The UK General Data Protection Regulation (UK GDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information.
Whittington Health as a Data Controller
Whittington Health NHS Trust is a data controller under the UK GDPR and the Data Protection Act 2018. Our registration number with the Information Commissioner’s Office (ICO) is Z6966145.
Controllers make decisions about processing activities. They exercise overall control of the personal information being processed and are ultimately in charge of, and responsible for, the processing. Processing means any operation, or any set of operations, performed upon personal information including, but not limited to, the collection, recording, organisation, storage, updating or modification, retrieval, use, sharing, consolidation, blocking, erasure, or destruction of data. The Trust is only the controller for information it holds. For details of the information held by other NHS organisations that have treated you, you should visit their websites.
Why we collect information about you
The information collected about you is necessary for the purpose of:
· producing records about your health and any care and treatment you are offered or receive
· providing a basis for health decisions made by you and care professionals
· providing medical diagnosis and providing treatment
· ensuring your care is safe and effective by working with other organisations providing you with care
· managing health and social care systems and services
· complying with legal obligations
What personal information is collected?
· Name, address, date of birth, phone number, and email address (where you have provided it to enable us to communicate with you)
· Your next of kin and contact details
· Notes and reports about your physical or mental health and any treatment, care or support you need and receive
· Results of your tests and diagnosis, including medical imaging
· Relevant information from other professionals, relatives or those who care for you or know you well
· Any contacts you have with us such as home visits or outpatient appointments
· Information on medicines, side effects and allergies
· Patient experience feedback and treatment outcome information you provide.
Lawful basis for processing your personal data
The Trust will process your data lawfully in accordance with the regulations:
· Article 6(1)(e) and Article 9(2)(h) of the UK General Data Protection Regulation (UK GDPR) / Data Protection Act 2018 (DPA18)
In cases where your personal data is needed for reasons other than direct care & treatment, and where there is no other valid legal basis, your explicit consent will be sought prior to processing.
Others in the NHS may also need to use records about you
Data may be shared with our health or social care partners should they be involved or required to be involved in providing care or treatment to you. Other reasons may also include:
· checking the quality of care (clinical audit)
· collecting data regarding public health matters
· commissioning purposes and ensuring NHS funding is being allocated appropriately
· helping to investigate any concerns or complaints you may have about your health care
· teaching healthcare workers and helping with research and planning
Right to rectification
We will amend any errors in the information we hold about you if it is agreed to be inaccurate or incomplete. Please be aware that sometimes we may hold information that you do not agree with, but it is not adjudged to be incorrect, e.g. a clinical opinion recorded by a health professional. In such instances, we may (by mutual agreement) add a statement from you to your record regarding your concern, but not change the information.
National Data Opt Out
You have the right to object to your data being used for the research, planning and running of the NHS via the National Data Opt-out programme as well as your ‘right to object’ under Article 21 of the GDPR/DPA 18.
Health Information Exchange (HIE)
The Trust works with GP practices, other hospitals and social services across North London to make your information available to them. A record of care is held on each partner’s secure clinical system (a local record). HIE integrates data from each partner’s electronic health and care systems to provide a real-time and read-only summary of that data to a care professional when required for the purpose of your direct care.
The care professional can see relevant parts of your clinical record; this excludes certain sensitive data items.
How can I “opt-out” of data sharing via HIE?
Please think carefully before making this decision as sharing your health and social care information will make it easier for services to provide the best treatment and care for you.
If you choose to opt out, we may still need to share data for your care, but it will be using less immediate methods. For example, your GP may refer you to a hospital consultant by email. During your hospital appointment, the consultant will be able to see some of the information your GP holds about you by referring to HIE. If you opt out, the consultant may only see the information the GP put in the email or may need to phone your GP in advance of your appointment.
For further information on HIE, including how to opt out and how to opt back in, you can go to the North London Partners website: https://northlondonpartners.org.uk/
Systems, Storage and Retention
Your data will be stored on secure Trust systems and servers based in the UK.
Records will be retained as per the guidance set out in the Records Code of Practice for Health and Social Care 2021.
Whittington Health uses the web-based video consultation platform ‘Attend Anywhere’ for video consultations. Attend Anywhere requires you to enter your name, phone number and date of birth when you log on via a secure web link on your smartphone, tablet or computer. There is no requirement to create an account to use the platform. Your name, phone number and date of birth data are deleted from the platform within an hour of finishing the consultation and leaving the waiting area.
Zesty is the Trust’s chosen patient portal, which allows patients to view and manage their Acute Outpatients Appointment online.
Data Protection Impact Assessments
You can view the Trust’s Data Protection Impact Assessments (DPIA) by making a Freedom of Information request. Any sensitive information that may pose a security risk will be redacted from them. To make a Freedom of Information request, please email us at firstname.lastname@example.org.
How to access your personal information
You can make a request to obtain a copy of personal data that we hold about you by completing the request form on the Subject Access Requests page here on our public website.
How to contact us
You can contact the Data Protection Officer at email@example.com or by calling 020 7288 3077.
If you are dissatisfied with the service you have been provided and have exhausted the Trust’s complaints process, you can refer any complaints to the Information Commissioner’s Office (ICO) via the ICO website or by calling 0303 123 1113.