Covid-19 and your information – Updated 8 April 2020
This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice.
The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on gov.uk: Coronavirus (COVID-19): notification to organisations to share information – GOV.UK (www.gov.uk).
During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.
In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.
During this period of emergency we may offer you a consultation via telephone or videoconferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is available here: COPI Notice – Frequently Asked Questions – NHSX.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.
In circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.
We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.
So that we can provide you with the best possible service, a variety of information is collected about you from a range of sources, such as your General Practitioner (GP). This information is used to support your healthcare.
Under the General Data Protection Regulation (GDPR), information about your physical and mental health, racial or ethnic origin and religious belief is considered sensitive personal information and is subject to strict laws governing its use. This page explains why Barnsley Hospital NHS Foundation Trust (BHNFT) collects personal information about you, the ways in which such information may be used, and your rights under the General Data Protection Regulation. The Trust is legally responsible for ensuring its processing of personal information is in compliance with the General Data Protection Regulation.
Security of Information
Confidentiality affects everyone: BHNFT collects, stores and uses large amounts of personal data every day, such as medical or personal records which may be paper-based or held on a computer.
We take our duty to protect your personal information and confidentiality very seriously and are committed to taking appropriate measures to ensure it is held securely and only accessed by those with a need to know.
At executive level, we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all our information systems and the data they hold. The SIRO also makes sure that any associated risks or incidents are documented and investigated appropriately. We also have a Caldicott Guardian who has particular responsibility for providing advice on protecting patient confidentiality and sharing patients’ information securely when appropriate.
Legal Basis for the processing of your data
The General Data Protection Regulation (GDPR) requires the Trust to process:
Sensitive personal data (Health Records) under 9(2)(h) – “Necessary for the reasons of preventative or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services” and occasionally 9(2)(c) “when it is necessary to protect the vital interests of a person who is physically or legally incapable of giving consent”
Personal data under 6(1)(e) “Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Trust (Data Controller)” and occasionally 6(1)(d) “when it is necessary to protect the vital interests of a person who is physically or legally incapable of giving consent”
Why do we collect information about you?
All clinicians and health and social care professionals caring for you keep records about your health and any treatment and care you receive from the NHS. These records help to ensure that you receive the best possible care. They may be paper or electronic and they may include:
- Basic details about you such as name, address, email address, NHS number, date of birth, next of kin, etc.
- Contact we have had with you such as appointments or clinic visits.
- Notes and reports about your health, treatment and care – A&E visits, inpatient spells or clinic appointments
- Details of diagnosis and treatment given
- Information about any allergies or health conditions.
- Results of x-rays, scans and laboratory tests.
- Relevant information from people who care for you and know you well such as health care professionals and relatives.
It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes to your contact details or GP Practice as soon as possible. This minimises the risk of you not receiving important correspondence.
By providing the Trust with their contact details, patients are agreeing to the Trust using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice mail or voice message (telephone or mobile number), by text message (mobile number) or by email (email address).
How your Personal Information is used
In general terms, your records are used to direct, manage and deliver your care so that:
- The doctors, nurses and other health or social care professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you.
- Health and social care professionals have the information they need to assess and improve the quality and type of care you receive.
- Appropriate information is available if you see another doctor, or are referred to a specialist or another part of the NHS or social care.
- Your concerns can be properly investigated if a complaint is raised.
The Care Record
The Care Record is a shared system that allows Health or social care professionals within the Barnsley Health and Social Care community to appropriately access the most up-to-date and accurate information about patients to deliver the best possible care.
The NHS Care Record Guarantee
The Care Record Guarantee is our commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing. Copies of the full document can be obtained from:
The Records Management Code of Practice
This Records Management Code of Practice for Health and Social Care 2016 is a guide for the NHS to use in relation to the practice of managing records. It is relevant to organisations who work within, or under contract to NHS organisations in England. This also includes public health functions in Local Authorities and Adult Social Care where there is joint care provided within the NHS.
The Code is based on current legal requirements and professional best practice. It will help organisations to implement the recommendations of the Mid Staffordshire NHS Foundation Trust Public Inquiry relating to records management and transparency.
How long Health Records are retained
All patient records are destroyed in accordance with the NHS Records Retention Schedule, which sets out the appropriate length of time each type of NHS records is retained.
The Trust does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.
Transfers Outside the European Economic Area
The Trust will ensure that personal confidential data, even if it would constitute fair processing, will not, unless certain exemptions apply or protective measures are taken, be disclosed or transferred outside the European Economic Area to a country or territory which does not ensure an adequate level of protection for the rights and freedoms of data subjects.
When do we share information about you?
We share information about you with others directly involved in your care; and also share more limited information for indirect care purposes, both of which are described below:
Everyone working within the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us also has a legal duty to keep it confidential.
Direct Care Purposes
Unless you object, we will normally share information about you with other health and social care professionals so that you may receive the best quality care:
- Other NHS Trusts and hospitals that are involved in your care.
- NHS Digital and other NHS bodies.
- General Practitioners (GPs).
- Ambulance Services.
You may be receiving care from other people as well as the NHS, for example Social Care Services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it or we have your permission. Therefore, we may also share your information, subject to strict agreement about how it will be used, with:
- Social Care Services.
- Education Services.
- Local Authorities.
- Voluntary and private sector providers working with the NHS.
We will not disclose your information to any other third parties without your permission unless there are exceptional circumstances, such as if the health and safety of others is at risk or if the law requires us to pass on information.
Indirect Care Purposes
We also use information we hold about you to:
- Review the care we provide to ensure it is of the highest standard and quality
- Ensure our services can meet patient needs in the future
- Investigate patient queries, complaints and legal claims
- Ensure the hospital receives payment for the care you receive
- Prepare statistics regarding NHS performance
- Audit NHS accounts and services
- Undertake health research and development (with your consent – you may choose whether or not to be involved)
- Help train and educate healthcare professionals
Nationally there are strict controls on how your information is used for these purposes. These control whether your information has to be de-identified first and with whom we may share identifiable information. You can find out more about these purposes, which are also known as secondary uses, on the NHS England and NHS Digital’s websites:
When other people need information about you
Everyone working in Health and Social Care has a legal duty to keep information about you confidential and anyone who receives information from us is also under a legal duty to keep it confidential.
From time to time we may need to share information with other professionals and services concerned in your care. This may be for instance, when your healthcare professional needs to discuss your case with other professionals (who do not work for the Trust) in order to plan your care. We do this in order to provide the most appropriate treatment and support for you and your carers, or when the welfare of other people is involved. We will only share information in this way if we have your permission and it is considered necessary.
There may be other circumstances when we must share information with other agencies. In these rare circumstances we are not required to seek your consent.
Examples of this are:
- If there is a concern that you are putting yourself at risk of serious harm
- If there is a concern that you are putting another person at risk of serious harm
- If there is a concern that you are putting a child at risk of harm
- If we have been instructed to do so by a court
- If the information is essential for the investigation of a serious crime
- If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
- If your information falls within a category that needs to be notified for public health or other legal reasons, e.g. certain infectious diseases
Other ways in which we use your information
Telephone calls to Barnsley Hospital Trust are routinely recorded for the following purposes:
- To make sure that staff act in compliance with Trust procedures.
- To ensure quality control.
- Training, monitoring and service improvement
- To prevent crime, misuse and protect staff
SMS text processing
When attending the Trust for an outpatient appointment or a procedure you may be asked to confirm that the Trust has an accurate contact number and mobile telephone number for you. This can be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times. It can also be used to contact you to provide feedback about the care and treatment you have received, e.g. the Friends and Family Test.
Surveillance Cameras (CCTV & Body Worn Video)
We employ surveillance cameras (CCTV and Body Worn Video) on and around the hospital site in order to:
- protect staff, patients, visitors and Trust property
- apprehend and prosecute offenders, and provide evidence to take criminal or civil action in the courts
- provide a deterrent effect and reduce unlawful activity
- help provide a safer environment for our staff
- assist in traffic management and car parking schemes
- monitor operational and safety related incidents
- help to provide improved services, for example by enabling staff to see patients and visitors requiring assistance
- assist with the verification of claims
You have a right to make a Subject Access Request of surveillance information recorded of yourself and ask for a copy of it. Please see the ‘Data Subjects Rights’ section. The details you provide must contain sufficient information to identify you and assist us in finding the images on our systems.
We reserve the right to withhold information where permissible by Data Protection Legislation and we will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose CCTV or Body Worn Video data for legal reasons. When this is done there is a requirement for the organisation that has received the images to adhere to Data Protection Legislation.
Data Subjects Rights
Under the General Data Protection Regulation and Data Protection Legislation, you have the following rights:
- The right to request a copy of your personal data which the Trust holds about you:
Make a Subject Access Request
Other Information Right Requests
Right to be informed
We must be completely transparent with you by providing information ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language’. Our privacy notice is one of the ways we try and let you know how data is handled.
Right to rectification
You have the right without undue delay to request the rectification or updating of inaccurate personal data.
Right to restrict processing
You can ask for a restriction of processing, such as where the accuracy of the personal data is contested. This means that we may only store the personal data and not further process it except in limited circumstances.
Right to object
You can object to certain types of processing such as direct marketing. The right to object also applies to other types of processing such as processing for scientific, historical research or statistical purposes (although processing may still be carried out for reasons of public interest).
Right to data portability
Where personal data is processed on the basis of consent and by automated means, you have the right to have your personal data transmitted directly from one data controller to another where this is technically possible.
Right to erasure or ‘right to be forgotten’
You can request the erasure of your personal data including when:
(i) the personal data is no longer necessary in relation to the purposes for which they were collected
(ii) you no longer provide your consent, or
(iii) you object to the processing.
Make a request under your ‘Information Rights’
Freedom of Information
The Freedom of Information Act 2000 provides any person with the right to obtain information held by BHNFT, subject to a number of exemptions.
Further information on the Freedom of Information Act and Making a Request
Please note: if your request is for information we hold about you (for example, your health record), please instead see above, under ‘Data Subjects Rights’.
Raising a Concern
Patients who have a concern about any aspect of their care or treatment at this Trust, or about the way their records have been managed, should contact the Patient Advice & Liaison Service (PALS).
If you have any concerns about how we handle your information you have a right to complain to the Information Commissioner’s Office about it.
The GDPR 2018 requires organisations to lodge a notification with the Information Commissioner to describe the purposes for which they process personal information. These details are publicly available from:
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, SK9 5AF
Telephone: 08456 306060