Data Protection - Our Privacy Notice
The General Data Protection Regulation came into force on 25 May 2018, giving you more control over your personal data and to be kept informed about how your information is used. GDPR has now been brought into UK law and is known as the UK GDPR.
A Privacy Notice is a statement by the Trust to patients, service users, visitors, carers, the public and staff, that describes how we collect, use, retain and disclose personal information which we hold.
North West Anglia NHS Foundation Trust recognises the importance of protecting personal and confidential information in all that we do and takes care to meet its legal and regulatory duties.
This Privacy Notice explains what information we collect about you, how we store this information, how long we retain it and with whom and for which legal purpose we may share it. This notice may be updated at any time. To find out more about our Privacy Notice, please select the relevant section below.
Who we are
North West Anglia NHS Foundation Trust (the Trust) employs nearly 7000 staff and was formed on 1 April 2017. The Trust runs three hospitals – Peterborough City Hospital, Hinchingbrooke Hospital and Stamford and Rutland Hospital - and provides radiology and outpatient services at The Princess of Wales Hospital, Ely and Doddington Hospital near March. In addition, the Trust provides radiology services at North Cambs Hospital in Wisbech. Our Trust serves approximately 700,000 residents living in Cambridgeshire, South Lincolnshire and the neighbouring counties. All three main hospital sites deliver inpatient and outpatient services.
The Trust is a "data controller". This means that we are responsible for deciding how we hold and use personal information about you.
The Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and UK GDPR and our registration number is Z6661010.
For further information about the Trust, please refer to the Our Trust section of this website.
Cambridgeshire and Peterborough Integrated Care System (ICS)
Like other NHS organisation across the country, we have recently become part of the Cambridgeshire and Peterborough Integrated Care System (ICS)
What is an ICS?
Integrated Care Systems, or ICSs, are partnerships between organisations that meet health and care needs across an area. In our case our Integrated Care System covers all of Cambridgeshire and Peterborough.
By working together under one umbrella organisation, different parts of the health and care system are better able to improve the health and wellbeing of local communities, reducing health inequalities and putting patients at the heart of everything we do.
What does this mean for patients?
Rather than providing healthcare and social care in separate, and sometimes isolated, parts of the system, the ICS approaches each patient’s health and social care needs as a whole. This will help us offer better, more consistent treatment to our patients. Among other things, the ICS will help us achieve this by:
- Delivering care as close as possible to homes of the communities we serve – where possible, local providers will be empowered to design and deliver care on a local level
- Introducing a shared care record which will allow us to understand the patient’s needs as a whole
- Using public health data to inform decisions across the system
You can find more information here Cambridgeshire & Peterborough Integrated Care System | CAPCCG Website (cpics.org.uk)
Personal Information We Need To Collect About You And How We Obtain It
Personal information about you is collected in a number of ways. This can be from referral details from your GP or another hospital, directly from you or your authorised representative.
We will likely hold the following basic personal information about you:
- Personal details (such as your name - including any maiden name, date and place of birth, gender, occupation, overseas status and marital status)
- Contact details (such as address - including correspondence, telephone numbers and email address)
- Information about your family and others (such as next of kin contacts and carers/representatives)
- Security information (such as CCTV footage)
Some of the information which we collect may be special categories of personal data (also called sensitive personal data). The special categories of personal data about you which we may collect include notes and reports about your health, treatment and care, including:
- Your medical conditions
- Results of investigations, such as xrays and laboratory tests
- Future care you may need
- Personal information from people who care for and know you, such as relatives and health and social care professionals
- Other personal information such as smoking status and any learning disabilities
- Your religion, race, sex life, sexual orientation and ethnic origin
- Whether or not you're subject to any protection orders regarding your health, wellbeing and human rights (safeguarding status).
It is important for us to have a complete picture of you as this will assist staff to deliver appropriate treatment and care plans in accordance with your needs.
How And Why We Use Your Personal Information
We use the types of personal data listed above for a number of purposes, each of which is processed in accordance with a "lawful basis". In accordance with the data protection laws, we need a "lawful basis" for collecting and using information about you. There are a variety of different legal bases for using personal data which are set out in the data protection laws.
We have set out below the different purposes for which we collect and use your personal data, along with the lawful bases we rely on to do so.
Your records are used to directly, manage and deliver healthcare to you to ensure that:
- The staff involved in your care have accurate and up to date information to assess and advise on the most appropriate care for you.
- Staff have the information they need to be able to assess and improve the quality and type of care you receive.
- Appropriate information is available if you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or health provider.
The personal information we collect about you may also be used to:
- Remind you about your appointments and send you relevant correspondence.
- Review the care we provide to ensure it is of the highest standard and quality, e.g. through audit or service improvement;
- Contact you to complete the Friends and Family Test (FFT). You may be contacted by employees of the Trust, or a contractor acting on its behalf;
- Support the funding of your care, e.g. with commissioning organisations;
- Prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies;
- Help to train and educate healthcare professionals;
- Report and investigate complaints, claims and untoward incidents;
- Report events to the appropriate authorities when we are required to do so by law;
- Review your suitability for research study or clinical trial;
- Contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients.
The lawful basis on which we rely in order to use the information which we collect about you for the purposes set out above is that using your information in this way is necessary in the exercise of official authority vested in the Trust. The source of this official authority includes the Health and Social Care Act 2016.
We may also rely on the lawful basis that using your information in this way is necessary for us to comply with legal and regulatory obligations to which we are subject.
In limited circumstances, we may also process your personal data based on you providing your consent.
Where possible, we will look to anonymise/pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it and we will only use/share the minimum information necessary.
