Privacy Notice & Data Sharing

Trust Privacy Notice

South Warwickshire University NHS Foundation Trust processes data in line with the UK General Data Protection Regulation and the Data Protection Act 2018.

This Privacy Notice is designed to explain how we collect, use, and safeguard your personal information in accordance with Data Protection law. Please read this notice carefully to understand our practices regarding your personal data and how we handle it.

What information do we collect about you?

Personal information such as:

  1. Name
  2. Address
  3. Date of birth
  4. NHS number
  5. GP
  6. Next of kin

We may collect sensitive personal data such as:

  1. Racial or ethnic origin (for monitoring purposes)
  2. Genetic data and biometric data (for health purposes)
  3. Data concerning health (for health purposes)
  4. Data concerning your sex life or sexual orientation (for health purposes (where appropriate) or monitoring purposes)

Contacts we have had with you such as:

  1. Clinic visits
  2. Hospital admissions notes
  3. Reports about your health
  4. Any treatment and care you need

Details and records about you such as:

  1. The treatment and care you receive
  2. Results of investigations
  3. X-rays
  4. Scans and laboratory tests
  5. Relevant information from other health professionals
  6. Relatives or those who care for you and know you well

How will your information be used?

To provide your care.

The doctors and other health professionals caring for you need to keep records about your health and the treatments you have received from the NHS and other healthcare providers, to be able to provide you with the most effective care. It is in your interests as a patient for a full and complete record to be collected, so that we have accurate, up-to-date information about you.

To help run our hospitals and improve our service

We may also need to use some information about you to:

  • Manage the healthcare services we provide
  • Help investigate any complaints, claims or incidents
  • Match data under the National Fraud Initiative
  • Help us to plan new services
  • Help us keep track of spending on our services
  • Prepare performance statistics for the Department of Health and other regulatory bodies
  • Assist in clinical audits of the quality of our services

After you attend one of our hospitals you may receive a text message asking you to rate how happy you were with your visit. This is a national service called the Friends and Family Test, and it gives NHS users an opportunity to give feedback on their experience. When you receive a Friends and Family Test message by text, you will have the option to opt out of any future messages from this service if you wish to do so.

What is our legal basis for processing your personal data?

The Trust must have a lawful basis for processing your personal data.

For the majority of personal data held, our lawful basis under GDPR is Article 6(1)(e): For the performance of a task carried out in the public interest or in the exercise of official authority.

There may be rare occasions when the legal basis for processing your data is consent, and the lawful basis under GDPR Article 6(1)(a) for this is: the individual has given clear consent for you to process their personal data for a specific purpose.

If you are a patient we will also be processing your health data. This is classed as special category (sensitive) data, and we need an additional legal basis for processing health information.

This legal basis is Article 9(2)(h) ‘Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.’

Your rights

Under UK GDPR and the Data Protection Act, you have a number of rights with regard to your personal data:

  • Right to request access to your information
  • Right to have incorrect information corrected
  • Right to data portability in some circumstances
  • Right to erasure in some circumstances
  • Right to limit the use of your data in some circumstances
  • Right to object to the use of your data in some circumstances
  • Rights in relation to automated decisions

The Information Commissioner’s Office has further information on your rights.

Access to health records

If you want to access copies of information about you held by the Trust, including your health record, please read the following information.

The definition of a health record is any record of information relating to someone's physical or mental health that has been made by (or on behalf of) a health professional.

Since April 2011 the Trust has been responsible for all secondary care provided by community services across Warwickshire. Community services such as ‘Child Health Services’ and other secondary care services provided by the Trust will hold separate patient service records.

Therefore, when you request copies of your health record please submit a single request and detail the specific health information you believe is held by an acute or secondary care service belonging to South Warwickshire University NHS Foundation Trust.

Providing specific information such as dates, service attended and health professionals seen by you will ensure the Access to Health Records Team (AHR team) are able to deal with your request efficiently.

Please do not submit separate requests simultaneously. Simply state all of the information you require on one request form.

Making a request

Please use this form to request copies of your medical records.

Alternatively, you can:

  • Download or print a copy of the health records form (Word), or
  • Download or print a copy of the health records form (PDF).

This should be emailed to or posted to the address below:

Information Governance Department
Pickering's Building, 1st Floor
Millers Road
CV34 5AN

Tel: +44(0)1926 495321 ext. 8351/4141

Some information may be available via the Patient Portal. The portal is available to the majority of outpatient specialties and provides patients with the opportunity to manage their own appointments and view appointment letters online.

