Privacy Policy

Portsmouth Hospitals University NHS Trust (the Trust) takes your confidentiality and privacy rights very seriously. This notice explains how we collect, process, share and store your personal information and forms part of our accountability and transparency obligations to you under the General Data Protection Regulations (GDPR) 2016 and the Data Protection Act 2018. As the provider of acute health services for Portsmouth and the surrounding area and as a public organisation which processes personal information, we are required to register as a Data Controller with the Information Commissioner’s Office (ICO). The ICO is the regulator for data protection, privacy and electronic communications. Our ICO registration reference number is Z5031878.

When you come into the Trust, information about you, your medical treatment and family background is recorded on paper and computer to help us care for you. This information is known as your health record and we will keep this information in case we need to see you again or if there is a question about the treatment you have received.

To provide you with the highest quality care, the Trust collects information about you, your health and the care given to you or planned to be given to you. This information may include:

• Your full name, including any previous name (eg, maiden name) if applicable
• Your date of birth, NHS number, address, telephone number and email address – where you have provided it to enable the Trust to communicate with you by email or text
• Your next of kin and emergency contact details
• Details of your previous hospital appointments, A&E attendances, home visits and hospital admissions
• Letters, referrals, notes and reports about your health from other providers such as your GP or other health/social care professionals

• Details of the care, treatment or support you have received, including investigations (laboratory tests, scans and x-rays) and details of any treatments or procedures you have undergone and the professional opinions of those caring for you
• Information on the medicines we give to you including any allergies you may have.
• Information from those who know you well, such as family members or carers
• Where required we may also record information on your religion, ethnicity, disabilities and sexual orientation, in order to ensure the Trust can meet your specific needs within these areas (spiritual care, language preference and translation services, dietary needs etc.).

Most of your records are stored on paper, however the Trust is moving towards new models of service delivery which include holding your information on electronic computer systems.

Surveillance Camera's (overt and covert) are used for the safety of staff, patients and for the pursuit and investigation of crime.

Your information is vital in helping the Trust to:

• Provide your health professionals with accurate, up to date information for assessing your needs and making decisions with you about your care and treatment
• Record details of our contact with you to provide seamless care and avoid duplication
• Ensure your care and treatment is safe and effective
• Ensure any concerns or complaints you may have can be investigated

Your information is also available should you:

• Move to another area
• Need to use another service
• See a different healthcare professional

The Trust has a statutory duty under the Health and Social Care Act 2012 to share information about you where it is necessary for the purpose of providing you with direct care. Your personal information will be shared within the Trust among the multi-disciplinary teams that are involved in your direct care:

• Medical staff, nursing staff and allied health professionals (doctors, nurses, physiotherapists, occupational therapists etc.)
• Pathology and radiology staff involved in the analysis and reporting of your diagnostic tests
• Administration staff
• Healthcare students in training
• Staff conducting local clinical audits to evaluate the care provided to you. Only de-identified information is used in any reports.
• On invitation after discussion with you, staff or volunteers in chaplaincy and various charities which provide support to you while in hospital or at home (Macmillan Cancer Support, the Stroke Association, the Red Cross etc.)

We will also share your information with your GP on discharge from the Trust, other NHS Trusts when we seek a specialist opinion or when we transfer your care and the ambulance services if you are in need of their transport services.

The Trust and other agencies work together to provide you and your carers with the most appropriate treatment and support. We may also share information with:

• Community Service Providers (Solent NHS Trust, Southern Health NHS Foundation Trust)
• Social Services
• Local Authorities (Portsmouth City Council, Hampshire County Council)
• Voluntary Services
• Private Healthcare Services
• The Police
• Education Services
• Other NHS Services such as the IOW NHS Trust

On occasion the Trust contracts independent companies to provide services to our patients. These independent companies are required to sign contracts fully outlining their responsibilities under GDPR and Data Protection. We may need to share your personal information with them in order for you to receive their products or services (hearing aids, prosthetics, podiatry).

Care and Health Information Exchange (CHIE)

Formerly known as the Hampshire Health Record, CHIE is a secure system which shares health and social care information from GP surgeries, hospitals, community, mental health and social services.

Your doctor or nurse may access this information in relation to your attendance at the hospital to provide a complete picture of your health journey. The Trust supplies information to CHIE in the form of your clinical letters and reports of investigations. For more information on CHIE’s compliance with the GDPR/DPA click here. If you do not want your information shared with CHIE, please discuss this with your healthcare professional.

Care Quality Commission (CQC)

The Care Quality Commission (CQC) is the independent regulator of health and adult social care in England.  The CQC ensure that health and social care services provide people with safe, effective, compassionate, high-quality care.  The CQC monitor, inspect and regulate services and publish their findings.  

The CQC have powers under the Health and Social Care Act 2008 to access, inspect and take copies of any documents or records held by the Trust including your personal and health records to carry out its functions as a regulator.  The Trust is sometimes instructed by the CQC to provide personal and health data to them and this will always be sent to the CQC using a secure email or secure file transfer system.  

Health and Safety Executive (HSE)

The HSE's purpose is to regulate Health and Safety in line with their statutory duties under the Health and Safety at Work Act 1974, including inspection and investigation activities.  Under the legislation we may be asked to provide the HSE with your personal and health information as part of their investigations.  

NHS Patient Survey Programme (NPSP)

These surveys are part of the government’s commitment to ensure patient feedback is used to inform improvements and development of the NHS. In the public interest we may share your contact information with an NHS approved contractor for the purpose of administering the survey on our behalf.

NHS Digital and NHS England

These government organisations assess the care provided by the Trust and as such we are contractually obliged to share information from your patient record such as referrals, assessments, diagnosis, activity and sometimes the answers you provide to questionnaires.

You have the right to object to the Trust sharing your information with NHS Digital. This will not affect your care in any way. For further information on how to ‘Opt-Out’ of sharing your data with NHS Digital, please click here.

Hampshire and Isle of Wight Integrated Care System (ICS) and Integrated Care Board

Hampshire and Isle of Wight (HIOW) Integrated Care System (ICS) is a partnership of NHS and local government organisations working together to join up health and care services to improve health and wellbeing of people in the communities we serve.  The HIOW integrated Care Board sits within the ICS and is a statutory organisation responsible for setting the strategic plan for the NHS to deliver its part of the health and care strategy.  It is responsible for allocating NHS resources.  The Trust does not routinely share your personal information such as your health record, with the ICB.  However we may share information from a health professional in relation to funding for specific specialised treatment or to investigate a complaint or concern you have raised with the ICB. 

Health Research

The Trust has a very active and nationally recognised research department. The majority of the care you receive in hospital has come about as the result of clinical research. High quality clinical research means the NHS can improve future healthcare for everyone. Your health information can be used for research purposes but only with your consent. All information collected for research purposes will be de-identified before the results are published. For more information about Research at the Trust click here.

All research undertaken at the Trust is governed by the Health Research Authority. To read about how your information is used in research, please click here.

In England if you do not wish for your information to be used for research you can register your choice to ‘opt out’ by clicking here.

You have the right to refuse/withdraw your consent to information sharing with the above services at any time. Please discuss this with your health care professional as this could have implications on how you receive further care, including delays in you receiving care.

Your right to confidentiality is not absolute and there may be times when we must share your personal information with other agencies without your consent. Examples include:

• Where there is a concern that you are putting yourself at risk of serious harm
• Where there is a concern that you are putting another person at risk of serious harm
• Where there is a concern that a child or vulnerable adult is being put at risk of harm
• Where we have been instructed to do so by a Court
• If the information is essential for the investigation or prevention of a serious crime
• Where we are legally required to do so, such as with the notification of new births, notification of deaths
• Where your information is required to protect the public health in cases of infectious diseases
• If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information about you even if you object.

The Trust will process your personal information fairly and lawfully and in a transparent manner by:

• Only using your information if we have a lawful reason to do so and ensuring you know how we will use your information

The Trust does not rely on consent to use your information as a ‘legal basis for processing’. We rely on criteria listed in Article 6 and 9 of the GDPR. Such as (e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’ and (h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’ This means the Trust can use your personal information to provide you with your care without seeking your consent. You do have the right to say ‘NO’ to our use of your information but this could have an impact on our ability to provide you with care.

• Only using your information for the purpose it was specifically collected and not use it for other purposes

The Trust will never share your personal information for marketing or insurance purposes.

• Only use your information if it is adequate, relevant  and limited to what is necessary to deliver your care
• Ensuring your information is accurate and up to date and if found to be inaccurate, we will correct it, where appropriate
• Only keeping your information for as long as we are legally required to do so
• Ensuring we have appropriate security measures in place, including measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.

All staff working for the Trust have a legal duty to keep you information secure and confidential. We do this by having contracts with confidentiality clauses for staff and suppliers, policies and procedures in place which act as guides for staff. Any breach of your personal information is treated seriously and usually involves an investigation with the formulation of an action plan to prevent another breach. Staff who do not follow Trust guidance may face disciplinary action including dismissal.

The Trusts computer systems and networks are protected against virus’, hackers and unauthorised access. The Trust has strict rules about who is given access to specific systems. Any information about you that is sent electronically is sent securely (encrypted). The majority of our electronic systems are able to create an audit trail every time someone accesses your information.

The Trust uses Data Protection Impact Assessments (DPIA) to identify and address any data protection issues that may arise when developing new products or services or undertaking new activities which involve the processing of personal data. The Trust uses Information Sharing Agreements to control the way your information is shared. All personal information that is stored outside the Trust’s IT systems must undergo a IT Due Diligence to ensure that the transfer and storage of your information is safe.

The Trust has appointed a Caldicott Guardian, who is responsible for protecting the confidentiality of patient information and enabling the appropriate sharing of information.

The Trust has also appointed a Data Protection Officer (DPO) who is responsible for facilitating accountability within the organisation and ensuring the Trust is able to demonstrate its compliance with the UK Legislation.

Each year the Trust is required by the Department of Health to complete the Data Security and Protection Toolkit. The Trust’s security and confidentiality compliance are assessed against national standards required by NHS Digital and the Care Quality Commission.

All records held by the NHS are subject to the Records Management Code of Practice 2021. This code sets out best practice guidance on how long we should keep your information before we are required to review it and dispose of it securely. The Trust must also follow UK law and best practice when we dispose of your confidential information when it is no longer needed.

Under GDPR you have the right to access the information we hold about you, both in paper and electronic formats. We may not be able to supply you with some information if:

• it has been provided by someone else who has not given permission for you to see it
• it relates to criminal offenses
• it is being used to detect or prevent crime
• it could cause physical or mental harm to you or someone else.

For more information on how to access your health record, click here.

• The right to be informed how we collect, use, store and share your information in a clear and transparent manner
• The right to access the information we hold about you
• The right to rectification in specific circumstances
• The right to erasure in specific circumstances
• The right to restrict processing
• The right to data portability
• The right to object to processing
• The right not to be subject to automated decision-making including profiling.

If you wish to voice a comment or report a concern or complaint, please contact the Patient Advice and Liaison Service (PALS) 

To get further advice or to report a concern directly to the Information Commissioner’s Office, you can contact them at:

Information Commissioner’s OfficeWycliffe HouseWater LaneWilmslowCheshireSK9 5AFTelephone: 03031231113Website: https://ico.org.uk/concerns

To view an easy to read privacy notice for younger patients click here.