Privacy statement

In the NHS we aim to provide you with the highest quality health care.

To do this we must keep records about you, your health, and the care we have provided or plan to provide to you.

This Privacy Notice tells you about the information we collect and hold about you, what we do with it, how we will look after it and who we might share it with. It also explains the choices you can make about how your information is used and how you can opt out of any sharing arrangements that may be in place.

The healthcare professionals caring for you, such as doctors, nurses, allied health professionals, and administration staff, keep records about your health and treatment so that they can provide you with the best possible care.

These records may be stored in paper form, electronically, in video and audio files.

Your health record may include:

• Basic details about you, such as your address, date of birth, and next of kin,
• Contact we have had with you, such as clinical visits,
• Notes and reports about your health,
• Details and records about your treatment and care,
• Results of x-rays, laboratory tests etc.

• health care professionals looking after you have accurate and up-to-date information about you to help them decide on any care you may require,

• full information is available should you see another doctor or be referred to a specialist or another part of the NHS,

• there is a good basis for assessing the type and quality of care you have received. This will lead to better care both for you and for other patients in the future

• your concerns can be properly investigated if you need to complain.

How your records are used to help the NHS

• paying your GP or hospital for the care you have received,

• the audit of NHS accounts, Service Evaluation and Clinical Audit of the quality of services provided,

• reporting and investigating complaints, claims and untoward incidents,

• planning services to ensure we meet the needs of our population in the future,

• preparing statistics on our performance for the Department of Health,

• reviewing our care to make sure that it is of the highest standard,

• teaching and training health care professionals,

• conducting health research and development – please see ‘Research’ below.

Records will be kept in line with the Department of Health Records Management Code of Practice which determines the minimum length of time that records should be kept for.

Under the UK General Data Protection Regulations (UK GDPR), all organisations must ensure they have a clear legal basis for processing information.

When your information is used for your care and administrative purposes related to your care, we rely on Article 6(1)e and Article 9(2)h of the UK GDPR.

For Research, in most instances, we will rely on Article 6(1)e and Article 9(2)j of the UK GDPR if and when we use your information for research. If you have formally consented to take part in research, this will satisfy the common law duty of confidentiality. Where it has been impracticable to obtain your consent we will seek approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.

For Secondary (indirect care) purposes, when there is a legal requirement that we provide specified data to NHS Digital for example, we rely on Article 6(1)c of the UK GDPR. In cases where the common duty of confidentiality cannot be satisfied through consent we seek approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.

• You have the right to know how we will use your personal information,

• You have the right to see your health record – see the section on Requesting a Copy of your Records below,

• You have the right to ask for the information we hold about you to be corrected if it is incorrect, or completed if incomplete, subject to certain safeguards,
• You have the right to ask for the information we hold about you to be erased, subject to certain safeguards,
• You have the right to ask us to change or restrict the way we use your information, and we have to agree, if possible,
• You have the right to request your personal information is transferred to other providers in certain situations,
• You have the right to object to us making use of your information other than for your care,
• You have the right to challenge any decisions made without human intervention (automated decision-making).

If you object to how we are using your information or wish us to restrict, erase or correct it, please first discuss this with the staff providing your care. You can also contact our Information Governance team at CRHFT.InformationGovernanceOffice@nhs.net. How we keep your information secure

Whenever information is used for your care, it will be handled in the strictest confidence. Chesterfield Royal Hospital NHS Foundation Trust (CRHFT) will:

• only use the minimum amount of information necessary for the purpose. Where possible, we will use information that does not identify you,
• ensure that anyone receiving information about you is under an obligation to keep it confidential and to only use the information for the specified purpose,
• have secure systems in place to help prevent unauthorised access to patient information held on its computers,
• have audit trails available on electronic systems to ensure we can identify who has accessed your record.

We are committed to protecting your privacy and will only process personal confidential data in accordance with the UK General Data Protection Regulation (UK GDPR), UK Data Protection Act 2018, the Common Law Duty of Confidentiality, and the Human Rights Act 1998. 

CRHFT is a Data Controller under the terms of the UK GDPR. We are legally responsible for ensuring that all personal confidential data that we collect and use i.e. hold, obtain, record, use or share about you is done in compliance with the Data Protection Principles. Our Data Protection Officer can be contacted at crhft.DPO@nhs.net.

CRHFT is registered as a data controller with the Information Commissioner’s Office (ICO). Our ICO Data Protection Register number is Z6956411 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

All of our staff, contractors and committee members receive appropriate and ongoing training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

If you receive care from other organisations, such as Social Care or voluntary healthcare providers, there may be a need to share information about you so that everyone involved in your care can work together for your benefit. Information about you will only be used or passed on to others involved in your care.

CRHFT works in partnership with several NHS and Non-NHS organisations across Derbyshire to deliver joined-up integrated services to users.

To ensure you receive safe and effective care, information about your health and treatment will be shared with other organisations caring for you. Information will only be shared for the purpose of direct care and will only be viewed by individuals who are directly involved in your care. To support the sharing of information to provide you with the best treatment, Derbyshire Health and Social Care organisations, including CRHFT, have developed the Derbyshire Shared Care Record. More information can be found here: https://joinedupcarederbyshire.co.uk/about/our-work/derbyshire-shared-care-records.

Organisations providing care are increasingly working together to ensure patients receive the most appropriate treatment at the earliest opportunity. To support this, we may share your information with, or receive information from, another organisation in order to determine if you can receive treatment more quickly. Please be assured that this information is being shared for direct care purposes only and all organisations will treat your information confidentially.

If you do not want your health record to be shared with other services involved in your care, please ensure you inform the service(s) caring for you. You can choose to exclude parts of your record from being shared, or you can opt out of sharing your record altogether. You can also change your mind at any time about whether you wish to share your record.

If you ask us not to share information about you with another person or organisation, we will respect your wishes unless there are exceptional circumstances. Not sharing information may mean that we have to alter the level of care we provide to you, but this will be explained. The final decision will normally rest with you.

There are exceptional circumstances where information about you will be shared, even if you do not give us permission to do so. These are where information is shared for legal reasons or in the public interest. Circumstances where information may be shared without your permission include:

• Where it is required by law, for example, the notification of births, deaths, and some infectious diseases,
• Where a court order has been issued requesting the information,
• Where there is a serious risk of harm to you or other individuals,
• Where a child is believed to be at risk of harm (Children’s Act 1989),
• Where information is required for the prevention, detection, or prosecution of a serious crime,
• Where information you have supplied to us is about a serious crime that has been committed, such as murder, manslaughter, rape, treason, or kidnapping (Police and Criminal Evidence Act 1984),
• Where the information you have supplied to us is about suspected terrorism (Anti-terrorism, Crime and Security Act 2001 and Terrorism Act 2000),
• Where the disclosure is necessary in any legal proceedings.

Use of patient data to improve NHS ServicesCRHFT, like all NHS organisations, uses information about your care to review the quality of care. This enables us to be sure that standards are being met and helps us to improve the quality of care that we provide. This activity is carried out by clinical teams and may also involve Service Evaluation and Clinical Audit / other non-clinical Trust staff who are experts in data collection. The Trust oversees all this activity through its authorisation processes. Our Caldicott Guardian is responsible for keeping the confidentiality of patient information safe. No patients can ever be identified in any subsequent reporting of results unless we have previously asked and got your permission.

If you do not want your records or data to be used for Service Evaluation and Clinical Audit, please inform the service(s) caring for you.

All NHS organisations are expected to participate in and support health and care research. The Health Research Authority sets standards for NHS organisations to make sure they protect your privacy and comply with the law when they are involved in research.

CRHFT has a research innovation group dedicated to ensuring we apply the strictest governance around your information in relation to research.

Wherever possible, CRHFT will use information that does not identify individuals. Where identifiable information is required, CRHFT will always gain your consent before using your information for research purposes. A member of your care team may review your care records to determine if you are suitable to take part in a research study, before contacting you for your consent to take part in the research.

Further information for patients on health research can be found at: https://www.hra.nhs.uk/information-about-patients/Further information on Data Protection in relation to research can be found from the Health Research Authority at: https://www.hra.nhs.uk/about-us/news-updates/gdpr-guidance-researchers/

CRHFT is compliant with the national data opt-out policy. Visit the NHS Digital website to find out more about the National Data Opt Out.

You have the right to ask for a copy of all records about you under the UK General Data Protection Regulations:

• CRHFT will provide a copy of the information free of charge. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
• CRHFT may also charge a reasonable fee to comply with requests for further copies of the same information.
• We must comply with your request within one month of receipt. However, we may extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform you within one month of the receipt of the request and explain why the extension is necessary.

To request a copy of your records, please see the How to Access your Information page.

Patients who have a concern about any aspect of their care or treatment at this Trust, or about the way their records have been managed, should contact:

Assistance & ComplaintsChesterfield Royal Hospital NHS Foundation TrustCalowCHESTERFIELDS44 5BLTel: 01246 512640e-mail: crhft.acs@nhs.net

Additionally, patients have the right to contact the Trust’s Data Protection Officer if they should ever be dissatisfied with the way the Trust has handled or shared their personal information. Contact details are as follows:

Data Protection Officer,
Chesterfield Royal Hospital NHS Foundation Trust,
Calow,
CHESTERFIELD,
S44 5BL
Email: CRHFT.DPO@nhs.net

If you remain dissatisfied with the Trust’s decision following your concerns, you may wish to contact:

Information Commissioner's Office
Wycliffe House
Water Lane
WILMSLOW
SK9 5AF
Tel: 0303 123 1113
Website: https://ico.org.uk/global/contact-us/

We reserve the right to update this privacy notice at any time. We will notify you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.