Patient Privacy Notice
At Birmingham Community Healthcare NHS Foundation Trust (BCHC), we collect and use information about you to provide safe, effective, and personalised care. We are committed to keeping your records accurate, confidential, and secure.
This notice explains how we use your information, your rights, and how we meet our legal obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
What information we collect
We may collect the following information about you:
- Personal details: name, address, contact details, NHS number, GP details
- Health records: diagnoses, treatment details, test results, reports
- Medication and allergies
- Emergency contact or next of kin
- Sensitive data: ethnicity, religion, sexual orientation, or criminal convictions (if relevant to care)
We may also receive information about you from other health and care providers to support your care.
We may also collect information to monitor our compliance with our legal obligations relating to equality and diversity.
This information is kept in both paper and electronic formats. To assist with the delivery of care, the Trust is moving towards wholly electronic patient records to facilitate the sharing of your information for your direct care.
When you arrive for an appointment, staff may check your details with you to ensure that our records are accurate. To assist with this, it is important that you notify us of any changes to your personal details (for example, address, contact number, next of kin).
Why we're allowed to use your data
We are legally allowed to use your data because:
- We are a public body delivering healthcare (NHS Act 2006, Health and Social Care Act 2012)
- We have a legal duty to provide care and maintain records
- Health data is classed as "special category data," which we process for reasons of public interest, medical diagnosis, or care provision
- We do not need your consent to use your information for care. However, if we need to use it for anything unrelated (like research or feedback), we may ask for your consent.
Who uses your information?
BCHC is the Data Controller, which means we decide how and why your information is used. Our staff use your data to deliver care, and we may also share it with trusted organisations when necessary. These partners are legally required to keep your data secure and confidential.
Legitimate interests
We may contact you for:
- Feedback about your care (surveys)
- Participation in research or clinical trials
- Services that may benefit your care
We may also have a legitimate business interest to provide your information to a third party, such as our solicitors or other professional advisers in defence of any legal claim against the Trust.
We may also need to provide your records or information to a third party where we have a legal obligation or regulatory requirement to do so, such as for the purposes of a review of patient care being undertaken by the Care Quality Commission (CQC) or other external regulatory body, or for the prevention and detection of crime or fraud.
How we use your information
We use your data to:
- Provide safe and effective care
- Support appointments and referrals (electronically and by paper), including if you need to be referred to another health professional or another part of the NHS or if you move to a different area
- Keep accurate medical records
- Monitor care quality and improve services
- Investigate complaints or incidents
- Receive payment for your care
- Arrange payment for the person who treats you
- Teach and train staff
- Support health research and development
- Audit NHS accounts and performance
- Prepare statistics or other performance data on the quality of care being delivered by the Trust
- Review the performance of contracts we have with any other care providers
- Contact you about participating in patient satisfaction surveys, patient experience groups and health research and development projects
- Monitor how we spend public money
Shared Care Record
We participate in the Birmingham and Solihull Shared Care Record, which allows professionals involved in your care to view relevant health and care information across local organisations. This includes professionals in:
- Birmingham and Solihull
- Coventry and Warwickshire
- Herefordshire and Worcestershire
Learn more at Birmingham and Solihull ICS Privacy Notice
Who we share information with
We may share your data with:
- GPs and other NHS trusts
- Social care providers
- NHS England and Department of Health
- Child Health Information Service (West Midlands). This is a regional programme covering the wider West Midlands area to support the transfer of child clinical records across the area
- The Health Research Authority (HRA). The HRA have published their own privacy statement for patients
- Legal bodies, auditors, or regulators (e.g. Care Quality Commission)
We only share what is necessary. Anyone receiving your information must keep it confidential.
If you have made a claim for compensation through the Infected Blood Compensation Authority (IBCA), BCHC may provide IBCA with relevant information from your medical records to support your claim. You can read more about how IBCA uses your information in the Infected Blood Compensation Authority Privacy Notice.
We may also share your data when required by law, for example:
- Preventing or detecting serious crime
- If ordered by a court
- When reporting infectious diseases
- Where there’s a serious risk of harm to you or others
We ensure all organisations we work with meet strict data protection standards. If your data is transferred outside the UK/EEA, we use approved safeguards.
Your rights
You have rights regarding your personal data:
- Access: see the information we hold about you (Subject Access Request); see the section ‘Accessing your information’
- Correction: ask us to fix incorrect or incomplete information
- Object: request that we stop using your data in some cases
- Withdraw consent: if you've given consent for something specific, you can withdraw it (in some cases)
- Data portability: ask to transfer your data to another provider (in some cases)
Please note, some rights may not apply to healthcare data.
Contact our Information Governance Team to find out more:
- Email: bchc.informationgovernance@nhs.net
- Phone: 0121 466 7058
What if I object to your processing of my information?
If, after viewing your records, you believe any information is inaccurate or incorrect, please inform us in writing and we will take steps to rectify any inaccuracies as quickly as possible, and within a maximum of one month.
You can also ask us to erase personal data where this is inaccurate; however, this does not apply to data which is being processed for the purposes of delivering healthcare.
You can also opt out of data use for non-care purposes at NHS National Data Opt-Out
Accessing your information
You have the right to apply for access to the information we hold about you, free of charge, whether it is stored electronically or on paper. This is known as a Subject Access Request (SAR).
Submit a SAR or contact our Information Governance (IG) team for help or to request formats like Braille or large print.
We may restrict access to information that:
- Refers to another person
- Might cause serious harm
- Is related to crime prevention
Keeping your information safe
We are committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in hard copy or electronic format. We protect your data through:
- Staff training on confidentiality and data protection
- Access controls (for example, smartcards, passwords)
- Keeping records of who accesses data
- Investigating any inappropriate access
- Secure storage of all paper and electronic records
- Following data protection laws and NHS guidance
Caldicott Guardian and Data Protection Officer
Caldicott Guardian
Within each NHS organisation there is a designated person named the ‘Caldicott Guardian’ whose responsibility it is to ensure that the organisation promotes the confidentiality of patient records and how they are handled within the organisation.
The Trust’s Caldicott Guardian is Dr Robi Deddie, Medical Director.
Data Protection Officer (DPO)
As a public authority, the Trust is required to appoint a Data Protection Officer, whose role it is to ensure that the Trust has in place appropriate mechanisms and procedures to protect your information and to ensure that personal data is processed lawfully within the Trust.
The Trust’s DPO is Michael Morgan-Bullock, Head of Legal and Information Governance:
- Email: bchc.dpo@nhs.net
- Post: Data Protection Officer, Information Governance, BCHC, 3 Priestley Wharf, Holt Street, Birmingham B7 4BN
Questions or concerns
If you have any concerns about how your information is being processed, please contact the Trust’s Data Protection Officer in the first instance using the details provided above.
You can also raise concerns directly with the UK’s information regulatory authority, the Information Commissioner’s Office (ICO):
- Website: www.ico.org.uk
- Phone: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF