Privacy Notice & Data Sharing

Details about you such as:

• Name
• Address
• Date of birth
• NHS number
• GP
• Next of kin

Contacts we have had with you such as:

• as clinic visits
• hospital admissions notes
• reports about your health
• any treatment and care you need

Details and records about you such as:

• the treatment and care you receive
• results of investigations
• x-rays
• scans and laboratory tests
• relevant information from other health professionals
• relatives or those who care for you and know you well

Please note phone calls to and from the Trust may be recorded for monitoring and training purposes.

If you want to access copies of your health record held by the Trust, please read the following information.

Firstly the definition of a health record is any record of information relating to someone's physical or mental health that has been made by (or on behalf of) a health professional.

Since April 2011 the Trust has been responsible for all secondary care provided by community services across Warwickshire. Community services such as ‘Child Health Services’ and other secondary care services provided by the Trust will hold separate patient service records.

Therefore, when you request copies of your health record please submit a single request and detail the specific health information you believe is held by an acute or secondary care service belonging to South Warwickshire University NHS Foundation Trust.

Providing specific information such as dates, service attended and health professionals seen by you will ensure the Access to Health Records Team (AHR team) are able to deal with your request efficiently.

Please do not submit separate requests simultaneously. Simply state all of the information you require on one request form.

Making a request

Please use this form to request copies of your medical records.

Alternatively you can Download or print a copy of the new health records form. - WORD or Download or print a copy of the new health records form. - PDF.

This should be emailed to information.governance@swft.nhs.uk or posted to the below address:

Information Governance Department
Pickering's Building, 1st Floor
Millers Road
Warwick
CV34 5AN
Tel: +44(0)1926 495321 ext. 8351/4141

Some information may be available via the Patient Portal. The portal is available to the majority of outpatient specialties and provides patients with the opportunity to manage their own appointments and view appointment letters online.

These forms are not compulsory. You can submit your request in writing to the above address. However, the Trust has provided the forms for your convenience and advises forms will prevent delays in processing the request.

Your GP Record

The Trust will not have information held in your GP records other than copies of key information shared by your GP. Therefore, if you require access to information held in your GP records you must submit a request to the GP Practice that you are registered with.

When you change GPs your GP will transfer all of your GP record to your new GP. This ensures all of your previous medical history is now known to your new GP.

Your Summary Care Record

Any queries concerning your NHS Summary Care Record (SCR) must also be redirected to your GP to answer. They are responsible for the information uploaded to your NHS Summary Care Record. For more information about the NHS SCR click on the following link: NHS electronic care records page.

For processing to be lawful under the GDPR and the Data Protection Act 2018, South Warwickshire University NHS Foundation Trust (SWFT) is obliged to identify a lawful basis before it can process personal data. The obligation requires SWFT to satisfy a condition under Article 6 and where special category data is being processed, also under Article 9.

For lawful processing under Article 6(1)(e) will apply: ‘for the performance of a task carried out in the public interest or in the exercise of official authority’

For necessary processing of special categories, e.g. health data for employment purposes the following condition, under Article 9, will apply: 9(2)(h) ‘Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional’

There may be occasions when the data subject’s consent will provide the legal basis for the processing of their personal data under Article 6(1)(a)

The table details other reasons we may process and the reasons under the law that support this.

Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) you have a number of rights with regard to your personal data.

Right to request access to your information

Rectification of your personal data

Right to data portability

If you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn.

Right to erasure

In order for the Trust to provide you with high quality health care services we are required to collect and use of your personal data. To support our clinical duties this data can sometimes be shared with relevant departments within the Trust, with other NHS organisations and authorities where required and, at times, it may also be used for training and auditing purposes.

We are committed to processing your personal data in accordance with the law.

South Warwickshire NHS Foundation Trust is the Data Controller for any personal information you provide, if required, the Trust can provide you with information about why your personal data is being processed, how long the Trust will keep it for, who it may be shared with, information about your rights as well as who to contact if you have any queries or concerns.

We may share information about you with the following agencies in order to support the delivery of your care:

• Department of Health
• Clinical Commissioning Groups (CCG’s)
• Other providers involved in your care- such as hospitals
• General Practitioners (GP’s)
• Ambulance Service
• Mental Health Services
• Social services

We may also share your information, with your consent and subject to strict sharing protocols about how it will be used with (unless there are safeguarding risks or crime prevention, we will have a legal obligation to disclose information about you without seeking consent):

• NHS Digital
• Education services
• Local authorities
• Voluntary sector providers
• Private sector

We may also share your information with others that need to use records about you to carry out the following:

• Check the quality of treatment or advice we have given you
• Protect the health of the general public
• Manage the health service
• Help investigate any concerns or complaints you or your family have about your healthcare
• Carry out Research and Clinical Audits
• Conduct patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients

We protect your information in the following ways:

Training - Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community.

Access controls - Any member of staff being given access to national systems holding patient information will need a special access card called a smartcard, along with a username and password. Many of our local systems also require smartcard access.

Audit trails - We keep a record in the newer electronic record systems of anyone who has accessed a health record or added notes to it. Some of the older computer systems only record who has amended a record.

Investigation - If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.

Records Management - All healthcare records are stored confidentially in a secure location.

Legislation - There are laws in place to protect your information, including the General Data Protection Regulation and the Human Rights Act 1998.

Caldicott Guardian - Within each NHS organisation there is a designated person named the ‘Caldicott Guardian’ whose responsibility it is to ensure that these laws are upheld. The Caldicott Guardian for the South Warwickshire University NHS Foundation Trust is Dr Charles Ashton.

South Warwickshire University NHS Foundation Trust (SWFT) is the Data Controller [and Data Processor] of data for the purposes of the DPA18 and GDPR.

SWFT as the Data Controller is committed to protecting the rights of individuals in line with the Data Protection Act 2018 (DPA) and the new General Data Protection Regulation(GDPR).

SWFT has a Data Protection Officer (DPO) and if you have any concerns as to how your data is processed please contact the Data Protection Officer by email: dpo@swft.nhs.uk

South Warwickshire University NHS Foundation Trust is obliged to retain your data in accordance with the Department of Health’s Records Management Code of Practice 2016.

Records Retention Guide

If you are unhappy with the way in which your personal data has been processed you may in the first instance contact the Data Protection Officer using the contact details above.

If you remain dissatisfied then you have the right to apply directly to the Information Commissioner for a decision.

The Information Commissioner can be contacted at: -

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Right to make a complaint directly to the ICO

The Freedom of Information Act 2000 (FOIA) gives members of the public certain rights to request information from public authorities. The individual right of access applies to all types of recorded information held by public authorities regardless of the date of the information. The Act does, however, set out some exemptions to this right. It also places a number of obligations on public authorities about the way in which they provide information. Subject to the exemptions, anyone making a request must be informed whether the public authority holds the information and, if so, be supplied with it - generally within 20 working days. There is also a duty to provide advice or assistance to anyone seeking information (for example in order to explain what is readily available or to clarify what is wanted).

Download more information on the Freedom of Information Act.

Under Section 19 of the FOIA we have a legal duty to adopt and maintain a publication scheme for the publication of the information we use.

The publication scheme can help you find the following information:

Class 1 - Who we are and what we do
Class 2 - What we spend and how we spend it
Class 3 - What our priorities are and how we're doing
Class 4 - How we make decisions
Class 5 - Our policies and procedures
Class 6 - Lists and registers
Class 7 - The services we offer

Making a request

Please use this form to submit a Freedom of Information Request. Freedom of Information Requests can also be emailed to swft@infreemation.co.uk

Or posted to:

Information Governance Department, Warwick Hospital, Lakin Road, Warwick CV34 5BW.

Bona Vacantia Enquiries

We make appropriate enquiries to trace relatives of patients who pass away at the hospital with no next of kin. For those who we are unable to trace, their details are forwarded on to: Government Legal Department, Bona Vacantia Division (BVD), PO Box 70165, London WC1A 9HG.

We do not hold any information on the value of any estate the person may have had, nor can we make any additional information available on individual cases through Freedom of Information requests. For further information, please click on the links below:

Download the Governments bona vacantia estates referral form.

View further information on bona vacantia.

To help you understand the implications of these new laws and how it could affect your work, we have compiled the following FAQs. If you have any questions, please contact: dpo.swft@nhs.net

1. What is the GDPR and when does it become applicable?

The GDPR is European Union (EU) legislation that will become directly applicable in

The GDPR is EU legislation that will be applicable as law in EU member States (e.g. the UK) from 25 May 2018, irrespective of national legislation.

