Patient Privacy Notice
Coronavirus (COVID-19) – update to our Patient and Public Privacy Notice
The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
In light of the current pandemic the Trust wishes to make its patients and the wider public aware as to how it will be using personal data concerning patients in its care. It is publishing this update to its existing Privacy Notice on a temporary basis whilst the current outbreak is ongoing.
Coronavirus (COVID-19) – who we will share information with:
Information about Trust patients’ coronavirus (COVID-19) status may be shared with NHS and other partners involved in their care and treatment, along with:
- NHS England
- Public Health England
- the Department of Health
- Other government departments where it's legally required, or where it's necessary for the protection of public health or management of the outbreak.
We may also use the details we have for you to send you urgent updates by phone, text or email, or by post if necessary.
The lawful basis is GDPR Article 6(1)(c), compliance with a legal obligation, or Article 6(1)(e), that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (the provision of statutory health care services).
The exemptions in GDPR Article 9(1)(g) and 9(2)(h) will be applied, that processing is necessary for matters of substantial public interest or for the management of health care systems. The conditions in paragraphs 2 (management of health care systems), 3 (public health) and 6 (statutory and government purposes) of schedule 1 of the Data Protection Act 2018 are engaged.
In addition, existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital, NHS England and Improvement, Arm’s Length Bodies (such as Public Health England), local authorities, health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak.
The Secretary of State for the Department of Health and Social Care has served notice under the Health Service (Control of Patient Information) Regulations 2002 requiring health and social care organisations to share and disseminate confidential patient information with other organisations where that information is required to be processed for a purpose relating to the Covid-19 outbreak. This notice will continue until 31 March 2022, prior to which it will be reviewed. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.
What information do we collect from you?
Records which this Trust may hold about you may include the following:
- Details about you, such as your address and next of kin
- Any contact the Trust has had with you, such as appointments, clinic visits, emergency appointments, etc
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations, such as laboratory tests, x-rays, etc
- Relevant information from other health professionals, relatives or those who care for you.
During this period of emergency we may offer you a consultation via telephone or videoconferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves.
We may also need to collect data from you for the purposes of research into the UK’s Covid-19 response which may involve providing that data to third parties for the purposes of undertaking analytics and other data monitoring techniques to process your data. All the data held by the NHS and any third parties working with the NHS as part of its Covid-19 response is subject to strict controls that meet the requirements of data protection legislation.
National Data Opt-Outs
During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected.
Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests and Freedom of Information requests.
As part of its response to the wider outbreak the Trust will continue to comply with all its other obligations concerning the processing of your data in accordance with the Data Protection Act 2018 and GDPR.
How we manage and protect information about you
Birmingham Community Healthcare NHS Foundation Trust (BCHC) collects information about you to help us give you the best possible care. Our aim is to maintain full and accurate records of the care we provide for you and keep this information confidential and secure.
This privacy notice has been updated to reflect some of the changes in data protection legislation brought about by the General Data Protection Regulation (GDPR) 2016 and the Data Protection Act 2018. It also tells you how you can access information relating to your healthcare.
What information do we collect?
We collect information about you such as your name, address, NHS number, GP and contact details (including your email address and mobile number where you have provided these) alongside any health related information required for the delivery of health care services, for example:
- Details and records of treatment and care, including notes and reports about your physical or mental health
- Results of X-rays, blood tests and diagnosis;
- Information on medication or any allergies;
- Any other relevant contact details, for example a family member.
We may also collect personal sensitive information such as your ethnicity, religion, sexuality, and any criminal convictions (where relevant) so that we can build up a complete picture of you in order to enable our staff to provide you with the best care possible and to effectively deliver your treatment and care needs.
We may also receive written or electronic information about you from other health and social care providers in order to support the care you receive from us. This will enable us to provide the appropriate care and treatment that you need. We also collect information to monitor our compliance with our legal obligations relating to equality and diversity.
This information may be recorded in writing (i.e. in your medical notes), or electronically on a computer or other electronic device, or a mixture of both. To assist with the delivery of care, the Trust is moving towards wholly electronic patient records in order to facilitate the sharing of your information for your direct care.
When you arrive for an appointment, staff may check your details with you to ensure that our records are accurate. To assist with this, it is important that you notify us of any changes to your personal details (e.g. address, contact number, next of kin).
Who processes your information?
BCHC is the data controller in respect of your personal data for the provision of health care services. This means that the Trust determines the purposes for which, and the manner in which your personal data may be processed. We may also engage in the processing of your data in order to deliver healthcare and carry out other functions to deliver our services, or we may engage other organisations to process your data on our behalf (see “Do we share information with anyone” below).
On what basis are we entitled to process your information?
As a public body, BCHC is lawfully permitted to process your information as there is a legal obligation for us to do so under various legislation, including the NHS Act 2006 and the Health and Social Care Act 2012, among others. It also processes your information as a public authority acting in the public interest. Information about your health or care is known as “Special Category Data” under the data protection legislation and the Trust is lawfully entitled to process this data as a public authority for the purposes of providing you with care and when undertaking health research. The Trust does not therefore need your consent to process your personal data. However, you do have the right to say “no” to our use of your information but this could have an impact on our ability to provide you with care.
There may be times where we may process your data in ways that are unrelated to your healthcare (described in the next section). This is known as a legitimate interest. These instances will be related to either our business or providing you with a service or benefit which we consider may be of assistance to you. For example, we may seek to contact you in relation to:
- undertaking a survey to understand your experiences of care you or a relative may have received, whether directly or via market testers acting on our behalf;
- in relation to whether or not you may wish to take part in any clinical trial or other research project;
- whether or not there are any products or services the Trust offers which we consider may be of interest or benefit to you.
We may also have a legitimate business interest to provide your information to a third party, such as our solicitors or other professional advisers in defence of any legal claim against the Trust.
We may also need to provide your records or information to a third party where this is a legal obligation or regulatory requirement on us to do so, such as for the purposes of a review of patient care being undertaken by the Care Quality Commission or other external regulatory body, or for the prevention and detection of crime or fraud.
How do we use the information we collect to help you?
We may use the information we collect to help us provide services to you in the following ways:
- Doctors, nurses or healthcare professionals involved in your care need accurate and up-to-date information about you to assess your health and deliver the care you need;
- To ensure information is available if you need to be referred to another health professional or another part of the NHS or if you move to a different area;
- To assess the type and quality of care you have received and require in the future;
- To support clinic and treatment appointments by sending you electronic and/or paper-based appointment reminders;
- To receive payment for your care;
- To ensure your concerns can be properly investigated if you are unhappy with the care you have received
Your information may also be used to help us:
- Review the care we provide to ensure it is of the highest standard;
- Audit NHS accounts and services;
- Arrange payment for the person who treats you;
- Prepare statistics or other performance data on the quality of care being delivered by the Trust;
- Review the performance of contracts we have with any other care providers;
- Investigate incidents, complaints or legal claims;
- Conduct health research and development;
- Make sure our services can meet patient needs in the future;
- Teach and train healthcare professionals;
- Contact you for your participation with patient satisfaction surveys, patient experience groups and health research and development projects;
- To monitor how we spend public money.
Do we share information about you with anyone?
Birmingham and Solihull Shared Care Record - BCHC works with other health and social care organisations to share information that will form part of your Shared Care Record. The Shared Care Record allows health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you. Information we hold about you will be available, to read only, to other health and care professionals in Birmingham and Solihull, Coventry and Warwickshire, and Herefordshire and Worcestershire when they are involved in your health or social care.
For more information on how your data is used on the Shared Care Record and how to exercise your rights please see the full Privacy Notice or copy and paste this link https://www.livehealthylivehappy.org.uk/birmingham-and-solihull-shared-care-record/
There are times when it is appropriate for us to share information about you and your healthcare with others. We may lawfully share your information with the following main partners:
- Other NHS trusts and other healthcare providers;
- Department of Health;
- NHS England;
- Child Health Information Service (this is a regional programme covering the wider West Midlands area to support the transfer of child clinical records across the area);
- NHS Digital – an organisation that utilises technology and information systems to support the delivery of patient care across the NHS;
- Health Research Authority – we share personal data with the HRA to support research in health and care. The HRA have published their own privacy statement for patients.
We may also need to share your information with other non-healthcare organisations, where it is required in compliance with legal duties. For example, where you are receiving care from a local authority, we would need to share your information with a social worker to support the provision of your care. Other occasions where we may need to share your information include:
- Reporting some infectious diseases;
- To help prevent, detect or prosecute serious crime;
- If a court orders us to do so;
- When you have expressly agreed – e.g. for an insurance medical;
- Registering births or deaths;
- If there is an overriding concern that you may be putting either yourself, another person (including a health or social care professional) or a child at risk of harm.
Where we share information with non-healthcare organisations we may request that they enter into an information sharing agreement to ensure that the information we share with them is handled appropriately and complies with relevant legislation. The information from your patient record will only be used for purposes that benefit your care. In all cases where we must pass on health care related information, we will only share the minimum amount of information required. Anyone who receives information from us also has a legal duty to keep it confidential.
For any transfer of data outside the UK / EEA, we will make sure that appropriate safeguards are in place to ensure an appropriate level of protection of your data prior to any transfer. Any such transfer will need to be approved by the Trust’s Data Protection Officer.
If you need further information on how we might share your data please email our Data Protection Officer at the contact details below.
If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 gives you certain rights, including the right to:
- request access to the personal data we hold about you, e.g. in health records (see "How You Can Access Your Personal Information" below)
- request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards.
- object to the sharing of your health records and your personal information - under the Data Protection Act 2018, we are authorised to process, i.e. share, your health records "for the management of healthcare systems and services"; however, under certain circumstances you may also have the right to "object" to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment (see link to the National Opt-Out Programme below);
- In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time
- request your personal information to be transferred to other providers on certain occasions.
We will always try to keep your information confidential and only share information when absolutely necessary. We have procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How You Can Access Your Information
You have the right to apply for access to the information we hold about you, free of charge, whether it is stored electronically or on paper. This is known as a Subject Access Request (SAR). We have a duty to provide your information in a format that is accessible to you (e.g. large print or Braille) and in a way that you can understand, explaining any abbreviations where necessary.
Your request must be made in writing and we may ask you to provide proof of identity before we can disclose personal information. Any request for a SAR should be emailed to firstname.lastname@example.org. Please include the words “Subject Access Request” in the subject line of your email.
In certain circumstances your right to see some details in your health records may be restricted, for example if the information refers to someone else who hasn’t given their permission, or could cause physical or mental harm to you or someone else (including any health or social care professional) were it to be disclosed; or if the information is being used to detect or prevent crime.
What if I object to your processing of my information?
After having viewed your records, if you believe any information is inaccurate or incorrect, please inform us of this in writing and we will take steps to rectify any inaccuracies as quickly as possible and within one month maximum.
You can also ask us to erase personal data where this is inaccurate; however, this does not apply to data which is being processed for the purposes of delivering healthcare.
You have the right to object to us sharing your information (although this right is not an absolute right – see below). You may also opt out of organisations using your data where it is being used for purposes other than care and treatment through the NHS National data opt-out service.
How We Keep Your Information Safe
We are committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in hard copy or electronic format. We protect your information in the following ways:
Training - Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community. Staff are also obliged to undertake online training in data security and confidentiality on an annual basis to demonstrate that they understand and are complying with Trust policies on confidentiality.
Access controls - Any member of staff being given access to national systems holding patient information will need a special access card called a smartcard, along with a username and password. Many of our local systems also require smartcard access. Staff only have access to patient identifiable information where it is relevant and necessary for them to do so.
Audit trails - We keep a record in the newer electronic record systems of anyone who has accessed a health record or added notes to it. Some of the older computer systems only record who has amended a record.
Investigation - If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.
Records Management - All healthcare records are stored confidentially in secure locations.
Legislation - There are laws in place to protect your information, including the General Data Protection Regulation 2016, the Data Protection Act 2018 and the Human Rights Act 1998. There is also a common law duty of confidentiality. Under the NHS Code of Conduct on Confidentiality all staff are required to protect information and only share what is necessary and proportionate and take steps to protect your confidentiality.
Caldicott Guardian - Within each NHS organisation there is a designated person named the ‘Caldicott Guardian’ whose responsibility it is to ensure that the organisation promotes the confidentiality of patient records and how they are handled within the organisation.
The Trust’s Caldicott Guardian is Dr Doug Simkiss, Medical Director.
Data Protection Officer (“DPO”) – As a public authority, the Trust is required to appoint a Data Protection Officer, whose role it is to ensure that the Trust has in place appropriate mechanisms and procedures to protect your information and to ensure that personal data is processed lawfully within the Trust.
The Trust’s DPO is Michael Morgan-Bullock, Head of Legal Services, who may be contacted at the following details:
- Email: email@example.com
- Post: Data Protection Officer, Information Governance, Birmingham Community Healthcare NHS Foundation Trust, 3 Priestley Wharf, Holt St, Birmingham, B7 4BN
Information Commissioner's Office
For further advice, or to report a concern directly to the UK’s information regulatory authority, contact:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Tel: 0303 123 1113.