPR gives extra protection to more sensitive information known as ‘special category data’. Information concerning health and care falls into this category and needs to be treated with greater care. Data that relates to criminal offences is also considered particularly sensitive.

We process the following more sensitive data (including special category data):

• data concerning physical or mental health (for example, details about your appointments or diagnosis)
• data revealing racial or ethnic origin
• data concerning a person’s sex life
• data concerning a person’s sexual orientation
• genetic data (for example, details about a DNA sample taken from you as part of a genetic clinical service)
• biometric data (where used for identification purposes)
• data revealing religious or philosophical beliefs
• data relating to criminal or suspected criminal offences

Sometimes it is necessary for us to share information with other healthcare professionals and service providers to help with the provision and management of patient care. The Trust will only do this where it is considered necessary, and patients will be notified where appropriate.

There may be other circumstances when the Trust are legally obliged to share information with other agencies. In these rare circumstances we are not required to seek consent.

Examples of this are:

• other public and private healthcare, social and welfare organisations
• central and local government organisations
• police forces and security organisations
• public and private service providers, suppliers of medical equipment and support systems
• public and private auditors and audit bodies
• legal representatives
• survey and research organisations
• professional advisers and consultants

The reasons why we would share your information can include:

• notification of births and deaths
• an emergency (when there is risk of loss of life or limb)
• to control infectious diseases (such as meningitis or tuberculosis)
• child protection
• when required by a formal court order
• for the prevention or detection of a crime

We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality.  These purposes will include to comply with the law and for public interest reasons.

The Trust may sometimes use service providers who process information in other countries, both within and outside the European Economic Area (EEA), because of this it may sometimes be necessary for personal data to be transferred overseas. However, before any transfer is made Calderdale and Huddersfield Foundation Trust will make sure that appropriate safeguards are in place so that the transfer of the data, its processing, storage and retention are securely controlled and in full compliance with the requirements of the UK GDPR.

Personal information

Under the UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for using personal information is:

• We have your consent - this must be freely given, specific, informed and unambiguous.
• We have a legal obligation - the law requires us to do this, for example where NHS England or the courts use their powers to require the data.
• We need it to perform a public task - a public body, such as an NHS organisation or Care Quality Commission (CQC) registered social care organisation, is required to undertake particular activities by law.

More sensitive data

The General Data Protection Regulation (UK GDPR) 2018 and the Data Protection Act (2018) requires the Trust to process:

Sensitive personal data (Health Records) under 9(2)(h) – “Necessary for the reasons of preventative or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services” and occasionally 9(2)(c) “when it is necessary to protect the vital interests of a person who is physically or legally incapable of giving consent”

Personal data under 6(1)(e) “Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Trust (Data Controller)” and occasionally 6(1)(d) “when it is necessary to protect the vital interests of a person who is physically or legally incapable of giving consent”

Under UK GDPR, the lawful basis we rely on for using information that is more sensitive (special category):

• We need it for employment, social security and social protection reasons (if authorised by law).
• We need for a legal claim or the courts require it.
• There is a substantial public interest (with a basis in law).
• To provide and manage health or social care (with a basis in law).
• To manage public health (with a basis in law).
• For Archiving, research and statistics (with a basis in law).

Research

The types of research currently undertaken at the Trust are varied, from complex clinical trials, qualitative health service research, registries, post-marketing surveillance to trainee doctors and students doing low risk, own account studies. Areas of research include:

• Cancer
• Cardiovascular
• Dermatology
• Dietetics
• Endocrinology
• ENT
• Gastrointestinal
• Health Service & Delivery
• Haematology
• Hepatology
• Maternity
• Musculoskeletal
• Neurological
• Ophthalmology
• Paediatrics
• Physiotherapy
• Renal & Urogenital
• Respiratory
• Sexual Health
• Stroke
• Surgical
• Transplant
• Trauma & Orthopaedics

Call recording

Telephone calls to the Trust are routinely recorded for the following purposes:

• To make sure that staff act in compliance with Trust procedures.
• To ensure quality control.
• Training, monitoring and service improvement
• To prevent crime, misuse and to protect staff

Common law duty of confidentiality

Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.

In our use of health and care information, we satisfy the common law duty of confidentiality because:

• you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
• we have support from the Secretary of State for Health and Care following an application to the Confidentiality Advisory Group (CAG) who are satisfied that it isn’t possible or practical to seek consent
• we have a legal requirement to collect, share and use the data
• for specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case-by-case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service

Confidentiality affects everyone: Calderdale and Huddersfield NHS Foundation Trust collect’s, stores and uses large amounts of personal and sensitive personal data every day, such as medical records, personal records and computerised information. This data is used by many people in the course of their work.

