What Happens to my Information?

Data Controller: Royal Wolverhampton NHS Trust

The General Data Protection Regulation 2016 (GDPR) is the biggest change in data protection law for 20 years. It applies from 25th May 2018 and will allow greater transparency and control over the way in which your personal data is used. Personal information can be anything that can be used to identify you. This notice is a statement by the Trust to detail the ways in which we use, disclose, and manage your information. It fulfills a legal requirement to inform you as the patient as to what happens with your personal information and what rights you have in relation to such data.

The Trust provides its services from the following locations:

  • New Cross Hospital – Secondary and Tertiary Services, Maternity, Emergency Department, Critical Care and Outpatients.
  • West Park Hospital – Rehabilitation Inpatient and Day Care Services, Therapy Services and Outpatients.
  • More than 20 Community sites – Community Services for Children and Adults, Walk in Centres and Therapy and Rehabilitation Services.
  • Cannock Chase Hospital – General Surgery, Orthopaedics, Breast Surgery, Urology, Dermatology, and Medical Day Case Investigations and Treatment (including Endoscopy).
  • Primary care vertical integration GP Partnerships – As of 1st July 2018, nine GP Practices are now part of the Trust which will see RWT directly responsible for the delivery of care as listed below

Our Vertical Integration practices

At RWT we aim to provide you with safe and effective care to the highest standards. To do this your doctor and the team of health professionals caring for you will keep records about your health and any care you receive from the Trust. These are called your Health Records and may be stored in paper form or on computer systems. They may include:

  • Basic details such as your name, address, date of birth, NHS number, gender, next of kin, and ethnicity
  • Details of your hospital appointments/visits
  • Notes and reports about your health, treatment and care 
  • Results of x-rays, scans and laboratory tests 
  • Relevant information from people who care for you and know you well, such as health professionals and relatives    

It is very important that your personal details are accurate and up to date and we will often check with you at appointments or visits that these details are correct.

Why do we collect information about you?
To help in providing you with care:

  • Accurate up to date information helps us provide the right care
  • Full information is available should you see another doctor, or be referred to a specialist or another part of the NHS

To help the NHS:

  • Prepare statistics on NHS performance
  • Audit NHS services
  • Monitor how we spend public money
  • Plan and manage the health service
  • Teach and train healthcare professionals
  • Conduct health research and development


As a data controller the Trust must establish and publish the lawful basis that is relied on for processing personal data and data that falls into special categories (sensitive data). The following table indicates the main legal basis that the Trust is relying on for its processing activities.

Generally most of the processing we carry out is to deliver your care and is covered by the following legal provisions:

  • For the performance of a task carried out in the public interest or in the exercise of official authority, to deliver you a health care service
  • For medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

 The table details other reasons we may process and the reasons under the law that support this.

       
Each entry below gives the type of processing, the GDPR Article 6 condition for personal data, the GDPR Article 9 condition for special categories (sensitive data), and the statutory basis or other relevant conditions.

Lawful basis for direct care and administrative purposes

Type of processing: All health and adult social care providers are subject to the statutory duty to share information about a patient for their direct care. This would also include

(a) preventive or occupational medicine,
(b) the assessment of the working capacity of an employee,
(c) medical diagnosis,
(d) the provision of health care or treatment,
(e) the provision of social care, or
(f) the management of health care systems or services
(g) waiting list management
(h) performance against national targets
(i) activity monitoring
(j) local clinical audit

GDPR Article 6 condition for personal data: 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

GDPR Article 9 condition for special categories (sensitive data): 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

6(1)(d) is available in life or death situations but should not be necessary for health or social care organisations to use in the performance of its tasks. This might apply in a situation where an organisation needs to act to prevent harm being caused by a patient or service user, to someone who has no relationship with the organisation.

Statutory basis or other relevant conditions:

  • NHS Trusts National Health Service and Community Care Act 1990
  • NHS England’s powers to commission health services under the NHS Act 2006 or to delegate such powers
  • 251B of the Health and Social Care Act 2012

Lawful basis for commissioning and planning purposes

Type of processing: Most national and local flows of personal data in support of commissioning are established as collections by NHS Digital either centrally, or for local flows by its Data Services for Commissioners Regional Offices (DSCRO).
Where the collection or provision of data is a legal requirement, for example where NHS Digital is directed to collect specified data, and can require specified organisations to provide it,

GDPR Article 6 condition for personal data: 6(1)(c) ‘…for compliance with a legal obligation…’

GDPR Article 9 condition for special categories (sensitive data): 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Statutory basis or other relevant conditions: Commissioners may receive personal data in support of commissioning where confidentiality is set aside by provisions under the Control of Patient Information Regulations 2002, commonly known as ‘section 251 support’. This support does not remove the need for GDPR compliance.

