Fair processing notice
Our Data Protection Guarantee
In order to comply with data protection legislation, this notice has been designed to inform you of what you need to know about the personal information we process. This is your assurance that we are complying with our legal obligation to you and a good opportunity for you to understand or exercise your information rights.
We are legally required to tell you:
- What personal information we use
- Why we need your personal information
- The lawful basis for processing your personal information i.e. legitimate reasons for collecting, keeping, using and sharing it
- How we use, store, protect and dispose of your personal information
- How long we keep it for and who we may share it with
- About your information rights
- How to report a complaint or concern
Your Personal Information
By personal information, we mean any information that can identify a specific person, either on its own or together with other information. The obvious examples are name, address and date of birth; however, this could include other forms of data, such as email address, car registration, specific physical feature, NHS number, pictures, images and so forth.
This also includes Pseudonymisation, which is the use of a random set of numbers or letters to generate a unique identifier (pseudonym), which can be matched with additional information (such as a ‘key’) to identify you. This does not reveal your identity, but allows the linking of different data. This is commonly used in research, where your identity is linked with a random number for the purpose of publishing research findings; the key is never shared but used to link your research data to you.
Most of the personal information we process is confidential or sensitive because of the nature of our business activities (health and social care). This could be used in a discriminatory way and is likely to be of a private nature, so greater care is needed to ensure this is processed securely. Confidential or sensitive information includes your racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, Trade Union membership, physical or mental health or condition, sexual life, and the commission or alleged commission of, or proceedings for, any offence.
Anonymised data is not personal information. This is any information that cannot reasonably identify you, so it cannot be personal, confidential or sensitive. Anonymisation requires the removal of personal information that might identify you. This process allows personal information to be converted into an unidentifiable format to support processing your personal information without compromising data protection requirements or posing privacy risks. This is always the first thing we consider when we need to use your personal information, opting to use your personal information only when absolutely necessary.
We may collect and use your personal information about your contact details, identity, medical history, qualifications, financial details, learning needs analysis, employment records, criminal records or any other information which may be confidential or sensitive which you have provided to the Trust or through a third party, other health and social care professionals, local authorities, voluntary organisations, relatives or those who care for you.
Processing Personal Information
Barking, Havering and Redbridge Hospitals NHS Trust (BHRUT, the Trust) is responsible for planning, procuring, commissioning, implementing and providing NHS services for administrative, direct care, and research purposes, or to meet a legal and regulatory requirement. This may require the use of personal data of our data subjects (staff, patients, service users or any individual whom the Trust holds information on), which is why data protection legislation under the Data Protection Act 2018 and General Data Protection Regulation 2016 (GDPR) requires the Trust to process your personal information:
- Fairly and lawfully with transparency
- For explicitly specified and legitimate purposes
- Adequately, relevant and limited to the specified purpose
- Ensuring its accuracy and integrity
- No longer than is necessary
- In ways that comply with the law
- With adequate safeguards in place when agreed to be transferred outside of the UK
The personal information we collect may be used for any of the following specific purposes:
- Health care for patients – diagnosis, treatment and referral
- Accounting, financial management and auditing
- Commissioning and procuring services
- Education and training
- Consultancy and Advisory services
- Human resources and staff administration
- Crime prevention and prosecution
- Health administration and services management
- Business activity information and databank administration
- Contractual arrangements for data processing by third parties on behalf of the Trust
- Occupational Health referrals
- Research, national surveys
- Advertising, marketing and public relations or insurance
- Security services e.g. CCTV monitoring, confidentiality audits
Without your personal information, we cannot:
- Direct, manage and deliver the health care you may require
- Ensure we have accurate and up to date information to assess and provide what you require
- Provide the appropriate level of assistance or adequate guidance
- Refer you to a specialist or another service
- Protect the general public or promote public health
- Manage, develop or improve our services
- Investigate complaints or proceed with legal actions for claims
- Employ you to join our workforce
- Procure products and services
- Commission business activities
- Comply with a court order
- Comply with regulatory requirements
- Meet some of our legal obligations
- Compile statistics to review our performance
- Educate and train our workforce
- Standardise best practice across the Trust
- Undertake clinical trials and research studies you have or your next of kin has consented to
- Complete occupational health checks you have consented to
- Keep you and other service users safe on our premises
Lawful Basis for Processing your Personal Information
We do not rely on consent to use your personal information as a ‘lawful basis for processing’ following appropriate guidance from the Information Governance Alliance of the Department of Health (DoH), NHS England, NHS Digital and Public Health England (supported by the Information Commissioner's Office (ICO) and the National Data Guardian's Office). We rely on the following specific provisions under Article 6 (Lawful Processing) and 9 (Processing of Special Categories of Personal Data) of the GDPR:
- Article 6 (1c) ‘processing is necessary for compliance with a legal obligation…’
- Article 6 (1e) ‘a task carried out in the public interest or in the exercise of official authority vested in the controller.’
- Article 9 (2b) ‘for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law’
- Article 9 (2h) ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services’
- Article 9 (2i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices’
This means that the Trust will:
- Use your personal information to provide you with your care or for legitimate administrative purposes without seeking your consent. However, you do have the right to say no to our use of your personal information but this may have an impact on our ability to provide appropriate care or services. Please speak to your healthcare professional, the team providing your care or contact our Data Protection Officer.
- Collect and use your personal information to provide care and run our hospitals but will not use it for anything else that is not considered by law to be for this purpose
- Use enough of your personal information that will be relevant and necessary to carry out various tasks within the delivery of your care and running our services
- Keep your personal information accurate and up to date when using it and if it is found to be wrong, make it right, where appropriate, as soon as possible
- Keep your information in a way that will identify you for as long as legally required, whilst ensuring your rights
- Have secure processes in place to keep your personal information safe when it is being used, shared, and when it is being stored.
We will always secure your unambiguous, freely given, specifically expressed and fully informed consent to share your personal information, if we do not have a lawful basis to do so. In circumstances where it is not practical to inform you of the intended use, we are informing you through this notice.
We never use your personal information for advertising, marketing and public relations or insurance purposes without your consent.
You reserve the right to restrict, refuse or withdraw consent at any time, where there’s no lawful basis for processing your personal information without your consent. We will fully explain the possible consequences to you, which may affect the care or service you receive from the Trust.
Retention and Disposal of Personal Information
Your personal information may be written down (manual), digitised or held on computers (electronic) centrally within or outside of the Trust. These may be paper records, scans, photographs, slides, CCTV images, microform (i.e. fiche/film), audio, video, emails, computerised records on IT systems, or scanned documents etc. which we process securely in accordance with data protection legislation. In addition, all NHS staff, anyone that works for or volunteers, and third party organisations (suppliers, service providers and data processors) are bound by a legal duty of confidentiality in their professional code of practice and/or under contractual obligations.
We follow national guidelines in the current national retention and disposal schedule for the Records Management Code of Practice for Health and Social Care 2016 which is referenced in our Trust Health Records Management Policy and Corporate Records Management Policy, to determine how long we must store your personal information for and when or if to dispose of it securely.
Keeping your Personal Information Safe
We are committed to keeping your information secure and have operational policies, procedures and technical measures in place to protect your information whether it is in a hardcopy, digital or electronic format.
We are registered to the Information Commissioner’s Office: registration number Z8284051
All of the Information Systems used by our Trust are implemented with robust information security safeguards to protect the confidentiality, integrity and availability of your personal information. The security controls adopted by the Trust are influenced by a number of sources including the 10 National Data Guardian Standards and guidelines produced by NHS Digital and other government standards.
Mandatory training and regular audits are in place to ensure that only authorised personnel with an absolutely necessary need to know your personal information can use it. We have also implemented best practice and information security controls to reduce the risk of unauthorised access to your personal information. If any of your personal information is to be processed overseas (i.e. outside the EU) a full risk assessment would be undertaken to ensure the security of the information.
When there are data protection breaches (for example - unauthorised access, inappropriate use, failure to secure and keep personal information secure or accurate), these are reported and investigated, with appropriate action (disciplinary, legal, lessons learned, re-training etc.) taken.
You can email our Data Protection Officer to find more information about how we keep your information safe or for copies of our Trust policies and procedures.
Sharing Personal Information
We may need to share your personal information with another organisation e.g. NHS organisations, health and social care organisations, public bodies (Social Services, Probation Service, Police, Regulatory Authorities) or third party providers commissioned to process personal information on our behalf, when anonymisation or pseudonymisation is not viable.
This is because of our duty to share, which is equally as important as our duty of confidentiality. We may also share your personal information for planning services across the NHS. This is vital to delivering better healthcare and improving our services.
New models of service delivery are being implemented across the NHS, with closer working with GPs and other health and social care providers, facilitated by the use of electronic patient record systems to share your personal information. As a university hospitals Trust, teaching may not be effective or possible without sharing your personal information.
You have the right to say no and to opt out of or restrict this sharing. Your right to opt out for reasons other than direct care (e.g. planning and research purposes) is managed through the National Data Opt-Out Programme (search online or contact NHS Digital on 0300 303 5678 to find out more).
When we are required by law to report certain personal information to the appropriate authorities, formal permission has to be given by our Caldicott Guardian (Associate Medical Director for Standards), Data Protection Officer (Head of Information Governance) and Senior Information Risk Owner (Director of Information Management and technology).
Acting as the 'conscience' of the Trust, they actively support work to enable information sharing where it is appropriate to share, and advise on options for lawful and ethical disclosure of personal information.
Your personal information will only be shared if there is a lawful basis to do so and under contractual agreements (for third parties), with strict conditions to keep it confidential and secure in the same way that the Trust must comply with its legal obligation to you. We have a legal process in place known as a Data Protection or Privacy Impact Assessment, which is required when a new process, product, project, system or service, or a change to an existing one, is proposed that will use or access your personal information. An information sharing agreement is also drawn up to ensure information is shared in a way that complies with relevant legislation, especially with non-NHS organisations.
However, your right to confidentiality is not absolute which means that we will not require your consent to share your personal information:
- If there is a concern that you are putting yourself at risk of serious harm
- If there is concern that you are putting another person at risk of serious harm
- If there is concern that you are putting a child at risk of harm
- If we have been instructed to do so by a Court
- If the information is essential for the investigation of a serious crime
- If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
- If your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases
Control of Patient information (COPI) Notice due to Covid-19:
From 17 March 2020 the Department of Health and Social Care have taken action to manage and mitigate the spread of Covid-19. One of the main actions taken will require the sharing of confidential patient information amongst health organisations and other appropriate bodies for the purpose of protecting public health.
You can find more about what personal information we share, to whom and for what purpose by contacting our Data Protection Officer.
Your Information Rights
You have the right to:
- Be informed about the processing of your personal information by the Trust (done through this notice)
- Access the information we hold about you (paper, digital or electronic copies)
- Ask the Trust to correct or complete your personal information
- Ask the Trust to erase your personal information under certain circumstances, if the Trust does not have a lawful basis to process it.
- Ask the Trust to restrict the processing of your personal information under certain circumstances
- Ask the Trust to move, copy and transfer your personal information which you have provided to the Trust, in a portable, commonly used/machine-readable format and securely, for your own purpose
- Ask us not to process your personal information
- Ask us not to use your personal information for public interests, direct marketing, automated decision-making, profiling, research or statistical purposes
- Receive a response to your access or change request within a calendar month*
*The Trust may extend the time limit to respond to your request by two calendar months if your request is complex or where a number of requests have been received from you. However, the Trust will acknowledge your request within one calendar month of receiving it and explain if/why an extension is required.
Your rights are not absolute; we may refuse to comply with your request under certain circumstances permitted by law.
For example, where your personal information:
- Was provided by someone else who hasn’t given permission for you to see it
- Relates to criminal offences
- Is being used to detect or prevent crime
- Could cause physical or mental harm to you or someone else
Your request must be made in writing and we will require proof of identity before we can disclose any personal information. You can find out more about accessing your personal information by contacting our Subject Access Requests Team or writing to us:
Subject Access Team
Health Records Department
1st Floor Blue Zone,
Telephone: 01708 435 000
Report a complaint or concern
We try to meet the highest standards when processing personal information. You should let us know when we get something wrong by contacting the Complaints Department or our Data Protection Officer or writing to us:
1st Floor Neutral Zone,
Telephone: 01708 435 000
Information Governance Department
Queens Hospital Stores
4 Lyon Road
Telephone: 01708 435 000
You may prefer to contact the Information Commissioner’s Office (ICO):
Telephone: 0303 123 1113
The ICO will not normally consider an appeal until you have exhausted your rights of redress and complaint to the Trust.
Access your health records (Subject Access Request)
Data protection legislation gives individuals or their authorised representative the right to apply for copies of any personal information held about them by the Trust.
If you wish to access your personal information held at any of the Trust’s health centres, clinics or other sites, please email firstname.lastname@example.org
If you are seeking copies of your child’s health records, you will also need to supply proof of your child’s identity and your parental responsibility. Access to health records legislation allows us to share health records of a deceased person with authorised representative(s) or any person who may have a claim arising out of that person’s death. If you are requesting personal information about someone who has died you will need to supply a copy of their death certificate and proof that you are the executor or a beneficiary within the last will and testament.
You can also request health records by post to:
Subject Access Team
Health Records Department
1st Floor Blue Zone, Queen’s Hospital
Fair processing notice for maternity patients
Controller’s contact details: Barking, Havering & Redbridge University Hospital Trust
Data Protection Officer’s contact details: Head of Information Governance (email: Bhrut.email@example.com)
Purpose and legal basis for processing
We collect information about you (your personal data) for the Maternity Services Data Set (MSDS), to help achieve better outcomes of care for mothers, babies and children. The data set collects information about the mother’s demographics (e.g. postcode, date of birth, ethnic category), booking, diagnosis and admission details, as well as details about screenings and tests and labour/delivery. The data set also collects details about the baby’s demographics (e.g. date and time of birth, sex) and relevant tests prior to discharge from maternity services.
What we do with it
The data is securely sent to NHS Digital which is the central organisation that receives the same data from all NHS-funded maternity services across England. NHS Digital removes all identifying details and combines the data we send with the data sent by other care providers, forming the MSDS.
The data set is used to produce anonymised reports that only show summary numbers of, for instance, patients referred to different maternity services. It is impossible to identify any individual patient in the reports, but the reports do help us to improve the care we provide to you and other patients.
No information that could reveal your identity is used in national reports.
The benefits of the MSDS to you as a patient include:
- making sure maternity services are available to all patients and measuring the respective care delivered
- better care, through monitoring progress to allow future services to ensure that the maternity care provided is mother and child-centric
- informing patients about the care offered at different hospitals
- more personalised and better organised care for patients through understanding what care is needed nationally, for example understanding how the antenatal care provided can affect outcomes for both mother and baby
The data held in the MSDS may also be linked to data held by NHS Digital from various other data sets and collections, including (but not limited to) the Community Services Data Set (CSDS) and Mental Health Services Data Set (MHSDS). The MSDS data may also be linked to external data sources such as Office for National Statistics (ONS) data and data from the National Neonatal Data Set. More information about the data sets and collections that NHS Digital hold and that may be used for linkage can be found on the NHS Digital website. Linkage is carried out in order to investigate the relationship between care in maternity services and subsequent activity, such as health visiting and school nursing activity, as well as referrals to neonatal units, mental health services and other services.
For more information about how NHS Digital uses your personal data including their lawful basis for processing, how long they hold it for and your rights, please see their website: https://digital.nhs.uk/about-nhs-digital/our-work/keeping-patient-data-safe/gdpr/gdpr-register
Alternatively, you can call 0300 303 5678. More information about the Maternity Services Dataset (MSDS) can be found at the following website: https://digital.nhs.uk/data-and-information/data-collections-and-data-sets/data-sets/maternity-services-data-set
We keep your data for 25 years in line with national recommendations. You have a right to object to the processing (use) of your personal data in some circumstances by letting us know. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. This will not affect your treatment in any way.
You can also make a subject access request for information that we hold about you. This can be made by writing to:
Subject Access Team Health Records Department
1st Floor Blue Zone
Telephone: 01708 435 000
You also have the right to have inaccurate personal data rectified and to request the restriction or suppression of your personal data in specific circumstances, for example if you feel that the data held is inaccurate. Please contact us on firstname.lastname@example.org
Your right to complain
If you wish to raise a complaint concerning our handling of your personal data, please visit our Feedback and Complaints pages. You also have a right to raise a concern with the Information Commissioner's Office at any time. Their contact details are: