Portsmouth Hospitals NHS Trust (the Trust) takes your confidentiality and privacy rights very seriously. This notice explains how we collect, process, share and store your personal information and forms part of our accountability and transparency obligations to you under the General Data Protection Regulations (GDPR) 2016 and the Data Protection Act 2018. As the provider of acute services for Portsmouth and the surrounding area and as a public organisation which processes personal information, we are required to register as a Data Controller with the Information Commissioner’s Office (ICO). The ICO is the regulator for data protection, privacy and electronic communications. Our ICO registration reference number is Z5031878.
When you come into the Trust, information about you, your medical treatment and family background is recorded on paper and computer to help us care for you. This information is known as your health record and we will keep this information in case we need to see you again or if there is a question about the treatment you have received.
To provide you with the highest quality care, the Trust collects information about you, your health and the care given to you or planned to be given to you. This information may include:
Most of your records are stored on paper; however, the Trust is moving towards new models of service delivery which include holding your information on electronic computer systems.
Your information is vital in helping the Trust to:
Your information is also available should you:
The Trust has a statutory duty under the Health and Social Care Act 2012 to share information about you where it is necessary for the purpose of providing you with direct care. Your personal information will be shared within the Trust among the multi-disciplinary teams that are involved in your direct care:
We will also share your information with your GP on discharge from the Trust, with other NHS Trusts when we seek a specialist opinion or when we transfer your care, and with the ambulance services if you are in need of their transport services.
The Trust and other agencies work together to provide you and your carers with the most appropriate treatment and support. With your consent we will share information with:
On occasion the Trust contracts independent companies to provide services to our patients. These independent companies are required to sign contracts fully outlining their requirements under GDPR and Data Protection. We may need to share your personal information with them in order for you to receive their products or services (hearing aids, prosthetics, podiatry).
Formerly known as the Hampshire Health Record, CHIE is a secure system which shares health and social care information from GP surgeries, hospitals, community, mental health and social services.
Your doctor or nurse may access this information in relation to your attendance at the hospital to provide a complete picture of your health journey. The Trust supplies information to CHIE in the form of your clinical letters and reports of investigations. For more information on CHIE’s compliance with the GDPR/DPA click here. If you do not want your information shared with CHIE, please discuss this with your healthcare professional.
CHIA is a database which contains information that can be used by data analysts and researchers for looking at trends and patterns in health issues in the general population. The process can help to identify better ways of providing care to you and your family.
Data in CHIA is used to plan how health and care services will be delivered in future, based on what types of diseases are being recorded and how many are being referred to hospital etc. Data is also used to help research into new treatments for diseases.
The information that CHIE sends to CHIA goes through a process called ‘pseudonymisation’. This means that any data items that could be used to identify you (e.g. name, date of birth, address) are removed. It is not possible for anyone using the data in CHIA to identify you. If you wish to ‘opt out’ of sharing your personal information with CHIA, please click here.
This survey is part of the government’s commitment to ensure patient feedback is used to inform improvements and development of the NHS. In the public interest we may share your contact information with an NHS approved contractor for the purpose of administering the survey on our behalf.
These government organisations assess the care provided by the Trust and as such we are contractually obliged to share information from your patient record such as referrals, assessments, diagnosis, activity and sometimes the answers you provide to questionnaires.
You have the right to object to the Trust sharing your information with NHS Digital. This will not affect your care in any way. For further information on how to ‘Opt-Out’ of sharing your data with NHS Digital, please click here.
To help us to monitor our performance, evaluate the care we provide and develop services to meet the service needs of the local population now and in the future, we share information with the NHS Clinical Commissioning Groups. This information is de-identified and access to it is strictly controlled.
The Trust has a very active and nationally recognised research department. The majority of the care you receive in hospital has come about as the result of clinical research. High quality clinical research means the NHS can improve future healthcare for everyone. Your health information can be used for research purposes but only with your consent. All information collected for research purposes will be de-identified before the results are published. For more information about Research at the Trust click here.
All research undertaken at the Trust is governed by the Health Research Authority. To read about how your information is used in research, please click here.
In England if you do not wish for your information to be used for research you can register your choice to ‘opt out’ by clicking here.
You have the right to refuse/withdraw your consent to information sharing with the above services at any time. Please discuss this with your health care professional as this could have implications on how you receive further care, including delays in you receiving care.
Your right to confidentiality is not absolute and there may be times when we must share your personal information with other agencies without your consent. Examples include:
The Trust will process your personal information fairly and lawfully by:
The Trust does not rely on consent to use your information as a ‘legal basis for processing’. We rely on criteria listed in Articles 6 and 9 of the GDPR, such as ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’ and ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’. This means the Trust can use your personal information to provide you with your care without seeking your consent. You do have the right to say ‘NO’ to our use of your information but this could have an impact on our ability to provide you with care.
The Trust will never share your personal information for marketing or insurance purposes.
All staff working for the Trust have a legal duty to keep your information secure and confidential. We do this by having policies and procedures in place which act as guides for staff. Any breach of your personal information is treated seriously and usually involves an investigation with the formulation of an action plan to prevent another breach. Staff who do not follow Trust guidance may face disciplinary action including dismissal.
The Trust’s computer systems and networks are protected against viruses, hackers and unauthorised access. The Trust has strict rules about who is given access to specific systems. Any information about you that is sent electronically is sent securely (encrypted). The majority of our electronic systems are able to create an audit trail every time someone accesses your information.
The Trust uses Data Protection Impact Assessments (DPIA) to identify and address any data protection issues that may arise when developing new products or services or undertaking new activities which involve the processing of personal data. The Trust uses Information Sharing Agreements to control the way your information is shared. All personal information that is stored outside the Trust’s IT systems must undergo Due Diligence to ensure that the transfer and storage of your information is safe.
The Trust has appointed a Caldicott Guardian, who is responsible for protecting the confidentiality of patient information and enabling the appropriate sharing of information.
The Trust has also appointed a Data Protection Officer (DPO) who is responsible for facilitating accountability within the organisation and ensuring the Trust is able to demonstrate its compliance with the GDPR.
Each year the Trust is required by the Department of Health to complete the Data Security and Protection Toolkit. The Trust’s security and confidentiality compliance are assessed against national standards required by NHS Digital and the Care Quality Commission.
For the financial year 2017-18 the Trust achieved a ‘satisfactory’ rating with a compliance score of 68%.
All records held by the NHS are subject to the Records Management Code of Practice for Health and Social Care Act 2016. This code sets out best practice guidance on how long we should keep your information before we are required to review it and dispose of it securely. The Trust must also follow UK law and best practice when we dispose of your confidential information when it is no longer needed.
Under GDPR you have the right to access the information we hold about you, both in paper and electronic formats. We may not be able to supply you with some information if:
For more information on how to access your health record, click here.
To get further advice or to report a concern directly to the Information Commissioner’s Office, you can contact them at:
Information Commissioner’s Office
Employees of Portsmouth Hospitals NHS Trust can find the Trust’s Employee Privacy Notice by clicking here.