The commissioning of individually tailored services, or for example the approval of individual funding requests should operate on the basis of consent for confidentiality purposes.

Lawful basis for research

GDPR Article 6 condition for personal data: 6(1)(f) ‘…legitimate interests…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject…’

GDPR Article 9 condition for special categories (sensitive data): 9(2)(j) ‘…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or member State law which shall be proportionate…and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject …’

Statutory basis or other relevant conditions: A pre-condition of applying Article 9(2)(j) is that the processing has a basis in UK (or EU) law. This basis will include compliance with the common law duty of confidence, the provisions of DPA18 that relate to research, statistical purposes etc. and other relevant legislation, for example section 251 support.

Lawful basis for regulatory and public health functions

Type of processing: Processing that is necessary for reasons of public interest in the area of public health, and is carried out
(i) by or under the responsibility of a health professional, or
(ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

GDPR Article 6 condition for personal data: 6(1)(c) ‘…necessary for compliance with a legal obligation…’

GDPR Article 9 condition for special categories (sensitive data): 9(2)(j) ‘…necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’

Statutory basis or other relevant conditions:

  • Health Protection (Notification) Regulations 2010
  • Public Health (Control of Disease) Act 1984, as amended by the Health and Social Care Act 2008

Lawful basis for safeguarding

GDPR Article 6 condition for personal data: 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

GDPR Article 9 condition for special categories (sensitive data): 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’

Statutory basis or other relevant conditions: Children Acts 1989 and 2004, and the Care Act 2014

Lawful basis for employment purposes

GDPR Article 6 condition for personal data: 6(1)(b) ‘For the performance of a contract to which the ‘individual’ is a party’

Or

6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

GDPR Article 9 condition for special categories (sensitive data): 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law..’

Statutory basis or other relevant conditions: Safeguarding Vulnerable Groups Act 2006 as a basis for Disclosure and Barring Service (DBS) checks and other processing of such data


We may share information about you with the following agencies in order to support the delivery of your care:

  • Department of Health and other NHS bodies
  • Clinical Commissioning Groups (CCGs)
  • Other providers involved in your care, such as hospitals
  • General Practitioners (GPs) in Wolverhampton, and out of area if you are not from Wolverhampton
  • Ambulance Service
  • Mental health services
  • Social services

We may also share your information, with your consent and subject to strict sharing protocols about how it will be used with:

  • Education services
  • Local authorities
  • Voluntary sector providers
  • Private sector

We may also share your information with others that need to use records about you to carry out the following:

  • Check the quality of treatment or advice we have given you
  • Protect the health of the general public
  • Manage the health service
  • Help investigate any concerns or complaints you or your family have about your healthcare

This will be done with protocols or agreements in place to govern the sharing of data to ensure it is adequate and relevant to the purpose listed above.

Some information we have to share is used for statistical, research or audit purposes, and in these instances we take strict measures to ensure that individual patients cannot be identified and where appropriate anonymisation and pseudonymisation techniques will be used to protect your identity.

Anyone who receives information from us also has a legal duty to keep it confidential and secure.

If you do not wish personal data that we hold about you to be used in the way that is described in this notice, please discuss the matter with us. You have the right to object in certain circumstances, such as where you have given consent to the processing or have entered into a contract, but this may affect our ability to provide you with care or advice.


The Trust will collect data about you in a number of ways. The main method of collection is from you directly.

Face to face:
Most of the information we hold about you will be collected from you at the time you engage with the service. Any data provided will be used for the reasons listed in this notice and only relevant data will be requested and recorded.

Telephone calls: 
The information you disclose over a telephone call may be recorded by the Trust either to support your care or as a record of the conversation. Ordinarily we will inform you if we record or monitor any telephone calls you make to the Trust. This is to increase your security, for our record keeping of the phone call and for training and quality purposes.

Emails:
If you email us we may keep a record of your contact and your email address for our record keeping.

Other organisations:
We may receive information from other organisations that are also required by law to share information with us about you, to help us have a full picture of your needs and provide you with care.

Referrals – We may receive referrals or a transfer of your notes to specific specialties as a result of your care being transferred to our organisation. This can be from another Trust, your GP or any health or social care provider initiating a referral. 

Direct access – The Trust and its staff may, on a need to know basis, have access to specific clinical systems from other organisations, such as the summary care record and other Trust clinical systems, in order to access information about you that is relevant to your care delivery. All systems are auditable and access is on a need to know basis.



Below is a list of the rights you have in relation to your data and when they apply. To make an application for any of the below rights please contact the Data Protection team at rwh-tr.dataprotectionteam@nhs.net in the first instance. All rights should be considered within 30 calendar days from date of receipt, but may be extended if complex.


The Right of Access
You have the right to request a copy of any information held by the Trust as well as any supplementary information.  See How do I request my information? for details on how to request your information. 

 


Right to Rectification
If you believe your information may be inaccurate or incomplete you can make a request to have your information reviewed. 



The Right to Erasure
The right to erasure, also known as the ‘right to be forgotten’, introduces a right for you to have personal data erased. Generally this right is not available with health care data. Where this right is available for specific processing you will be notified.



The Right to Restrict Processing 
The right to restriction allows you to request the restriction or suppression of your personal data. This right is closely linked with the right to rectify and the right to object and will only apply if:

  • you contest the accuracy of your personal data and the accuracy is being verified by the Trust;
  • the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and you oppose erasure and request restriction instead;
  • the personal data is no longer needed but we need to keep it in order to establish, exercise or defend a legal claim. 

The Right to Data Portability 
The right to data portability allows you to obtain and reuse your personal data across different services. The process should allow for moving, copying or transfer of personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The right to data portability is not an absolute right and generally will not apply to your health care record unless: 

  • The processing is based on your consent or is in the performance of a contract;
  • When processing is carried out by automated means.

 

The Right to Object

The right to object to processing means that data should cease to be processed. This right applies only where data is obtained with your consent. In most cases we rely on our legal basis to process your data and not consent and therefore for care purposes this right may not apply. If your data is used for any other reason this right may apply, but would have to be assessed on an individual basis.


Use of profiling
Profiling is automated processing of personal data to evaluate certain things about an individual.  The Trust may use profiling techniques for health care planning purposes.  An example of this type of processing is the process of risk stratification of patients based on frequency of attendance. 



You have a right to see or have copies of any information held by the Trust that relates to you free of charge. We have the right to charge an administration fee in situations where repeated requests are received for the same information or the request is excessive. You will be required to prove your identity when making requests.

Subject Access Requests under GDPR rules (post 25th May 2018) will be processed within 30 days. However, once our teams have established the volume of records requested there may be a requirement to extend this up to a further 2 months. We will contact you within 30 days should this be the case.

To request access to health records please complete a Subject Access Request form, link provided below and forward on to: 

Data Protection Team 
Health Records Library 
Location B19 
New Cross Hospital 
Wednesfield Road 
Wolverhampton 
WV10 0QP

Email: rwh-tr.dataprotectionteam@nhs.net 

Telephone: 01902 307999 Extension 5544 

Subject Access Request form  (PDF, 176Kb)   

Subject Access Request form  (Word, 43Kb)

Subject Access Request form for time of birth requests only  (PDF, 327Kb) 

Subject Access Request form for time of birth requests only  (Word, 39Kb)



All our records are destroyed in accordance with the NHS Retention Schedule, which sets out the appropriate length of time each type of NHS records is retained. We do not keep your records for longer than necessary. 

All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required. For more information please see the Record Management Code for Practice for Health and Social Care 2016, retention schedules



Data Protection Officer (DPO): Raz Edwards
Email: rwh-tr.IG-Enquiries@nhs.net   
Address: New Cross Hospital, Wolverhampton Road, Heath Town, Wolverhampton WV10 0QP

The Data Protection Officer is a point of contact for advice and guidance in relation to your rights. The DPO is responsible for monitoring the Trust’s compliance with the Data Protection Act 2018 and the General Data Protection Regulations (GDPR) 2016 as well as any policies the Trust has in relation to the protection of personal data. The DPO shall perform their duties in an independent manner with due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

If you have any questions about your care or a complaint, please speak to the health professional involved in your care in the first instance. If this is not resolved to your satisfaction you can contact the Patient Advice and Liaison Service (PALS).

If you have any concerns about how your information is being processed or any of the rights as detailed above, please contact the Trust in the first instance through:

Data Protection Team
Health Records Library
Location B19
New Cross Hospital
Wednesfield Road
Wolverhampton
WV10 0QP

Email: rwh-tr.dataprotectionteam@nhs.net

Telephone: 01902 307999 Extension 5544

You also have a right to complain directly to the Information Commissioner’s Office if you feel the Trust has not responded effectively to any of the above.

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF

Telephone: 0303 123 1113                   

https://ico.org.uk/



A Teaching Trust of the University of Birmingham