The DPA 1998 will be completely repealed.

4. What are the penalties for non-compliance?

Fines under the GDPR are up to a maximum of €20 million or 4% of turnover. For health and social care organisations, any fine would be likely to give rise to a loss of public trust, attract media attention and thereby inflict considerable reputational damage. Therefore, it is important organisations ensure their compliance.

Headline impacts are:

• Appointment of Data Protection Officer (DPO) mandatory for all public authorities
• Organisations obliged to demonstrate that they comply with the new law (the concept of ‘accountability’).
• Significantly increased penalties possible for any breach of the Regulation – not just data breaches (see above).
• Legal requirement for security breach notification.
• Removal of charges, in most cases, for providing copies of records to patients or staff who request them.
• Requirement to keep records of data processing activities.
• Data Protection Impact Assessment required for high risk processing (which includes the large-scale processing of health-related personal data).
• Data protection issues must be addressed in all information processes.
• Specific requirements for transparency and fair processing.
• Tighter rules where consent is the basis for processing.

Some of these requirements should be established good practice. Organisations that are performing well in their information governance toolkit scores should have a good baseline to work from. However, these legal requirements require organisations to take specified actions, and have evidence to demonstrate that they have done so.

Organisations should undertake a thorough review of the GDPR requirements, including the helpful and on-going guidance published by the Information Commissioner’s Office (ICO), to ensure you are compliant. This is especially important as areas which were good practice are now legal requirements (e.g. the Data Protection Impact Assessment – see below).

Other issues to think about include the information provided to data subjects. Most health and social care organisations provide privacy notices to their data subjects as standard which explains what they use personal data for and why etc.The ICO have published a code of practice on what should be included. The GPDR / DP Bill now requires specific information be provided to a data subject. Articles 12 – 14 of the GPDR set out what will be required.

6. What is a Data Protection Impact Assessment (DPIA)?

A DPIA is a mechanism for identifying, quantifying and mitigating data privacy risks. It is undertaken to ensure appropriate controls are put in place when any new process, system or ways of working involving the use of high risk processing (such as processing “health data”) is introduced.

• When undertaking a DPIA, an organisation’s designated Data Protection Officer must be consulted. A DPIA should be signed off by an organisation’s Senior Information Risk Owner (SIRO) and the Data Protection Officer (DPO).
• A DPIA has to be completed before any new process, system or way of working goes live (i.e. at the business planning stage of a project) where it involves high risk processing.
• The completion of a DPIA will help to minimise the chance that any new process, system or way of working will present a high risk to the rights of individuals through a failure to comply with the GDPR (or new DPA).

7. What/who is the DPO?

The DPO will also be responsible for monitoring the organisation(s) compliance with the GDPR.

It is important to note that data processors that process personal data on behalf of health or social care organisations must appoint a DPO where they either:

• process special categories data on a large scale OR
• perform regular or systematic monitoring of data subjects

The DPO reports directly to an organisation’s highest management level and may not be disciplined or dismissed for carrying out their tasks as a DPO.

8. Who can be a DPO?

Organisations must ensure that the DPO role is independent, free from conflict of interest. DPOs may be shared by multiple organisations that are ‘public authorities’ taking into account organisational structure and size, and may be either a member of staff or may fulfil the tasks on the basis of a service contract, provided there is no conflict of interest. A DPO team with a nominated contact for each organisation is an acceptable approach.

There are specific roles that the DPO cannot perform in conjunction with this new role. As a result it is important to consider EU Guidelines that state:-

9. What guidance does the ICO intend to publish
The ICO has already started to publish useful information and will continue to do so.

10. Do you need to re-seek consent if already obtained for the purposes of sharing data?
Please be aware the ICO have produced draft guidance regarding consent which may be helpful.

Organisations should review their existing consents before May 2018 to ensure that they are GDPR-compliant.

It will not be necessary to seek new consent if your existing consents are already GDPR compliant - although you will need to ensure that you have compliant documentation and consent withdrawal mechanisms in place.

If your existing DPA consents do not meet the GDPR’s requirements, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure the continued processing is transparent and fair (i.e. that the data subjects rights and freedoms are not undermined through a change in processing), or stop the processing.

Any exercise to contact individuals to refresh consent must itself comply with the DPA and Privacy and Electronic Communications Regulations (PECR).

11. How will the right to erasure be applied in a healthcare setting?

A data subject’s right to erasure is a fundamental right. However, it must be applied sensibly. There are legitimate areas under the GDPR where processing can lawfully continue and such a request refused. For example, where there is a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. There are other instances such as public interest in the area of public health (related to specific articles) or archiving.

This right aims to strengthen the ability to remove information made available online especially when made public by a child and making this right available when they are an adult.

A request from a data subject exercising this right should be taken seriously and on a case by case basis. Where it is legitimately not possible to erase the information, this should be communicated to the data subject promptly and as per the requirements under Article 15 (“right of access”).

12. Is there a standard format to giving information held back to the patient?

No. The GDPR describes what information should be provided to the patient but not the format of how it should it be provided.

Information Governance Policy

Adult Asthma Patient Information

Chronic Obstructive Pulmonary Disease Information

Community Acquired Pneumonia Audit

National Audit of Care at the End of Life (NACEL)

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• improving the quality and standards of care providing research into the development of new treatments
• preventing illness and diseases
• monitoring safety
• planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

• See what is meant by confidential patient information
• Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
• Find out more about the benefits of sharing data
• Understand more about who uses the data
• Find out how your data is protected
• Be able to access the system to view, set or change your opt-out setting
• Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
• See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is compliant with the national data opt-out policy.

National Data Opt Out Policy

South Warwickshire Unviersity NHS Foundation Trust works with other health and social care organisations to share information that will form part of your Integrated Care Record. The Integrated Care Record allows health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you. Information we hold about you will be available, to read only, to other health and care professionals in Coventry and Warwickshire, Birmingham and Solihull, and Herefordshire and Worcestershire when they are involved in your health or social care.

For more information about the Coventry and Warwickshire ICR click here or here to view an information leaflet and to discover how your data is used and to how to exercise your rights please see the full Privacy Notice or copy and paste this link www.happyhealthylives.uk/integrated-care-record/privacy-notice/

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice.

To see the COVID-19 privacy notice, please click here.

This link provides details of the National Immunisation Management Service.

NHS Login to NHS App

Legal Basis: NHS Digital (NHSD) is the data controller for both login and Ap. NHS Login is used solely to authenticate the request.

NHS App to Patient Care Aggregator

The Patient Care Aggregator is being built by an assured Third party i.e. Servita, hosted within the Amazon Web Services (AWS) NHSD infrastructure under contract to NHS England (NHSE).

Legal Basis: NHSE will be the data controller for the service support and the Patient Care Aggregator in the initial phases. NHSE and NHSD will be Joint Data Controllers for the data surfaced in the NHS App where NHSE are issuing NHS App, Services Directions (2022) to NHSD to provide the summary details of patient scheduled secondary care outpatient appointments in the NHS App. This will remain until the new NHS App Directions provided by the Secretary of State for Health and Social Care replace the above mentioned.

This Direction is given in the exercise of powers under the Health and Social Care Act 2012 and Regulation 32 of the National Institute for Health and Care Excellence (Constitution and Functions) and the Health and Social Care Information Centre (Functions) Regulations 2013 (the Regulations). NHSD is the data controller of the Application Programme Interface (API) Management System. NHSD are processing data under UK GDPR: - Art. 6(1)[c] - legal obligation by virtue of the Direction Art. 9(2)[g] - substantial public interest and Part 2 Sched.1, DPA 2018, para 6 (statutory and governmental process by Direction) Servita are a data processor of NHSE.

NHS Trusts to Patient Care Aggregator

Legal Basis: In the host environment, this will be to provide health and care services under UK GDPR Article 6(1)(e) and for sensitive data Article 9(2)(h). NHS Trusts as data controllers, will not currently be mandated to provide secondary care appointment data to the Care Aggregator - their decision to send data will be voluntary. They will remain responsible for the management of an Excluded Patient List including those users that wish to remove their data from the Patient Care Aggregator Records Service. Note: - This is likely to change when the new NHS App Direction is in place between DHSC and NHSD and a DPN (Data Provision Notice) can be issued by NHSD to Trusts NHSE does not hold NHS Trust patient data and a patient’s information access rights under UK GDPR will be executed by the NHS Trust as data controller for the care information they hold.

Further Information:

NHSE Privacy Notice

NHSD Privacy and Cookies

NHSD Terms and Conditions

NHS Login Privacy Notice