We take our duty to protect personal information and confidentiality very seriously and we are committed to comply with all relevant legislation and to take all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

At Trust Board level, we have appointed a Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality.

We will always hold your information securely.

To prevent unauthorised disclosure or access to your information we have implemented strong physical and electronic safeguards.

We also follow stringent procedures to ensure we work with all personal data in line with the UK GDPR legislation.

Your information is securely stored for the time periods specified in the Records Management Code of Practice. We will then dispose of the information as recommended by the Records Management Code for example we will:

• securely dispose of your information by shredding, (using a cross-cut shredder, pulping, or incineration). This can be done on site, or via an approved contractor. A brief description should be kept of everything that has been destroyed, when, and by whom. There are two ways of permanently destroying digital information and these are either: overwriting the media a sufficient number of times or the physical destruction of the media.
• archive the records if there are any independent inquiries which have requested that large parts of the health and social care sector do not destroy any records that are, or may fall into the remit of the inquiry
• hold information which can’t be destroyed if it is the subject of a request under the DPA 18) and/or FOIA or any other legal process, such as an inquest following a death.

The Care Record is a shared system that allows Health or social care professionals within the Calderdale and Huddersfield Health and Social Care community to appropriately access the most up-to-date and accurate information about patients to deliver the best possible care.

Under The General Data Protection Regulation (UK GDPR) 2018 your data is processed under the following lawful processing:

Personal data under 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes;”

or 6(1)(b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;”

The UK GDPR gives you a specific right to withdraw your consent at any time.

Under data protection law, you have rights including:

Your right of access - You have the right to ask us for copies of your personal information (known as a subject access request).

Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.

Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at:

Access to Health Records Office
Calderdale Royal Hospital
Salterhebble
Halifax
HX3 0PW
Telephone: 01422 222 065
Email: accesstodata@cht.nhs.uk

Calderdale and Huddersfield Foundation Trust is one of many organisations working in the health and care system to improve care for patients and the public.   

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment. 

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• improving the quality and standards of care provided 
• research into the development of new treatments  
• preventing illness and diseases 
• monitoring safety 
• planning services 

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this when allowed by law. 

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed. 

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care. You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.

When attending the Trust for an outpatient appointment or a procedure you may be asked to confirm that the Trust has an accurate contact number and mobile telephone number for you. This can be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times.

We employ surveillance cameras (CCTV) on and around our sites in order to:

• protect staff, patients, visitors and Trust property
• apprehend and prosecute offenders, and provide evidence to take criminal or civil court action
• provide a deterrent effect and reduce unlawful activity
• help provide a safer environment for our staff
• assist in traffic management and car parking schemes
• monitor operational and safety related incidents
• help to provide improved services, for example by enabling staff to see patients and visitors requiring assistance
• assist with the verification of claims

You have a right to make a Subject Access Request of surveillance information recorded of yourself and ask for a copy of it. Requests should be directed to the address below and you will need to provide further details as contained in the section ‘How you can access your records’. The details you provide must contain sufficient information to identify you and assist us in finding the images on our systems.

We reserve the right to withhold information where permissible by the General Data Protection Regulation (UK GDPR) 2018 and we will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose CCTV data for legal reasons. When this is done there is a requirement for the organisation that has received the images to adhere to the UK GDPR.

The Freedom of information Act 2000 provides any person with the right to obtain information held by the Calderdale and Huddersfield NHS Foundation Trust, subject to a number of exemptions. If you would like to request some information from us, please visit the Freedom of information section of our website.

If you have any concerns about our use of your personal information, you can make a complaint to us at:

Huddersfield Royal Infirmary
Trust Headquarters
Acre Street
Lindley
Huddersfield
West Yorkshire
HD3 3EA

Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.

The ICO’s address is:    

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

If you have a concern about any aspect of your care or treatment at this Trust, or about the way your records have been managed, you should contact the Patient Advice& Liaison Service (PALS).

The Patient Advice Liaison Service (PALS)

PALS can provide help in many ways. For example, it can:

• help you with health-related questions
• help resolve concerns or problems when you're using the NHS
• tell you how to get more involved in your own healthcare

PALS can also give you information about:

• the NHS
• the NHS complaints procedure, including how to get independent help if you want to make a complaint
• support groups outside the NHS

PALS also helps to improve the NHS by listening to your concerns and suggestions.

Phone: 0800 0130018

Email: patientadvice@cht.nhs.uk