The Dudley Group NHS Foundation Trust (The Trust) is the main provider of hospital and adult community services to the populations of Dudley, significant parts of the Sandwell borough and smaller, but growing, communities in South Staffordshire and Wyre Forest.
The Trust covers three hospital sites at Russells Hall Hospital, Guest Outpatient Centre in Dudley and Corbett Outpatient Centre in Stourbridge and provides a full range of secondary care services and some specialist services for the wider populations of the Black Country and West Midlands region. The Trust also provides specialist adult community-based care in patients’ homes and in more than 40 centres in the Dudley Metropolitan Borough Council community.
The Trust has responsibility for ensuring that the information/data processed across these sites and services, which includes your personal and sensitive (special category) data, is processed in accordance with the principles of Data Protection Legislation and more recently the General Data Protection Regulations (GDPR).
The purpose of this Privacy Notice is to:
- Inform you why we collect information about you
- Inform you how we use your personal information
- Explain who we share your personal information with
- Explain how you can restrict the disclosure of information
- Inform you about our communication services e.g. text messaging, patient portal
- Explain how your personal information is used to improve the NHS as a whole
- Explain how you can access information held within your health records
- Explain how you can request information under a Freedom of Information Act request
The Trust’s Data Protection Registration reference number with the Information Commissioner’s Office is Z8909702.
What information do we collect about you?
At the Trust we aim to provide you with safe and effective care to the highest standards. To do this our medical professionals caring for you will keep records about your health and the care you receive from the Trust. This may be stored electronically and in a paper form. This includes personal and special category data.
The Trust collects the following types of personal and special category data:
- Personal information including your name, address, date of birth, NHS number, next of kin and contact details
- Details of your hospital admissions or outpatient appointments
- Records and reports about your health
- Results of investigations, such as X-rays and laboratory tests
- Relevant information from other health professionals, relatives, or carers
- Ethnic origin
It is important that your personal details are accurate and up to date and we will often check with you at appointments or visits that these details are correct.
Why do we collect information about you?
The staff caring for you need to collect and maintain information about your health, treatment, and care, so that you can be given the highest quality of health care.
We also collect data to help the NHS:
- Prepare statistics on performance
- Audit services
- Monitor how we spend public money
- Plan and manage the health services
- Teach and train healthcare professionals
- Conduct health research and development
We may also hold your information if you have contacted us with an enquiry or complaint.
If you think that any of the information we hold about you is incorrect, please let us know as soon as possible.
How do we use your Data?
Your records are used to guide, monitor, and administer the care you receive, to ensure your doctor, nurse or other healthcare professionals involved in your care have up-to-date information to assess your health and decide what care you need when you visit in the future. Data may be in hard copy and electronic form, in various Trust systems, dashboards and reports, and may be discussed at meetings. This is not an exhaustive list as there are many ways in which the Trust will process your data to manage your care.
Management and Evaluation of Services
Health Records can also be used within service evaluation, audit and for teaching purposes; in these cases, we use anonymous information when possible. Service evaluation and audit is a way for the Trust to review the service’s effectiveness or efficiency through assessment of its aims, objectives, activities, outputs, outcomes, and costs. Where possible we will use anonymised information to complete audits and evaluations.
Where your information may be involved in a research project, you will be provided with full information about the study or project and will be asked for consent before it is used as part of the research.
Text messaging and email Reminders
The Trust operates a text messaging and email reminder facility for certain services using third party providers. You can opt into this service by confirming your contact details, including your mobile telephone number when you attend the Trust. Text messages will then be sent to the mobile telephone number you have provided us with or the email address we have on record.
When collecting or transferring sensitive information such as health and personal details we use a variety of security technologies and procedures to help protect your personal information from unauthorised access, use or disclosure. However, any information we receive from you via personal email systems, and any response we might transmit via email in return, cannot be guaranteed to be completely protected from access by unauthorised persons.
What is the lawful basis for processing?
As a data controller the Trust must establish and publish the lawful basis that is relied on for processing personal data and special category (sensitive) data. The following table indicates the main legal basis that the Trust is relying on for its processing activities.
Most of the processing we carry out is to deliver your care and is covered by the following legal provisions within GDPR.
- 6(1)(e) the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
- 6(1)(d) is available in life-or-death situations but should not be necessary for health or social care organisations to use in the performance of its tasks. This might apply in a situation where an organisation needs to act to prevent harm being caused by a patient or service user, to someone who has no relationship with the organisation.
Statutory basis / Other relevant conditions
- Data Protection Act (DPA) 2018
- NHS Trusts National Health Service and Community Care Act 1990
- NHS England’s powers to commission health services under the NHS Act 2006 or to delegate such powers
- 251B of the Health and Social Care Act 2012
Do we Share Your Information?
