Patient privacy notice
Introduction
- We respect your privacy and are committed to protecting your personal data.
- This privacy notice sets out details of the data that we may collect from you and how we may use that information as a patient.
- This privacy notice also tells you about your privacy rights and how the law protects you. We have a legal duty under the Data Protection Act 2018 (“DPA 2018”) and General Data Protection Regulation (Regulation EU 2016/679) ("the GDPR") to handle your information in certain ways.
- This privacy notice is provided in a layered format so you can click through to the specific areas set out below.
- Please take your time to read this privacy notice carefully.
About us
In this Privacy Policy we use "we" or "us" or "our" or "Berkshire Healthcare" to refer to Berkshire Healthcare NHS Foundation Trust (which is a statutory public benefit corporation established under the National Health Service Act 2006 (as amended)).
Our data protection officer and how to contact us
Berkshire Healthcare NHS Foundation Trust ("Berkshire Healthcare") is the data controller for the information we collect about you.
The Data Protection Officer ("DPO") for Berkshire Healthcare is the Associate Director of Information Governance. If you have any questions about this privacy notice, please contact the Data Protection Officer using the details set out below:
Email information.governance@berkshire.nhs.uk
Postal address:
Information Governance Team
Berkshire Healthcare NHS Foundation Trust
London House
London Road
Bracknell
RG12 2UT
Call 0300 365 6565
Changes to this privacy notice and your duty to inform us of changes
This privacy notice was last updated on 24 May 2018 and historical versions can be obtained by contacting us. It is important that the personal data we hold about you is accurate and current. This is of particular importance if you are a patient.
Please keep us informed if your personal data changes during your relationship with us.
Complaints about how we handle your information
You have the right to make a complaint at any time to the Information Commissioner's Office ("the ICO"), the UK supervisory authority for data protection matters.
Call 0303 123 1113
We would however appreciate the chance to listen to your concerns before you approach the ICO, so please contact us in the first instance. Your feedback helps us to continue improving our services.
You can find our complaints policy, and details about how to send a complaint to us on our website.
Contact us to make a complaint
This privacy notice aims to explain:
- Why do we collect data about you?
- What data do we collect about you?
- How do we collect your information?
- What are the purposes for which your data is used?
- Who do we share your data with?
- How long do we keep your data for?
- What are your rights?
Why do we collect data about you?
- In general terms, we collect and process your data for the purposes of healthcare. We will collect and process data for other purposes, including those which are incidental to the provision of healthcare and for research purposes
- As a patient, we want to provide you with the highest quality of healthcare. To do this we need to keep certain records about you, your health and the care we have provided, or plan to provide to you
What data do we collect about you?
- As a patient, we may use “sensitive personal information” (otherwise known as "special categories of data") about you, such as information relating to your physical and mental health
- If you provide personal information to us about other individuals you should inform the individual about the content of this privacy notice. We will process such information in accordance with this privacy notice
Personal information
As a patient of Berkshire Healthcare, the personal information we hold about you may include the following:
- Name, address, date of birth. We will collect your name, address and date of birth to enable us to send you letters about your care such as appointment letters and visit you if you require appointments at your home, such as with our District Nursing Services
- Telephone numbers. We will collect contact telephone numbers for you which will be used to contact you about your care
- Next of kin / emergency contact. We may collect details of your next of kin as a person you would like to be contacted in an emergency
Sensitive Personal Information
As a patient of Berkshire Healthcare, the sensitive personal information we hold about you may include the following:
- Details of your current or former physical or mental health. This may include information about any healthcare you have received or need, including about clinic and hospital visits and medicines administered. We provide further details below about our handling of such information
- Details of services you have received from us
- Information relevant to your continued care from other people who care for you or know you well, such as other health professionals and relatives
- Details of your race and/or ethnicity
- Details about any disabilities
- Details about your language preferences
- Details of your religion
- Details of any genetic data or biometric data relating to you
- Data concerning your sex life and/or sexual orientation
The confidentiality of your medical information is of paramount importance to Berkshire Healthcare. We therefore make every effort to prevent unauthorised access to and use of information relating to your current or former physical and mental health. In doing so, Berkshire Healthcare complies with UK data protection law, including the Data Protection Act 2018 (DPA 2018) and the GDPR, and medical confidentiality guidelines issued by professional bodies such as the General Medical Council and the Nursing and Midwifery Council.
How do we collect your information?
- As a patient, we will collect personal data from you in a number of different ways as is explained below
Directly from you
As a patient, information may be collected directly from you when:
- you submit a query to us including through our website, by email or by social media
- you correspond with us by email, telephone or social media
- you enrol as a patient with Berkshire Healthcare for the provision of healthcare services
- you use those services
- you complete forms (whether in electronic or hard copy form) regarding the provision of healthcare services
From your use of our website
- We will not use cookies to collect personally identifiable information about you
From other healthcare organisations
- As a patient, information may be collected from other healthcare organisations as follows:
- medical records from your family doctor, your GP
- medical records from other NHS organisations (including Oxford University Hospitals NHS Foundation Trust, Royal Berkshire Hospital NHS Foundation Trust and Frimley Health NHS Foundation Trust)
- Medical records include information about your diagnosis, clinic and hospital visits and medicines administered
From third parties
Information may be collected from third parties as follows:
- You are referred to us for the provision of services including healthcare services
- We liaise with your current or former family, employer, health professional or other treatment or benefit provider
- We liaise with your insurance policy provider
- We deal with experts (including medical experts) and other service providers about services you have received or are receiving from us
- Government bodies, including local authorities and the police
From publicly available sources
- Information may be collected from publicly available sources including information obtained through internet search engine results and social media sites
- In general, we may process your data for a number of different purposes. For each purpose we must have a legal ground for such processing. When the information that we process is classed as a special category of personal data, which is the most sensitive form of personal data from a legal perspective, we must have a specific additional legal ground for such processing.
Generally we will rely on the following legal grounds:
- Taking steps at your request so that you can enrol as an NHS patient or non-NHS patient in order to receive healthcare and related services from us
- For the purposes of providing you with healthcare. We will rely on this for activities such as supporting your medical treatment or care and other benefits, supporting your doctor, nurse, carer or other healthcare professional and providing other services to you
- We have a legitimate interest to process your personal data and this interest is not overridden by your privacy rights. We will rely on this for activities such as quality assurance, maintaining our business records and developing and improving our products and services. More detailed information about our legitimate interests is set out below
- We have a legal or regulatory obligation to process your data
- We need to use your personal data to establish, exercise or defend our legal rights
- It is in the public interest, in line with any laws that apply
- You have provided your consent to our use of your personal data. Ordinarily, we will only ask you for permission to process your personal information if there is no other legal reason to process it. You have the right to withdraw your consent at any time
Legitimate interests
We may process your data for a number of legitimate interests in circumstances where these interests are not overridden by your privacy rights. We will rely on this for activities such as quality assurance, maintaining our business records and developing and improving our products and services. Taking into account your privacy rights, our legitimate interests include:
- To manage our relationship with you and third parties who provide services for us
- To keep our records up to date
- To monitor how well we are meeting your clinical and non-clinical performance expectations
- To take part in, or be the subject of, any transfer or termination of functions in respect of Berkshire Healthcare
You will find details of our legal grounds for each of our processing purposes below.
Purpose 1: To set you up as a patient on our systems including carrying out any regulatory checks or checks required by law
Legal grounds:
- Taking the necessary steps so that you can enrol as an NHS patient with us for the delivery of healthcare-related services
Additional legal ground for sensitive personal data:
- The use is necessary for reasons of substantial public interest
- The use is necessary for the purposes of preventative or occupational medicine
Purpose 2: To provide you with healthcare and related services
Legal grounds:
- Providing you with healthcare and related services
Additional legal ground for sensitive personal data:
- The use is necessary for reasons of substantial public interest
- The use is necessary for the purposes of preventative or occupational medicine
- The use is necessary to protect your vital interests where you are physically or legally incapable of giving consent
Purpose 3: Communicating with you and resolving any queries or complaints that you might have. Communicating with any other individual that you ask us to update about your care
Legal grounds:
- Providing you with healthcare and related services
- We have a legitimate interest to use your data which does not overly prejudice you
Additional legal ground for sensitive personal data:
- The use is necessary for the purposes of preventative or occupational medicine
- The use is necessary in order for us to establish, exercise or defend our legal rights
Purpose 4: Complying with our legal or regulatory obligations
Legal grounds:
- The use is necessary in order for us to comply with our legal obligations
- We have a legitimate interest to use your data which does not overly prejudice you
Additional legal ground for sensitive personal data:
- The use is necessary for the purposes of preventative or occupational medicine
- The use is necessary in order for us to establish, exercise or defend our legal rights
- The use is necessary for reasons of substantial public interest
Purpose 5: Providing improved quality, training and security (for example, in relation to recorded or monitored phone calls to our contact numbers)
Legal grounds:
- We have a legitimate interest to use your data which does not overly prejudice you
Additional legal ground for sensitive personal data:
- The use is necessary for the purposes of preventative or occupational medicine
- The use is necessary in order for us to establish, exercise or defend our legal rights
- The use is necessary for reasons of substantial public interest
Purpose 6: Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (for example, tax or legal advice)
Legal grounds:
- We have a legitimate interest to use your data which does not overly prejudice you
Purpose 7: For medical research purposes
Legal grounds:
- We have a legitimate interest in helping with medical research and have put appropriate safeguards in place to protect your privacy.
Additional legal grounds for sensitive personal information:
- The processing is necessary in the public interest for statistical and scientific research purposes.
- You have provided your consent.
We may disclose your information to the third parties listed below for the purposes described in this privacy notice.
- A doctor, nurse, carer or any other healthcare professional involved in your treatment.
- Other members of support staff involved in the delivery of your care, like receptionists and porters.
- Anyone that you ask us to communicate with or provide as an emergency contact, for example your next of kin, carer, or your legal adviser.
- NHS organisations, such as other NHS foundation trusts.
- Other healthcare providers.
- Third parties who assist in the administration of your healthcare, such as insurance companies.
- Your GP or those GPs involved with your care.
- Our regulators, including the Care Quality Commission, and for the purpose of our clinical audits.
- Other bodies involved in the management of the NHS, including the NHS Counter Fraud Authority.
- Government bodies, including departments (such as the Department for Work and Pensions) and local authorities.
- Schools and other educational providers in connection with healthcare related matters.
- Emergency services, including police forces.
- HM Prison Service and the National Probation Service.
- The police and other third parties where reasonably necessary for the prevention or detection of crime.
- Our third party services providers such as auditors, lawyers and document management providers.
- Selected third parties in connection with any transfer or termination of our functions.
Where we regularly share information, we are required to have in place information sharing agreements. We provide further details on our information sharing agreements on our General Privacy Notice.
As a patient, we may share your information to a digital clinical application which is accessible by our partner organisations (such as Royal Berkshire Hospital) as part of the "Share Your Care" projects. Our sharing will be carried out without your consent. You have the right to opt out of having your information shared in this way. For more information on Share Your Care please visit www.shareyourcareberkshire.org.
[In some circumstances we may also anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.]
International transfers
We do not transfer your personal data outside the European Economic Area ("EEA").
- We will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this privacy notice and in order to comply with our legal and regulatory obligations.
- As a patient of Berkshire Healthcare, information relating to your current or former healthcare will be retained in accordance with our medical retention policy which is available on request. In summary, we will retain medical information in accordance with the Records Management Code of Practice for Health and Social Care 2016 published by Information Governance Alliance (IGA) on behalf of the Department of Health and Social Care (see here [insert link]).
- Non-clinical information is retained in accordance with our retention policy which is available on request.
- Where your records are stored electronically Berkshire Healthcare has ensured that the storage facilities are secure and in line with Information Security principles (ISO27001) within the United Kingdom or EEA.
Under certain circumstances, you have rights under data protection law in relation to your personal data. These are:
- To be informed why, where and how we use your information – this is detailed in this privacy notice statement.
- To ask for access to your information – You can request a copy of the information we hold about you by downloading this form. The information will be assessed and may have information provided by third parties or about third parties removed before it is given to you. The Berkshire Healthcare Subject Access Request policy is available by contacting the DPO at the address on this page.
- To ask for your information to be corrected if it is inaccurate or incomplete – If you think any information about you held by Berkshire Healthcare is incorrect, please discuss this with the service you are accessing either in person when attending an appointment, or contact the DPO. We will discuss the changes with you and write to you to explain our decision.
- To ask for your information to be deleted (also known as the right to erasure) or removed where there is no need for us to continue processing it. In some circumstances, we must delete your personal information if you ask us to but in many other circumstances where we have a valid legal reason to retain your personal information we do not have to comply with requests to delete personal information.
- We will not usually delete healthcare related data before the expiration of any relevant retention period (see above). We may also need to retain data for regulatory purposes. We do not have to comply if we need to retain your personal information in case you make a legal claim against us.
- To ask us to restrict the use of your information. In some circumstances, we must "pause" our use of your personal data if you ask us to. We do not have to comply with all requests to restrict our use of your personal information. For example, we do not have to comply if we need to use your personal information to defend a legal claim against us.
- To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information. In some circumstances, we must transfer personal information that you have provided to us to you or, if this is technically feasible, another individual or organisation of your choice. The information must be transferred in an electronic format.
- To object to how your information is used – Where your identifiable information is used for research or statistical purposes you can object to it being processed for this purpose. Please make requests in writing to the Data Protection Officer or to the Berkshire Healthcare service you have used advising what changes you would like. Berkshire Healthcare does not participate in direct marketing and will never pass your information to anyone for this purpose.
- To challenge any decisions made without human intervention (automated decision making) – Information about your health may be entered into clinical applications to provide health recommendations but we will never carry out automated decision making that prevents healthcare or requires you to enter into a legal contract.
- To withdraw consent where Berkshire Healthcare has relied on this as a condition for processing.
If you wish to exercise any of the rights set out above, please contact us using the details here.
Fee
- You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
- We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
- We are obliged by law to respond to all legitimate requests within one month unless your request is particularly complex or you have made a number of requests. In this case, we can take an extra two months to respond to the request and consider charging a fee. If this is the case, we will notify you and keep you updated.
The National Data Opt-Out is a service that enables you to register to opt out of your confidential patient information being used for purposes beyond your direct care and treatment.
The national data opt-out applies to the use of confidential patient information for research and national NHS planning purposes.
The national data opt-out does not apply where:
- Data is shared for your individual or direct care
- There is a risk to public health or data is required for monitoring and control of infectious diseases, for example during an epidemic
- There is an overriding public interest, for example: reporting of gun wounds in line with GMC guidance
- There is a legal requirement to share information, for example: investigations by regulators of professionals (e.g. General Medical Council investigating a registered doctor’s fitness to practice); NHS fraud investigations; notification of food poisoning
- You have consented to take part in a specific project
- Anonymised data is used
You can change your national data opt-out choice at any time.
Further details about opting-out can be found on the NHS Digital Website.
Visit the NHS Digital website to learn more about the National Data Opt-Out service