Privacy Notice

The Dudley Group NHS Foundation Trust (The Trust) is the main provider of hospital and adult community services to the populations of Dudley, significant parts of the Sandwell borough and smaller, but growing, communities in South Staffordshire and Wyre Forest.

The Trust covers three hospital sites at Russell’s Hall Hospital, Guest Outpatient Centre in Dudley and Corbett Outpatient Centre in Stourbridge and provides a full range of secondary care services and some specialist services for the wider populations of the Black Country and West Midlands region. The Trust also provides specialist adult community-based care in patients’ homes and in more than 40 centres in the Dudley Metropolitan Borough Council community.

The Trust has responsibility for ensuring that the information/data processed across these sites and services, which includes your personal and sensitive (special category) data, is processed in accordance with the principles of Data Protection Legislation and, more recently, the General Data Protection Regulations (GDPR).

The purpose of this Privacy Statement is to:

  • Inform you why we collect information about you
  • Inform you how we use your personal information
  • Explain who we share your personal information with
  • Explain how you can restrict the disclosure of information
  • Inform you about our text messaging service
  • Explain how your personal information is used to improve the NHS as a whole
  • Explain how you can access information held within your health records
  • Explain how you can request information under a Freedom of Information Act request

The Trust’s Data Protection Registration reference number with the Information Commissioner’s Office is Z8909702.

What information do we collect about you?

At DGFT we aim to provide you with safe and effective care to the highest standards. To do this our medical professionals caring for you will keep records about your health and the care you receive from the Trust. This may be stored electronically and in a paper form. This includes personal and special category data.

The Trust collects the following types of personal and special category data:

  • Personal information including your name, address, date of birth, NHS number, next of kin and contact details
  • Details of your hospital admissions or outpatient appointments
  • Records and reports about your health
  • Results of investigations, such as X-rays and laboratory tests
  • Relevant information from other health professionals, relatives, or carers
  • Ethnic origin
  • Religion

It is important that your personal details are accurate and up to date and we will often check with you at appointments or visits that these details are correct.

Why do we collect information about you?

The staff caring for you need to collect and maintain information about your health, treatment, and care, so that you can be given the highest quality of health care.

We also collect data to help the NHS:

  • Prepare statistics on performance
  • Audit services
  • Monitor how we spend public money
  • Plan and manage the health services
  • Teach and train healthcare professionals
  • Conduct health research and development

We may also hold your information if you have contacted us with an enquiry or complaint.

If you think that any of the information we hold about you is incorrect, please let us know as soon as possible.

How do we use your Data?

Provide Healthcare

Your records are used to guide, monitor, and administer the care you receive, to ensure that your doctor, nurse or other healthcare professionals involved in your care have up-to-date information to assess your health and decide what care you need when you visit in the future. Data may be in hard copy and electronic form, held in various Trust systems, dashboards and reports, and discussed at meetings. This is not an exhaustive list as there are many ways in which the Trust will process your data to manage your care.

Management and Evaluation of Services

Health Records can also be used within service evaluation, audit and for teaching purposes; in these cases, we use anonymous information when possible. Service evaluation and audit is a way for the Trust to review the service’s effectiveness or efficiency through assessment of its aims, objectives, activities, outputs, outcomes, and costs. Where possible we will use anonymised information to complete audits and evaluations.

Research

The Trust has an internal research department and, where you are involved in a research project, you will be provided with full information about the study or project and will be asked for consent before your information is used as part of the research.

Text messaging and email Reminders

DGFT operates a text messaging and email reminder facility for certain services. You can opt into this service by confirming your contact details, including your mobile telephone number, when you attend the Trust. Text messages will then be sent to the mobile telephone number you have provided us with or to the email address we have on record.

What is the lawful basis for processing?

As a data controller the Trust must establish and publish the lawful basis that is relied on for processing personal data and special category (sensitive) data. The following table indicates the main legal basis that the Trust is relying on for its processing activities.

Most of the processing we carry out is to deliver your care and is covered by the following legal provisions.

  • 6(1)(e) the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

and

  • 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
  • 6(1)(d) is available in life-or-death situations but should not be necessary for health or social care organisations to use in the performance of its tasks. This might apply in a situation where an organisation needs to act to prevent harm being caused by a patient or service user, to someone who has no relationship with the organisation.

Statutory basis / Other relevant conditions

  • NHS Trusts National Health Service and Community Care Act 1990
  • NHS England’s powers to commission health services under the NHS Act 2006 or to delegate such powers
  • 251B of the Health and Social Care Act 2012

Do we Share Your Information?

Yes, the Trust does share information. We may need to share some information about you so we can all work together for your benefit. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will only ever pass this information about you if:

  • There is a genuine need for it
  • Where there is a danger of harm to a child or vulnerable adult
  • To aid the prevention and detection of serious crime
  • There is a court order
  • We have your consent

We may share information about you with the following agencies to support the delivery of your care:

  • NHS Trusts (e.g., where your care and rehabilitation are to be continued elsewhere)
  • Department of Health and other NHS bodies, Public Health England
  • Clinical Commissioning Groups (CCGs)
  • Other providers involved in your care, such as hospitals
  • General Practitioners (GPs) in Dudley, and out of area if you are not from the Dudley area
  • Ambulance services such as West Midlands Ambulance Service
  • Other healthcare providers with which the Trust has a sharing agreement in place
  • Mental health services
  • Social services

We may also share your information, with your consent and subject to strict sharing protocols about how it will be used with:

  • Education services
  • Local authorities
  • Voluntary sector providers
  • Private sector
  • The Police
  • Safeguarding Teams
  • Social Services
  • Voluntary services

We will ask you for your explicit consent to share your personal information unless there is a lawful basis to share the information, we are mandated by law, or the health and safety of others is at risk.

We may also share your information with others that need to use records about you to carry out the following:

  • Check the quality of treatment or advice we have given you
  • Protect the health of the public
  • Manage the health service
  • Help investigate any concerns or complaints you or your family have about your healthcare

Some information we must share is used for statistical, research or audit purposes, and in these instances, we take strict measures to ensure that individual patients cannot be identified and where appropriate anonymisation and pseudonymisation techniques will be used to protect your identity.

If you are diagnosed with cancer or a condition that may lead to cancer, the team looking after you at the Trust will record information about you and the care you received. This applies to children and adults of all ages. This information is shared with the National Cancer Registry, which is part of Public Health England.

You have the right to opt out of cancer registration. This will not affect the care you receive from your healthcare team.

In all circumstances where we need to share your information, we will only share it with those who are authorised to receive it. Anyone who receives information from us also has a legal duty to keep it confidential and secure.

The principal partner organisations with which the Trust has sharing agreements in place and where information may be shared are:

  • Action Heart
  • Birmingham City Council
  • Black Country Partnership NHS Foundation Trust
  • Care, Grow, Live (CGL) Atlantic Recovery Centre
  • Community Safety Partnership
  • West Midlands Police
  • West Midlands Fire
  • Dudley CCG
  • Dudley and Walsall Mental Health Partnership NHS Trust
  • Dudley Community Partnership
  • Dudley Council for Voluntary Service (Dudley CVS)
  • Dudley MBC
  • Genomic Health UK Ltd
  • GP surgeries
  • National Probation Service
  • Ophthalmic Diagnostic Services
  • Safeguarding Teams
  • Solihull MBC
  • The Black Country Alliance
  • Walsall Healthcare NHS Trust
  • Sandwell and West Birmingham Hospitals NHS Trust
  • The Royal Wolverhampton Hospitals NHS Trust
  • Walsall Council
  • Wolverhampton City Council

Where do we obtain your information?

The Trust will collect data about you in several ways. The main method of collection is directly from yourself.

Face to face:

Most of the information we hold about you will be collected from you at the time you engage with us and our services. Any data provided will be used for the reasons listed in this notice and only relevant data will be requested and recorded by the Trust.

Telephone calls:

The information you disclose over a telephone call may be recorded by the Trust either to support your care or as a record of the conversation that has taken place.

Virtual consultations:

The information you disclose during a virtual consultation with us may be recorded by the Trust or a third-party supplier who is supporting our provision in offering virtual appointments. This will be for the purposes of supporting your care or as a record of the consultation taking place.

Emails:

If you email the Trust, we may keep a record of your contact, your email address, and the data contained within the email. Emails which are not within your notes will be kept for a period of 180 days after deletion.

Other organisations:

We may receive information from other organisations that are also required by law to share information with us about you, to help us have a full picture of your needs and provide you with care, e.g., in relation to patient care transfer. This may be your GP or another NHS organisation, Social Care or Local Authority.

Shared Care:

The Trust and its staff may, on a need-to-know basis, have access to specific clinical systems from other organisations, such as the summary care record, that are relevant to your care. All systems are restricted, auditable, and only accessed where there is a lawful need.

DGFT is working with other health and social care organisations to develop a Shared Care Record. We will share information that will form part of your Shared Care Record. The Shared Care Record allows health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you.

Your data rights

Under UK GDPR and the DPA 2018 you have several rights in relation to your information. Below is a list of the rights you have and when they apply.

All rights should be considered within 30 calendar days from date of receipt, but this time scale may be extended if the request is complex. This may be the case where a request requires us to obtain data from a third party, such as emails.

The Right of Access

You have the right to request a copy of any information held by the Trust as well as any supplementary information. You may also be able to request a copy of data on behalf of another person e.g., a child or someone you have power of attorney for.

Right to Rectification

If you believe your information may be inaccurate or incomplete you can make a request to have your information reviewed and corrected. Where there is a dispute between a data subject and a medical professional as to whether medical data is correct the Trust will retain the original but add an addendum to say it has been disputed.

The Right to Erasure

The right to erasure, also known as the ‘right to be forgotten’, introduces a right for you to have personal data erased. This right is not available with health care data except in exceptional circumstances.

The Right to Object

Where we are relying on your consent to process data you have the right to object to processing which means that data should cease to be processed. In most cases we do not rely on consent as the legal basis for processing information. If your data is used for any other reason this right may apply but each request would be assessed on an individual basis.

The Right to Restrict Processing

The right to restriction allows you to request the restriction or suppression of your personal data. This right is linked with the right to rectify and the right to object and only applies if one of the following is met:

  • you contest the accuracy of your personal data, and the accuracy is being verified by the Trust;
  • the data has been unlawfully processed (i.e., in breach of the lawfulness requirement of the first principle of the GDPR) and you oppose erasure and request restriction instead;
  • the personal data is no longer needed but we need to keep it to establish, exercise or defend a legal claim.

The Right to Data Portability

The right to data portability allows you to obtain and reuse your personal data across different services without any hindrance to usability. The right to data portability is not an absolute right and generally does not apply to your health care information unless:

  • The processing is based on your consent or in the performance of a contract.
  • When processing is carried out by automated means.

Use of profiling

Profiling is automated processing of personal data to evaluate certain things about an individual. The Trust may use profiling techniques for health care planning purposes e.g., risk stratification of patients based on missed appointments.

How do I request my data?

Please send all requests for personal data or queries about an existing request in writing to:

Access to Health Records Team
Health Records Department
Russell’s Hall Hospital
Dudley
West Midlands
DY1 2HQ

Telephone:
Call 01384 4561111 Ext.1390 to request a paper form to be sent to you.

Email:
dgft.accessteam@nhs.net

However, you can be refused access to some or all of your records if:

  • The person in charge of your care thinks that you or someone else can be harmed by disclosing the information
  • The information relates to or was provided by someone else who can be identified and is not the patient or a healthcare professional
  • You have applied on behalf of someone who has died or is no longer capable and they originally gave the information on the understanding it would not be shared

More information on this can be found here: Accessing your medical records – The Dudley Group NHS Foundation Trust (dgft.nhs.uk)

Subject Access Requests under GDPR rules (post 25 May 18) will be processed within 30 days. However, once our teams have established the volume of records requested there may be a requirement to extend this by up to a further 2 months. We will contact you within 30 days should this be the case.

The Health Records Access Team also deal with the Health Records of deceased persons.

Access to the health records of a deceased person is governed by the Access to Health Records Act (1990). Under this legislation when a patient has died, only their personal representative, executor or administrator of their will, or anyone having a claim resulting from the death (this could be a relative or another person), has the right to apply for access to the deceased’s health records.

National Opt Out

DGFT works in the health and care system to help improve care for patients and the public. Whenever you use a health or care service, such as attending Urgent Care, Accident & Emergency or using Community Care services, important information about you is collected into a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

However, you have a right to request that your personal confidential data is not used beyond direct care. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care. This is called the National Data Opt Out.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

  • NHS Health Research Authority (which covers health and care research); and
  • Understanding Patient Data (which covers how and why patient information is used, the safeguards and how decisions are made).

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Our organisation is currently compliant with the national data opt-out policy.

The National Data Opt-Out does not apply all the time. For example:

  • Where explicit consent has been obtained from the patient for the specific purpose.
  • To the disclosure of confidential patient information required for the monitoring and control of communicable disease and other risks to public health.
  • Where personal data is required under s. 259 of the Health and Social Care Act 2012 following a Direction from NHS England or the Secretary of State.
  • Where there is a legal requirement for the data disclosure that specifically sets aside the common law duty of confidentiality then the national data opt-out will not apply.
  • Data disclosure under Regulation 3 of the Control of Patient Information Regulations 2002 is exempt from the national data opt-out.
  • Data disclosure has Section 251 support obtained under regulation 2 or 5.

Keeping Your Information Safe

Everyone working for the NHS has a legal duty to keep information about you confidential and secure under the General Data Protection Regulation 2016 / Data Protection Act 2018 and the Caldicott principles. We use the minimum amount of information required to inform the people who need to know to provide you care.

Anyone who receives information from us is also under a legal duty to do the same and our staff all have a confidentiality clause within their contract. Breaking these rules can result in staff members being dismissed.

The Trust IT Services are certified with ISO27001 Information Security Management standard accredited by BSI. This is an international standard and recognised within the commercial and public sector.

The Trust IT Services are Cyber Essentials certified. Cyber Essentials covers the ‘10 Steps to Cyber Security’ published by the National Cyber Security Centre (NCSC). This is a scheme welcomed by the Information Commissioner, Elizabeth Denham.

We make every effort to check and test material at all stages of production. It is always wise for you to run an anti-virus programme on all material downloaded from the internet. We cannot accept any responsibility for any loss, disruption or damage to your data or your computer system that may occur while using material derived from this website.

National Fraud Initiative

DGFT is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, to prevent and detect fraud.

The Cabinet Office is responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error, or other explanation until an investigation is carried out.

We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed on the gov.uk website.

CCTV

The Trust has surveillance cameras (CCTV and body-worn cameras) on and around our premises for the purposes of crime prevention and detection, to assist in traffic management and to monitor operational and safety-related incidents. Images captured by CCTV will not be kept for longer than necessary and will be held securely. However, on occasions there may be a need to keep images for longer, for example where a crime is being investigated. The use of CCTV and any disclosure of images will be in accordance with the codes of practice issued by the Information Commissioner.

Text Messages and Email

DGFT operates a text messaging reminder facility for certain services. You can opt into this service by confirming your contact details, including your mobile telephone number, when you attend the Trust. Text messages will then be sent to the mobile telephone number you have provided us with.

When collecting or transferring sensitive information such as health and personal details, we use a variety of security technologies and procedures to help protect your personal information from unauthorised access, use or disclosure. However, any information we receive from you via a personal email system, and any response we might transmit via email in return, cannot be guaranteed to be completely protected from access by unauthorised persons.

How long do we keep your information?

All our records are destroyed in accordance with the NHS Retention Schedule, which sets out the appropriate length of time each type of NHS record is retained. We do not keep your records for longer than necessary. All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.

For more information please see the retention schedules in the Records Management Code of Practice for Health and Social Care 2016.

Data Protection Officer

If you have any questions or concerns regarding how your data is being processed, please contact the Data Protection Officer.

Data Protection Officer
Information Governance Team
South Block
Russells Hall Hospital
Pensnett Road
Dudley
DY1 2HQ
dgft.dpo@nhs.net

This notice may change from time to time. It was last updated January 2022.