Yes, the Trust does share information. We may need to share some information about you so we can all work together for your benefit. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will only ever pass this information about you if one or more of the following applies:
- There is a genuine need for it
- Where there is a danger of harm to a child or vulnerable adult
- To aid the prevention and detection of serious crime
- There is a court order
- We have your consent
We may share information about you with the following agencies to support the delivery of your care:
- NHS Trusts (e.g., where your care and rehabilitation are to be continued elsewhere)
- Department of Health and Social Care, other NHS bodies such as NHS England
- Integrated Care Boards
- Other providers involved in your care such as hospitals
- General Practitioners (GPs) in Dudley, and out of area if you are not from the Dudley area
- Ambulance Service such as West Midlands Ambulance Service
- Other healthcare providers
- Mental health services
- Local authorities
We may also share your information, with your consent and subject to strict sharing protocols about how it will be used with:
- Education services
- Voluntary sector providers
- Private sector
- The Police
- Safeguarding Teams
- Social Services
- Voluntary services
We will ask you for your explicit consent to share your personal information unless there is a lawful basis to share the information, we are mandated by law, or the health and safety of others is at risk.
We may also share your information with others that need to use records about you to carry out the following:
- Check the quality of treatment or advice we have given you
- Protect the health of the public
- Manage the health service
- Help investigate any concerns or complaints you or your family have about your healthcare
Some information we must share is used for statistical, research or audit purposes, and in these instances, we take strict measures to ensure that individual patients cannot be identified and where appropriate anonymisation and pseudonymisation techniques will be used to protect your identity.
If you are diagnosed with cancer or a condition that may lead to cancer, the team looking after you at the Trust will record information about you and the care you received. This applies to children and adults of all ages. This information is shared with the National Cancer Registry.
You have the right to opt out of cancer registration. This will not affect the care you receive from your healthcare team.
In all circumstances where we need to share your information, we will only share it with those who are authorised to receive it. Anyone who receives information from us also has a legal duty to keep it confidential and secure.
Some partner organisations with which the Trust shares information include:
- Action Heart
- Birmingham City Council
- Black Country Partnership NHS Foundation Trust
- Charity Organisations
- Community Safety Partnership
- West Midlands Police
- West Midlands Fire
- West Midlands Ambulance Services
- Dudley and Walsall Mental Health Partnership NHS Trust
- Dudley Community Partnership
- Dudley Council for Voluntary Service (Dudley CVS)
- Dudley Metropolitan Borough Council
- Genomic Health UK Ltd
- GP surgeries
- National Probation Service
- Ophthalmic Diagnostic Services
- Safeguarding Teams
- Solihull MBC
- The Black Country Alliance
- Walsall Healthcare NHS Trust
- Sandwell and West Birmingham Hospitals NHS Trust
- The Royal Wolverhampton Hospitals NHS Trust
- Walsall Council
- Wolverhampton City Council
- Other Neighbouring Trusts
Where do we obtain your information?
The Trust will collect data about you in several ways. The main method of collection is directly from yourself.
Face to face:
Most of the information we hold about you will be collected from you at the time you engage with us and our services. Any data provided will be used for the reasons listed in this notice and only relevant data will be requested and recorded by the Trust.
The information you disclose over a telephone call may be recorded by the Trust either to support your care or as a record of the conversation that has taken place.
The information you disclose during a virtual consultation with us may be recorded by the Trust or a third-party supplier who is supporting our provision in offering virtual appointments. This will be for the purposes of supporting your care or as a record of the consultation taking place.
If you email the Trust, we may keep a record of your contact and your email address, and the data contained within the email. Emails which are not within your notes will be kept for a period of 180 days after deletion.
The Trust has surveillance cameras (CCTV and body-worn cameras) on and around our premises for the purposes of crime prevention and detection, to assist in traffic management and to monitor operational and safety-related incidents. Images captured by CCTV will not be kept for longer than necessary and will be held securely. However, on occasions there may be a need to keep images for longer, for example where a crime is being investigated. The use of CCTV and any disclosure of images will be in accordance with the codes of practice issued by the Biometrics and Surveillance Camera Commissioner.
We may receive information from other organisations that are also required by law to share information with us about you, to help us have a full picture of your needs and provide you with care, e.g., in relation to patient care transfer. This may be your GP or another NHS Organisation such as Social Care of the Local Authority.
The Trust and its staff may, on a need-to-know basis, have access to specific clinical systems from other organisations that are relevant to your care. All systems are restricted, auditable, and only accessed where there is a lawful need.
The Trust is working with other health and social care organisations to develop a Shared Care Record. We will share information that will form part of your Shared Care Record. The Shared Care Record allows health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you.
The benefits of a patient portal are highlighted in the NHS long term plan, which expects to give every patient a new digital ‘front door’ to give people secure digital access to their own health records going live from August 2022. It gives patients online access to their health records via a portal and lets them see their appointments, medical correspondence, test results and more.
Digital appointment letters – Healthcare Communications
A new patient portal is available where patients can view all their appointment letters.
More information is on our website, refer to the link here.
