Patient and Public Privacy Notice
This Privacy Notice explains what we do with your personal information where we are providing, or have provided, care to you. It tells you:
- the information we collect about you
- how we store this information
- how long we retain it
- who we may share it with
- for which legal purpose we may share it
You can read the different sections of the Privacy Notice in the drop down menus below.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time. We will notify you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
Download the full Privacy Notice
You can download a copy of our Privacy Notice: Privacy Notice 24032021 VFINAL.pdf [pdf] 673KB
Why we collect personal data about you
Why we collect personal information about you
The staff caring for you need to collect and maintain information about your health, treatment and care, so that you can be given the best possible care.
Health records comprise of information relating to your physical and/ or mental health, created to support your care. Health records consist of both electronically-held information, such as radiology images and test results, and paper records which have been scanned.
Your records will information from throughout your contact with the Trust, including referral and discharge letters, observation charts, outpatient/inpatient clinical notes, and relevant information from people who care for you and know you well such as health professionals and relatives/ carers.
Our legal basis for processing personal information
The ways in which we use your information are governed by law.
Clinical (direct) care
When your information is used for your care and administrative purposes related to your care it is processed for the purposes of “the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” under the GDPR Article 6(1)e and the “provision of health or social care or treatment or the management of health of social care systems and services” under the GDPR Article 9(2)h.
Secondary (indirect care) purposes
When there is a legal requirement that we provide specified data to NHS Digital for example, we rely on Article 6(1)cof the GDPR. In cases where the common duty of confidentiality cannot be satisfied through consent we seek approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.
In most instances we will rely on Article 6(1)e and Article 9(2)j of the GDPR if and when we use your information for research. If you have formally consented to take part in research, this will satisfy the common law duty of confidentiality. Where it has been impracticable to obtain your consent we will seek approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.
Personal information we need to collect about you & how we collect it
We collect personal information about you in a number of ways. This can be from referral details from your GP or another hospital, or directly from you or your authorised representative.
It is likely that we will hold the following basic personal information about you:
- Your name
- Your address (including correspondence)
- Your telephone numbers
- Your date of birth
- Your next of kin contacts
- Your GP details
We might also hold your email address, marital status, occupation, overseas status, place of birth and preferred or maiden name.
In addition to the above, we may hold special category personal information about you which could include:
- notes and reports about your health, treatment and care, including:
- your medical conditions (physical and mental)
- results of investigations, such as X-rays and laboratory tests
- future care you may need
- personal information from people who care for and know you, such as relatives and health or social care professionals
- other personal information, such as smoking status
- your religion and ethnic origin
- whether or not you are subject to any protection orders regarding your health, well-being and human rights (safeguarding status)
- where applicable, the date and cause of a person’s death in our hospitals
This personal information can be held in a variety of formats, including paper records, electronically on computer systems, in video and audio files.
It is important for us to have a complete picture of you as this will assist staff to deliver appropriate treatment and care plans in accordance with your needs.
Security cameras are installed at various locations at Nottingham City Hospital, Queens Medical Centre and Ropewalk House to help prevent and detect crime, and for the protection of staff, visitors and patients and their property.
Body worn cameras may be used in line with the Trust CCTV Policy.
Requests for copies of recordings should be directed to the Data Protection Administration Office. The use of CCTV and any disclosure of images will be in accordance with the codes of practice issued by the Information Commissioner.
Who do we share your information with?
We may on occasions need to share relevant personal information with other NHS organisations.
Some examples are:
- The Trust participates in the Nottinghamshire Health and Care Portal. The portal enables providers to electronically share health and social care information, such as hospital and GP attendances, test results, medication and care plans with other Nottinghamshire health and social care providers. With explicit consent, health and social care professionals, or staff who are supervised by health and social care professionals, will be able to access information to better coordinate and provide care. Access is strictly controlled and the shared record is hosted by Nottingham University Hospitals NHS Trust in a secure data centre.
- With the explicit consent of the patient, Macmillan holistic needs assessments are shared with the patient’s GP and community teams.
- The Trust manages the Nottingham Treatment Centre on the Queens Medical campus and holds records of your previous attendances at the Centre.
- When children and young people attend NUH information may be shared with relevant health care professionals e.g. Health Visitor, School Nurse.
Who might we share your information with?
We may need to share information with other non-NHS organisations from which you receive care, such as Social Services or private care homes. However, we will not disclose information to third parties unless there are specific circumstances, such as when the health or safety of others is at risk, where current legislation permits or requires it or where we have explicit consent.
There are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
There may also be situations where we are under a duty to share your information due to a legal requirement. This includes, but is not limited to:
- Disclosure under a court order.
- Sharing with the Care Quality Commission for inspection purposes.
- Sharing with the police for the prevention or detection of crime.
- Where there is an overriding public interest to prevent abuse or serious harm to others.
- Where the law requires it.
- To comply with Confidentiality Advisory Group approvals under Section 251 of the NHS Act 2006, which permits the collection of health information for patients with specific conditions without consent for the benefit of research and other important activities.
- Examples include the National Cancer Registry, the Trauma Audit and Research Network, the National Congenital Anomaly, Rare Disease Registration Service, and the NHS Patient Survey Programme. If you wish to opt out of your information being used for these purposes, please contact the Trust’s Data Protection Officer.
- Notifications of:
- new births
- diagnosis of infectious diseases such as meningitis or measles (but not HIV or AIDS) which may put other people at risk
The personal information we collect about you may also be used to:
- remind you about your appointments and send you relevant correspondence
- review care we provide to ensure it is of the highest standard and quality, e.g. through audit, service improvement and research, for example Friends and Family test
- support the funding of your care, e.g. with commissioning organisations
- prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies
- help train and educate healthcare professionals
- report and investigate complaints, claims and untoward incidents
- review your suitability for research studies or clinical trials
- contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients
- contact you with regards to Trust membership
- contact you to provide spiritual, religious and emotional support to all patients, regardless of faith, as part of our holistic approach to patient care
Where possible, we will always look to anonymise/ pseudonymise personal information so as to protect confidentiality, unless there is a legal basis that permits us to use it, and we will only use or share the minimum information necessary.
The Data Protection Act gives individuals certain rights in relation to their personal data, including the right to:
- Request access to personal data we hold about you, e.g. in health records
- Request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards.
- Refuse/ withdraw consent to the sharing of your health records (in certain circumstances);
- In limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
- Request your personal information to be transferred to other providers on certain occasions.
- Object to the use of your personal information
- In certain circumstances you may also have the right to "object" to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment.
- Challenge any decisions made without human intervention (automated decision making).
- Ask us to restrict the use of your information where appropriate
How we maintain your records
Your personal information is held in both paper and electronic (including audio recordings, electronic databases etc.) formats, for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.
We hold and process information in accordance with Data Protection legislation. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.
We have a duty to:
- Maintain full and accurate records of the care we provide to you.
- keep records about you confidential and secure.
- provide information in a format that is accessible to you.
Your personal information will only be kept for as long as is necessary and will be destroyed in accordance with the Trust's Record Management Policy This varies depending on the type of information. Typically, your health record is destroyed or deleted 8 years following the end of treatment, or death. Records for some patients, e.g. children’s records, are kept much longer. Our policy on the Retention and Disposal of Health Records is available here.
We will always try to keep your information confidential and only share information when absolutely necessary. We have procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How do I update the personal information you have about me?
It is essential that we have your correct details to ensure the appropriate care, treatment and follow up is provided to you. If you change your name, address, phone number, or GP, please let our staff know so that your records can to be updated. You should also tell us if any of your information we hold is incorrect.
If you have any questions or concerns regarding how your data is being processed, please contact the Data Protection Officer.
Post: Data Protection Officer, Data Protection Administration Office, Nottingham University Hospitals, Queen’s Medical Centre, Derby Road, Nottingham, NG7 2UH
Tel: 0115 9249924 ext 83975/82264/85222/84227
If after exhausting our internal processes you believe that we have not complied with the data protection legislation you may wish to seek advice from the Information Commissioner.
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113 (local rate)
Tel: 01625 545 700 (national rate)