These forms are not compulsory. You can submit your request in writing to the above address. However, the Trust has provided the forms for your convenience and advises that using them will prevent delays in processing the request.

Your GP Record

The Trust will not have information held in your GP records other than copies of key information shared by your GP. Therefore, if you require access to information held in your GP records you must submit a request to the GP Practice that you are registered with.

When you change GPs, your GP will transfer all of your GP record to your new GP. This ensures all of your previous medical history is now known to your new GP.

Your Summary Care Record

Any queries concerning your NHS Summary Care Record (SCR) must also be redirected to your GP to answer. They are responsible for the information uploaded to your NHS Summary Care Record. For more information about the NHS SCR click on the following link: NHS electronic care records page.


We may record CCTV images of people approaching, entering or passing our buildings to:

  • help staff and visitors feel safer;
  • act as a deterrent to offenders;
  • allow the collection of evidence to help find and convict offenders.

Security staff may wear body-worn cameras which can be activated to preserve evidence during incidents.

The lawful basis for processing personal information is: 6(1)(f) processing is necessary for the purposes of the legitimate interests pursued by a controller.

CCTV data may be shared with third parties such as the police or courts where there is a legal basis to do so.

Public Health Functions

Any processing that is necessary for reasons of public interest in the area of public health, and is carried out (i) by or under the responsibility of a health professional, or (ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

The lawful basis for processing personal information is: 6(1)(c) ‘…necessary for compliance with a legal obligation…’

The lawful basis for processing personal data is: 9(2)(j) ‘…necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’

Other information:

Health Protection (Notification) Regulations 2010; Public Health (Control of Disease) Act 1984, as amended by the Health and Social Care Act 2008.


The Trust regularly participates in research projects across various clinical areas.

In most cases you will be asked for consent to take part in any research project. Any research project including personal identifiable information that does not seek consent will be approved by the NHS under section 251 approval.

The Trust may share anonymised data for research purposes with third parties.

The lawful basis for processing personal information is: 6(1)(a) the data subject has given consent to the processing of their personal data for one or more specific purposes. Or in cases where section 251 approval has been granted; 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’

The lawful basis for processing personal data is: 9(2)(j) ‘…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate…and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject…’

Other information:

A pre-condition of applying Article 9(2)(j) is that the processing has a basis in UK (or EU) law. This basis will include compliance with the common law duty of confidence, the provisions of DPA18 that relate to research, statistical purposes etc. and other relevant legislation, for example section 251 support.


Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”.

Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees. The purpose of the processing is to protect the child or vulnerable adult.

The lawful basis for processing personal information is: 6(1)(c) ‘…necessary for compliance with a legal obligation…’

The lawful basis for processing personal data is: 9(2)(b) ‘…necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of protection law in so far as it is authorised by Union or Member State law…’

Other information:

• This sharing is a legal and professional requirement and therefore there is no right to object.

• The data will be shared with local safeguarding services.

Who will your information be shared with?

In order for the Trust to provide you with high-quality health care services we are required to collect and use your personal data. To support our clinical duties this data can sometimes be shared with relevant departments within the Trust, with other NHS organisations and authorities where required and, at times, it may also be used for training and auditing purposes.

We are committed to processing your personal data in accordance with the law.

South Warwickshire NHS Foundation Trust is the Data Controller for any personal information you provide. If required, the Trust can provide you with information about why your personal data is being processed, how long the Trust will keep it for and who it may be shared with.

We may share information about you with the following agencies in order to support the delivery of your care:

  • Department of Health
  • Clinical Commissioning Groups (CCGs)
  • Other providers involved in your care, such as hospitals
  • General Practitioners (GPs)
  • Ambulance Service
  • Mental Health Services
  • Social services

We may also share your information, where there is a lawful basis to do so, with:

  • NHS Digital
  • Education services
  • Local authorities
  • Voluntary sector providers
  • Private sector organisations who are involved in your care

We may also share your information with others that need to use records about you to carry out the following:

  • Check the quality of treatment or advice we have given you;
  • Protect the health of the general public;
  • Manage the health service;
  • Help investigate any concerns or complaints you or your family have about your healthcare;
  • Carry out Research and Clinical Audits;
  • Conduct patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients

How do we keep your information confidential?

We protect your information in the following ways:

Training - Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community.

Access controls - Any member of staff being given access to national systems holding patient information will need a special access card called a smartcard, along with a username and password. Many of our local systems also require smartcard access.

Audit trails - We keep a record in the newer electronic record systems of anyone who has accessed a health record or added notes to it. Some of the older computer systems only record who has amended a record.

Investigation - If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.

Records Management - All healthcare records are stored confidentially in a secure location.

Legislation - There are laws in place to protect your information, including the General Data Protection Regulation and the Human Rights Act 1998.

Caldicott Guardian - Within each NHS organisation there is a designated person named the ‘Caldicott Guardian’ whose responsibility it is to ensure that these laws are upheld. The Caldicott Guardian for this Trust is Dr Charles Ashton.

Data Controller and Contacts

South Warwickshire University NHS Foundation Trust is the Data Controller [and Data Processor] of data for the purposes of the DPA18 and GDPR.

The Trust has a Data Protection Officer (DPO), and if you have any concerns as to how your data is processed please contact the Data Protection Officer by email: or by letter:

Data Protection Officer
Information Governance Department
Pickering's Building, 1st Floor
Millers Road
CV34 5AN

How long do we keep your information?

South Warwickshire University NHS Foundation Trust is obliged to retain your data in accordance with the NHSX Records Management Code of Practice 2021.

How do I make a complaint?

If you are unhappy with the way in which your personal data has been processed you may in the first instance contact the Data Protection Officer via or:

Data Protection Officer
Information Governance Department
Pickering's Building, 1st Floor
Millers Road
CV34 5AN

If you remain dissatisfied then you have the right to apply directly to the Information Commissioner’s Office for a decision. The Information Commissioner’s Office can be contacted at:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or via their website.

National Data Opt Out

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance, to help with:

  • Improving the quality and standards of care by providing research into the development of new treatments
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt-out visit

You can also find out more about how patient information is used at: (which covers health and care research); and (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Integrated Care Record

South Warwickshire University NHS Foundation Trust works with other health and social care organisations to share information that forms part of your Integrated Care Record. The Integrated Care Record allows health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you. Information we hold about you will be available, to read only, to other health and care professionals in Coventry and Warwickshire, Birmingham and Solihull, and Herefordshire and Worcestershire when they are involved in your health or social care.

More information about the Coventry and Warwickshire ICR is available on the website.

Accessing our Services using your NHS login details

NHS Login to NHS App
Legal Basis: NHS Digital (NHSD) is the data controller for both login and App. NHS Login is used solely to authenticate the request.

NHS App to Patient Care Aggregator
The Patient Care Aggregator is being built by an assured third party (Servita), hosted within the Amazon Web Services (AWS) NHSD infrastructure under contract to NHS England (NHSE).

Legal Basis: NHSE will be the data controller for the service support and the Patient Care Aggregator in the initial phases. NHSE and NHSD will be Joint Data Controllers for the data surfaced in the NHS App where NHSE are issuing NHS App, Services Directions (2022) to NHSD to provide the summary details of patient scheduled secondary care outpatient appointments in the NHS App. This will remain until the new NHS App Directions provided by the Secretary of State for Health and Social Care replace the above-mentioned.

This Direction is given in the exercise of powers under the Health and Social Care Act 2012 and Regulation 32 of the National Institute for Health and Care Excellence (Constitution and Functions) and the Health and Social Care Information Centre (Functions) Regulations 2013 (the Regulations). NHSD is the data controller of the Application Programme Interface (API) Management System. NHSD is processing data under UK GDPR:

  • Art. 6(1)[c] - legal obligation by virtue of the Direction
  • Art. 9(2)[g] - substantial public interest and Part 2 Sched.1, DPA 2018, para 6 (statutory and governmental process by Direction)

Servita are a data processor of NHSE.

NHS Trusts to Patient Care Aggregator
Legal Basis: In the host environment, this will be to provide health and care services under UK GDPR Article 6(1)(e) and for sensitive data Article 9(2)(h). NHS Trusts, as data controllers, will not currently be mandated to provide secondary care appointment data to the Care Aggregator; their decision to send data will be voluntary. They will remain responsible for the management of an Excluded Patient List including those users that wish to remove their data from the Patient Care Aggregator Records Service.

Note: This is likely to change when the new NHS App Direction is in place between DHSC and NHSD and a DPN (Data Provision Notice) can be issued by NHSD to Trusts.

NHSE does not hold NHS Trust patient data and a patient’s information access rights under UK GDPR will be executed by the NHS Trust as data controller for the care information they hold.

Further Information:

National COVID-19 and Flu Vaccination Programmes

This link provides details of the National Immunisation Management Service.