Privacy Notice

How we collect and use your information and how you can access it.

What is a privacy notice?

A Privacy Notice is a statement by the Trust to patients, service users, visitors, carers, the public and staff that describes how we collect, use, retain and disclose personal information which we hold.

It is sometimes also referred to as a Privacy Statement, Fair Processing Statement or Privacy Policy. This privacy notice is part of our commitment to ensure that we process your personal information/data fairly and lawfully.

Confidential information about you

Doncaster & Bassetlaw Teaching Hospitals NHS Foundation Trust (DBTH) collects, stores and processes large amounts of personal data every day, such as medical records, personal records and computerised information.

This makes the DBTH a Data Controller. As a Data Controller, the Trust is registered with the Information Commissioner's Office (ICO). Details of our registration can be found here.

We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of all of the personal and sensitive information for which we are responsible whether it is on a computer system or on paper.

At board level, we have a Senior Information Risk Owner who is accountable for the management of all of our information assets and any associated risks and incidents.

We also have a Caldicott Guardian who is responsible for advising on all aspects of the management of your personal information and its use.

To comply with UK GDPR, we have appointed a Data Protection Officer (DPO) who ensures that the Trust is accountable and complies with UK General Data Protection Regulation (UK GDPR) and current Data Protection Legislation.

Our data protection officer is:

Roy Underwood

Doncaster Royal Infirmary

Armthorpe Road

Doncaster

DN2 5LT

email: dbth.dpo@nhs.net

Why issue a privacy notice?

Doncaster & Bassetlaw Teaching Hospitals NHS Foundation Trust recognises the importance of protecting personal and confidential information in all that we do and takes care to meet its legal and regulatory duties.

This notice is one of the ways in which we can demonstrate our commitment to our Trust Values and Vision and being transparent and open.

This notice also explains what rights you have to control how we use your information.

What are we governed by?

The key pieces of legislation/guidance we are governed by are:

  • Data Protection Legislation
  • UK General Data Protection Regulations (UK GDPR)
  • Human Rights Act 1998 (Article 8)
  • Access to Health Records Act 1990
  • Freedom of Information Act 2000
  • Health and Social Care Act 2012, Health and Social Care (Safety and Quality) Act 2015
  • Public Records Act 1958
  • Copyright Design and Patents Act 1988
  • The Re-Use of Public Sector Information Regulations 2015
  • The Environmental Information Regulations 2004
  • Computer Misuse Act 1990
  • The Common Law Duty of Confidentiality
  • The Care Record Guarantee for England
  • The Social Care Record Guarantee for England
  • International Organisation for Standardisation (ISO) – Information Security Management Standards (ISMS)
  • Information Security Management – NHS Code of Practice
  • Records Management – Code of Practice for Health and Social Care 2016
  • Accessible Information Standard (AIS)

Who are we governed by?

Our consultants, doctors, nurses, healthcare professionals and registered support staff are also regulated and governed by professional bodies including numerous royal colleges.

Why and how we collect information

We may ask for or hold personal confidential information about you which will be used to support delivery of appropriate care and treatment. This is to support the provision of high quality care.

These records may include:

  • Basic details such as name, address, date of birth, and next of kin.
  • Contact we have had, such as appointments and home visits.
  • Details and records of treatment and care, including notes and health reports
  • Results of medical imaging, x-rays, blood tests, etc.
  • Information from people who care for you and know you well, such as health professionals and relatives.

It may also include personal sensitive information such as sexuality, race, your religion or beliefs, and whether you have a disability, allergies or health conditions. It is important for us to have a complete picture, as this information assists staff involved in your care to provide improved care and to deliver appropriate treatment and care plans to meet your needs.

Information is collected in a number of ways: via your healthcare professional, referral details from your GP, or directly given by you.

How your information helps

Your information can help:

  • To help inform decisions that we make about your care.
  • To ensure that your treatment is safe and effective.
  • To work effectively with other organisations who may be involved in your care.
  • To support the health of the general public.
  • To ensure our services can meet future needs.
  • To review care provided to ensure it is of the highest standard possible.
  • To train healthcare professionals.
  • For research and audit.
  • To prepare statistics on NHS performance.
  • To monitor how we spend public money.

There is also potential to use your information to deliver care and improve health and care services across the NHS and social care.

Where we need to have your explicit consent, we will ask you for it, and you will be properly informed.

This is particularly important where the patient is a child. Here you will find that we have provided Privacy Notices and information on our website to help you and your child, and children over 13, to make properly informed decisions about their treatment and their personal information.