Online outpatient video consultations
- You may be asked by a clinician if you would like to use our video consultation service for your next outpatient follow up appointment.
- It is your responsibility to let us know if your details have changed in any way. This would include details like your home address, details of who your GP is and any name changes. Not doing this could result in a delay in your treatment. If your personal details are in any way incorrect please email the correct information to email@example.com
- For further information please visit the Online video consultation section on the Outpatients page on the Trust’s webpage.
How And Why We Use Your Sensitive Information
A lot of the information which we collect will be special categories of personal data (also called sensitive personal data). This will mostly consist of information about your health but may also include information about, for example, your ethnic background or race.
Special categories of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.
We will use your particularly sensitive personal information in the provision of healthcare on the basis that it is necessary for reasons of medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
Who We Share Your Information With And Why
We may need to share relevant personal information with other NHS organisations. For example, we may share your information for healthcare purposes with health authorities such as NHS England, Public Health England, other NHS trusts, general practitioners (GPs), ambulance services, primary care agencies, etc. We will also share information with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs.
We may need to share information from your health records with other non-NHS organisations from which you are also receiving care, such as Social Services or private care homes. We will share your personal information with these third parties where required or permitted by law, where necessary for the provision of health and social care or with your explicit consent.
There are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
We may provide information to non-NHS partner organisations that act as ‘data processors’ and with whom we have binding confidentiality agreements to carry out an agreed service for the Trust.
There may also be situations where we are under a duty to share your information, due to a legal requirement. This includes, but is not limited to, disclosure under a court order, sharing with the Care Quality Commission for inspection purposes, the police for the prevention or detection of crime or where there is an overriding public interest to prevent abuse or serious harm to others and other public bodies (e.g. HMRC for the misuse of public funds in order to prevent and detect fraud).
For any request to transfer your data internationally outside the UK/EU, we will make sure that an adequate level of protection is satisfied before the transfer.
The Trust is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to the Trust in confidence will be used for the purposes explained to you and where required will be based on your consent.
The Trust has partnered with DrDoctor to introduce a brand new patient portal and text message reminder service designed to make it easier for you to manage your outpatient appointment. For information on how your information is used and how you can opt out of this service please see the Trust DrDoctor website page.
How We Maintain Your Records
Your personal information is held in both paper and electronic forms for specified periods of time, as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.
We hold and process your information in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and any associated legislation. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.
We have a duty to:
- Maintain full and accurate records of the care we provide to you;
- Keep records about you confidential and secure;
- Provide information in a format that is accessible to you.
Use of email
Some services in the Trust provide the option to communicate with parents via email. Please be aware that the Trust cannot guarantee the security of this information whilst in transit, and by requesting this service you are accepting this risk. Further information can be found in our Information Governance policies.
Your Duty To Inform Us Of Changes
It is your responsibility to let us know if your details have changed in any way to ensure that our records are accurate and up to date. This includes details like your home address, details of who your GP is and any name changes. Not doing this could result in a delay in your treatment. If your personal details are in any way incorrect please email the correct information to firstname.lastname@example.org.
How We Comply With Data Protection Laws
We comply with data protection law. At the heart of data protection laws are the "data protection principles" which say that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way;
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
- Relevant to the purposes we have told you about and limited only to those purposes;
- Accurate and kept up to date;
- Kept only as long as necessary for the purposes we have told you about; and kept securely.
What Are Your Rights?
Under certain circumstances, by law you have the right to:
- Request access to the personal data we hold about you, e.g. in health records. The way in which you can access your own health records is explained on our Accessing your medical records page.
- Request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards.
- Refuse/withdraw consent to the processing of your health records: Under the Data Protection Act 2018, we are authorised to process your health records ‘for health or social care purposes'. Your consent will only be required if we intend to share your health records beyond these purposes, as explained above (e.g. research). Consent forms you are asked to sign will give you the option to ‘refuse’ consent and will explain how you can ‘withdraw’ any given consent at a later time. The consent form will also warn you about the possible consequences of such refusal/withdrawal. Once we have received notification that you have withdrawn your consent, we will make every reasonable effort to no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
- Request your personal information to be transferred to other providers on certain occasions.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to the use of your personal information: In certain circumstances you may also have the right to ‘object’ to the processing of your information where the processing would be for a purpose beyond your care and treatment (e.g. as part of a local/regional data sharing initiative). You may be able to 'opt out' of the processing of your personal information for purposes other than your care and treatment. Further information can be found on the following website: https://digital.nhs.uk/national-data-opt-out
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
If you wish to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please write to:
- Peterborough or Stamford Hospitals: post to Access Services Team, Department 012, Peterborough City Hospital, Bretton Gate, Peterborough, PE3 9GZ
- or email email@example.com
- Hinchingbrooke Hospital: post to Access to Health Records Department, Hinchingbrooke Hospital, Hinchingbrooke Park, Huntingdon, PE29 6NT
- or email firstname.lastname@example.org
National data opt-out programme
The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning.
The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.
You can view or change your national data opt-out choice any time, by visiting: www.nhs.uk/your-nhs-data-matters.
Our Data Protection Officer
Our Data Protection Officer is responsible for overseeing what we do with your information and monitoring our compliance with data protection laws.
If you have any concerns or questions about our use of your personal data, you can contact our Data Protection Officer by writing to:
- Information Governance Team
North West Anglia NHS Foundation Trust
Peterborough City Hospital
Edith Cavell Campus
- Or email email@example.com
The Information Commissioners Office
The Information Commissioner’s Office (ICO) is the body that regulates the Trust under Data Protection and Freedom of Information legislation. You can find their website here.
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the ICO at: