This privacy notice explains how Royal Papworth Hospital NHS Foundation Trust (‘Royal Papworth Hospital’) processes the data that it holds on its patients, in line with relevant legislation, including but not limited to:
- The Data Protection Act 2018
- the General Data Protection Regulations 2018
- Access to Health Records Act 1990
- Freedom of Information Act 2000
- Health and Social Care Act 2015
- Common Law Duty of Confidentiality
- Records Management Code of Practice
- Human Rights Act 1998
Royal Papworth Hospital is a specialist cardiothoracic hospital, dedicated to providing the best possible care to its patients, who are referred from across the country. In order to provide this service and to provide ongoing care after discharge, whether to home, another hospital, or into the care of social services, we need to be able to process and share your data appropriately.
In order to ensure compliance whilst doing this, we are monitored by a variety of bodies including but not limited to:
- NHS England
- the Information Commissioner’s Office
- the Department of Health
- the Care Quality Commission
- NHS Digital
How we collect your information
Your information can come to us in a number of different ways, including a referral from your GP or other healthcare organisation, or directly from you when collected here at the hospital or via a form we have asked you to complete. On rare occasions the information may come from other individuals, such as a next-of-kin, if you are admitted to us in a condition that leaves you unable to provide the information yourself.
What information do we collect?
The information we collect and hold about you may include, and is not limited to, any or all of the below:
- Your name, address and contact details, or those of the next-of-kin you wish us to use
- Records of any interaction you have had with the hospital with regards to attendances and appointments
- Details of any care we have provided, care you have received from other healthcare organisations, and information regarding your health in general, such as previously existing conditions and allergies etc
- Other information that we have been provided with from third parties who have been involved in your care
- This information may be in various formats including paper, electronic, or images such as x-rays or scans
We also collect other information about you, such as your sexuality, race, ethnic origin, religious beliefs, disability status and whether you have any additional support needs such as language assistance. This information is often vital to ensure that care is provided adequately, efficiently and in line with your wishes.
Why do we collect and store your information?
Your information is collected and stored in order to ensure that the health care we provide is appropriate and that follow-up care, medication provision, home care support etc is provided adequately and effectively. We have a clear legal basis (provision of healthcare) for the collection and storage of this data under the GDPR legislation.
The use of this data throughout the hospital is vital to ensure that the right decisions are made about your care, that your treatment is safe and effective, that ongoing healthcare provision is seamless and can be planned in advance to meet your needs.
This data is also important in helping us to evaluate patient safety and care, ensuring that our services can be planned to meet the service needs of future patients, to allow us to evaluate healthcare and develop new treatments, prepare statistics on NHS performance and how we spend public money. This allows evaluation of the NHS and associated government policies as a whole, which in turn supports the health programme for the general public.
Who do we share your data with?
There are occasions when we will need to share your data with others to ensure that the care we provide is the best it can be; however, this is governed by specific regulations to ensure that we do so safely.
For the provision of healthcare
It is unlikely that your care will solely be supplied by the Royal Papworth Hospital. We therefore may need to share your data with other NHS organisations such as your GP, your local hospital or other support organisations who are best placed to look after you once you leave our care.
We may also need to share your information with support organisations outside of the NHS, such as your local authority, social services, private healthcare companies and other support organisations in either the private or voluntary sectors.
If we are sharing your information outside of the NHS environment we will gain consent where possible and appropriate, and will ensure that those organisations have the correct security in place to keep your data safe.
Sharing with other organisations
In rare instances, where allowed or compelled by law, we may share your data with third parties such as the police (on receipt of a formal request for the detection or prevention of a serious crime), a court of law, or debt collection agencies if you are a private patient and have failed to settle your bill.
The Department of Health also requires us to send information which is held securely by them. This information is used to analyse the efficiency and financial stability of the NHS across the country. Similarly, we may be subject to independent audit which would require us to provide information on a random selection of patients to ensure the efficacy of our treatment and financial accounting. This data is supplied in anonymous format where possible but in some circumstances it must be in identifiable format, such as when the effectiveness of the patient journey throughout the NHS is being scrutinised.
Other uses for your data
Royal Papworth Hospital is a specialist environment noted for the development of innovative new technologies and treatments in the field of cardiothoracic medicine, and as such we encounter many rare and interesting health conditions within our patient demographic. In order to ensure that our patient care remains world-class and that the methods we use are disseminated throughout the NHS, we engage proactively in training medical staff. The information contained within your health record may be used to inform such teaching, including images, videos or scans; however, these will always be anonymous unless we have gained your explicit consent.
The Trust also has an active research and development department and there may be studies which you are eligible to participate in. You will never be entered into any study or research without your full knowledge and explicit consent.
Both internal and external audits are undertaken to ensure the care we provide meets the standards and guidelines we are tasked to comply with and this may require us to provide patient data; this data will be anonymized wherever possible and will only be provided in identifiable format when no other option is possible.
You have the right to opt out of your data being shared with other authorised professionals or to withdraw your consent; however, this may lead to ongoing care being misinformed or some treatment options not being available to you. You may also opt out of your data being used for the mandatory audits described above by contacting the Health Records Department and stating your wishes.
Storing your data
We will ensure that your data is stored safely and in line with guidelines. We are legally obliged to retain health records for retention periods specified in the Records Management Code of Practice, which can be found here. The retention periods listed within this document are the minimum time frames we must adhere to; some records are kept for longer where there is a robust and documented reason to do so.
Subject Access Requests
You have the right to request access to any information that we hold about you. This is called a Subject Access Request and can be carried out by contacting the Health Records Department who will provide you with the appropriate form to complete. Once we have received your written request and proof of identification, the Trust is legally obliged to provide the information you have requested free of charge within one calendar month.
Using our website
If you provide us with information via our website, for example when submitting an FOI request, completing the CPD sign up form or giving us feedback, we will only use this information for the purpose for which it was provided, such as to provide you with a response or register you for training.
Foundation Trust Members
Becoming a Foundation Trust Member means that we will need to hold your name and contact details in order to communicate with you. We may need to share your data securely with our partners in order for you to receive information about our annual elections or email newsletters with information about the hospital.
We are only legally allowed to process your data if you consent for us to do so. However, if you do not give your consent for us to hold your data we will not be able to communicate with you. If you provide your email address, we will send you occasional email newsletters with information about the hospital.
Once you become a Foundation Trust Member you will remain so until you ask to leave. If at any point you would like to opt out of being a Foundation Trust Member, please let us know and we will remove your data from our systems.
Queries or complaints
If you have any concerns regarding the data we hold about you or the methods we use for storing or processing that data, please address your questions in the first instance to the Information Governance Manager, who is also the Data Protection Officer for the Trust, at firstname.lastname@example.org, or contact the Patient Advice and Liaison Service on email@example.com.
If, after contacting one of the above, you do not feel your issue has been adequately addressed, you can contact the Information Commissioner’s Office; however, they will not normally address a complaint until you have complained directly to the organisation concerned and allowed them to respond:
Information Commissioner’s Office
Wycliffe House, Water Lane,
Phone: 0303 123 1113