Information can be further used to help:

  • Improve individual care.
  • Understand more about disease risks and causes.
  • Improve diagnosis.
  • Develop new treatments and prevent disease.
  • Plan services.
  • Improve patient safety.
  • Evaluate Government, NHS and Social Care policy.

Your rights

UK GDPR provides the following rights for individuals:

  1. The right to be informed – we will tell you what we do with your information. We do this through notices like this one, through service information leaflets, and through our trust website: Doncaster and Bassetlaw Teaching Hospitals NHS Foundation Trust
  2. The right of access – see section on Subject Access Rights below
  3. The right to rectification – we will correct any personal information that is inaccurate or rectify any data that is incomplete
  4. The right to erasure; the right to be forgotten might not apply to your health data (see UK Data Protection Legislation)
  5. The right to restrict processing – we will only restrict the processing of your personal data where it is clinically safe to do so
  6. The right to data portability – we will provide copy notes and copy images; however, any other copy eData will only be provided where and when our eData Systems allow us to extract a full and accurate copy of the data held which is about you
  7. The right to object – your objection will be considered in relation to your particular situation
  8. Rights in relation to automated decision making and profiling

Our lawful basis for processing

Accurate and up-to-date information assists us in providing you with the best possible care. If you see another healthcare professional, specialist or another part of the NHS, they can readily access the information they need to provide you with the best possible care.

Everyone working within the NHS has a legal duty to keep information about you confidential, including anyone in the NHS who receives confidential information from us.

This includes:

  • Public task: the data processing is necessary to perform a task in the public interest, or our official functions, which have a clear basis in Law. Article 6 (e) – GDPR/DPA 18
  • The processing is necessary for the purpose of preventative or occupational medicine, the assessment of the working capacity of employees, medical diagnosis, the provision of health or social care or treatment or management of health or social care system. Article 9 (2) (h) – GDPR/DPA 18
  • The processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection Law. Article 9 (2) (b) – GDPR/DPA 18

Personal data are used lawfully by many people in the course of their work. We employ over 6,500 staff covering a considerable range of clinical expertise and specialisms, across 3 Main Hospital sites and a number of local Outpatient Service clinics, including:

  • Doncaster Royal Infirmary (DRI)
  • Bassetlaw Hospital (BH)
  • Mexborough Montagu Hospital (MMH)
  • Outpatient Services at Retford Hospital

Where possible, when using information to inform future services and provision, non-identifiable information will be used.

How information is retained and kept safe

Information is retained in secure electronic and paper records and access is restricted to only those who need to know. It is important that information is kept safe and secure, to protect your confidentiality.

There are a number of ways in which your privacy is shielded: by removing your identifying information, using an independent review process, adhering to strict contractual conditions and ensuring strict sharing or processing agreements are in place.

UK GDPR and Data Protection Legislation regulate the processing of personal information. Strict principles govern our use of information and our duty to ensure it is kept safe and secure. We will always carry out a Data Protection Impact Assessment (DPIA) whenever a new information system or data flow is being considered. Technology allows us to protect information in a number of ways, in the main by restricting access. Our guiding principle is that we are holding your information in strict confidence.

How do we keep information confidential?

Everyone working for the Trust is subject to the Common Law Duty of Confidentiality and Data Protection Legislation.

Information provided in confidence will only be used for the purposes of which you are aware, unless there are other circumstances covered by the law.

Under the NHS Confidentiality Code of Conduct, all staff are required to protect information, inform you of how your information will be used and allow you to decide if and how your information can be shared. This will be noted in your records. All Trust staff are required to undertake annual training in data protection, confidentiality and IT/cyber security, with additional training for specialists, such as healthcare records and IT staff.

If clinical staff would like a student to be present, they will always ask for your permission before that meeting or episode of care. The treatment or care you receive will not be affected if you refuse to have a student present during your episode of care. Occasionally, for assessment purposes, students may request that their supervisor be present. You may refuse this if it makes you feel uncomfortable.

Who will the information be shared with?

To provide the best care possible, sometimes we will need to share information about you with others. We may share your information with a range of Health and Social Care organisations and regulatory bodies. You may be contacted by any one of these organisations for a specific reason; they will have a duty to tell you why they have contacted you. Information sharing is governed by specific rules and law, and this will be strengthened under UK GDPR.

Sharing with non-NHS organisations

For your benefit, we may also need to share information from your records with non-NHS organisations, from whom you are also receiving care, such as social services or private healthcare organisations. We will not disclose any health information to third parties without your explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires the disclosure of information.

We may also be asked to share basic information about you, such as your name and parts of your address, which does not include sensitive information, from your health records. Generally, we would only do this to assist them to carry out their statutory duties (such as usage of healthcare services, public health or national audits). In these circumstances, where it is not practical to obtain your explicit consent, we are informing you through this notice, which is referred to as a Privacy Notice, under the UK GDPR & Data Protection Legislation. Where patient information is shared with other non-NHS organisations, an information sharing agreement may be drawn up to ensure information is shared in a way that complies with relevant legislation.

Non-NHS organisations may include, but are not restricted to, social services, education services, local authorities, the police, voluntary sector providers and private sector providers.

You have the right to withdraw consent for us to share your personal information

You have the right to refuse/withdraw consent to information sharing at any time. We will fully explain the possible consequences to you, which could include delays in you receiving care.

Data breaches

In spite of our best efforts and structured data security and protection training for all trust staff, sometimes things do go wrong. We will always report these breaches in line with UK GDPR and Data Protection Legislation.

Contacting us about your information

You can contact the Doncaster & Bassetlaw Teaching Hospitals NHS Foundation Trust, Data Protection Officer by using the Contact Us section of our website: Doncaster and Bassetlaw Teaching Hospitals NHS Foundation Trust

If you have any questions or concerns regarding the information we hold on you, or the use of your information please contact the Information Governance team. Email: dbth.dpo@nhs.net

Can I access my information?

Under the UK GDPR & Data Protection Legislation, an individual may request access to information (with some exemptions) that is held about them by an organisation.

For more information on how to access the information we hold about you please contact: dbth.casenoterelease@nhs.net

Your NHS number. Keep it safe

Every person registered with the NHS in England and Wales has their own unique NHS number. It is made up of 10 digits, for example 123 456 7890. Your NHS Number is used by healthcare staff and service providers to identify you correctly. It is an important step towards improving the safety of your healthcare.

Always bring your NHS number with you to all hospital appointments if you can, or quote it if you need to telephone the hospital for any enquiries. This will allow staff to check that they have the right patient details by checking this against your NHS number. To improve safety and accuracy, always check your NHS number on correspondence the NHS sends to you.

If you do not know your NHS number, contact your GP. You may be asked for proof of identity, for example a passport or other form of identity. This is to protect your privacy. Once you have obtained your NHS Number, write it down and keep it safe.

SMS text messaging

Your contact details are important to us, ensuring that we can contact you in regard to appointment bookings, appointment cancellations, and as a means of reminding you of your forthcoming appointments and treatment. The contact information we store will only be used by us in relation to trust business, and we will not pass on your contact details to any other party other than the third party company used to deliver our appointment reminder service. As a data controller themselves, they also have a duty to keep your information safe and secure and to use it only for the contracted purpose.

Sending to other countries

Sometimes your data may be processed outside the UK. In most circumstances it will remain within the European Economic Area (EEA) and it will be afforded the same protection as in the UK through the GDPR. Whenever processing has to take place outside the EEA, we will ensure that lawful data protection and security measures are in place within the contracting process.

How long we keep your information

All personal information will be kept in line with the retention periods detailed in the Health Records Code of Practice for Health & Social Care Records 2016.

Further information

Further information can be found on the NHS Choices website.

Where any contact details are given for members of Trust staff, notice is hereby given, under the UK GDPR & Data Protection Legislation on behalf of the individual or individuals that this personal information may not be used for the purposes of direct marketing.

Contacting us if you have a complaint or concern

We try to meet the highest standards when collecting and using personal information. We encourage people to bring concerns to our attention, and we take any complaints we receive very seriously. You can submit a complaint through the Trust’s Complaints Procedure, or you can write to: Patient Advice and Liaison Service, Doncaster Royal Infirmary, Armthorpe Road, Doncaster. DN2 5LT / Email: dbth.pals@nhs.net

If you remain dissatisfied with the Trust’s decision following your complaint, you may wish to contact: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF. Their web site is at Information Commissioner’s Office

The Information Commissioner will not normally consider an appeal until you have exhausted your rights of redress and complaint with the Trust.

Copyright

Our copyright and database right material is licensed for use and re-use under the Open Government Licence (OGL). To view this licence, visit Open Government Licence or write to: Information Policy Team, The National Archives, Kew, Richmond, Surrey. TW9 4DU

Use of information expressly made available under this licence indicates your acceptance of the terms and conditions as set out in the OGL. When you use our information under the OGL, you should include the following attribution: [Insert name of information resource, Doncaster & Bassetlaw Teaching Hospitals NHS Foundation Trust, date of publication], licensed under the Open Government Licence https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/

For information: where the copyright is owned by another person or organisation, you must apply to the copyright owner to obtain their permission to use/re-use.