Accessing your information via the NHS app:
You will now be able to access appointment details, letters, and clinical information which are currently available in our patient portals provided by Healthcare Communications via the NHS app. You do not have to access them via the NHS app; you can continue to access this information directly within the portals. This information will only be accessible to you via the NHS app if you provide consent (this is done within the NHS app). The Trust will share NHS numbers of people signed up to our patient portals with NHS England for this purpose, because the NHS app needs to know who is associated with Healthcare Communications so it can find the information you want to access.
For more details on the NHS app please visit https://www.nhs.uk/nhs-app/.
For the future developments on NHS App refer to the link.
Your data rights
Under UK GDPR and the DPA 2018 you have several rights in relation to your information. Below is a list of the rights you have and when they apply.
All rights should be considered within 30 calendar days from date of receipt, but this time scale may be extended if the request is complex, in which case we may keep you notified. This may be the case where a request requires us to obtain data from a third party such as emails.
The Right of Access
You have the right to request a copy of any information held by the Trust as well as any supplementary information. You may also be able to request a copy of data on behalf of another person e.g., a child or someone you have power of attorney for.
Right to Rectification
If you believe your information may be inaccurate or incomplete you can make a request to have your information reviewed and corrected. Where there is a dispute between a data subject and a medical professional as to whether medical data is correct the Trust will retain the original but add an addendum to say it has been disputed.
The Right to Erasure
The right to erasure, also known as the ‘right to be forgotten’, introduces a right for you to have personal data erased. This right is not available with health care data except in exceptional circumstances.
The Right to Object
Where we are relying on your consent to process data you have the right to object to processing which means that data should cease to be processed. In most cases we do not rely on consent as the legal basis for processing information. If your data is used for any other reason this right may apply but each request would be assessed on an individual basis.
The Right to Restrict Processing
The right to restriction allows you to request the restriction or suppression of your personal data. This right is linked with the right to rectify and the right to object and only applies if one of the following is met:
- you contest the accuracy of your personal data, and the accuracy is being verified by the Trust;
- the data has been unlawfully processed (i.e., in breach of the lawfulness requirement of the first principle of the GDPR) and you oppose erasure and request restriction instead;
- the personal data is no longer needed but we need to keep it to establish, exercise or defend a legal claim.
The Right to Data Portability
The right to data portability allows you to obtain and reuse your personal data across different services without any hindrance to usability. The right to data portability is not an absolute right and generally does not apply to your health care information unless:
- The processing is based on your consent or in the performance of a contract.
- When processing is carried out by automated means.
Use of profiling
Profiling is automated processing of personal data to evaluate certain things about an individual. The Trust may use profiling techniques for health care planning purposes e.g., risk stratification of patients based on missed appointments.
How do I request my data?
Subject Access Requests under GDPR rules (post 25 May 2018) will be processed within 1 month of receipt of the request. However, we may extend the time limit by a further two months if the request is complex or if we receive a number of requests from you. We will contact you within 30 days should this be the case.
The Health Records Access Team also deal with the Health Records of deceased persons. Access to the health records of a deceased person is governed by the Access to Health Records Act (1990). Under this legislation when a patient has died, only their personal representative, executor or administrator of their will, or anyone having a claim resulting from the death (this could be a relative or another person), has the right to apply for access to the deceased’s health records.
You can make a request to access your medical records processed by the Trust. Please refer to the link for more details.
National Data Opt-Out
The Trust works in the health and care system to help improve care for patients and the public. Whenever you use a health or care service, such as attending Urgent Care, Accident & Emergency or using Community Care services, important information about you is collected into a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
However, you have a right to request that your personal confidential data is not used beyond direct care. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care. This is called the National Data Opt-Out (NDOO).
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
- https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
- https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Our organisation is currently compliant with the NDOO policy.
The NDOO does not apply all the time. For example:
- Where explicit consent has been obtained from the patient for the specific purpose.
- To the disclosure of confidential patient information required for the monitoring and control of communicable disease and other risks to public health.
- Where personal data is required under s. 259 of the Health and Social Care Act 2012 following a Direction from NHS England or the Secretary of State.
- Where there is a legal requirement for the data disclosure that specifically sets aside the common law duty of confidentiality then the NDOO will not apply.
- Data disclosure under Regulation 3 of the Control of Patient Information Regulations 2002 is exempt from the NDOO.
- Data disclosure has Section 251 support obtained under regulation 2 or 5.
Keeping Your Information Safe
Everyone working for the NHS has a legal duty to keep information about you confidential and secure under the GDPR 2016 / Data Protection Act 2018 and the Caldicott principles. We use the minimum amount of information required to inform the people who need to know to provide you care.
Anyone who receives information from us is also under a legal duty to do the same and our staff all have a confidentiality clause within their contract. Breaking these rules can result in staff members being dismissed.
The Trust IT Services are certified with ISO27001 Information Security Management standard accredited by BSI. This is an international standard and recognised within the commercial and public sector.
The Trust IT Services are Cyber Essentials certified. Cyber Essentials covers the ‘10 Steps to Cyber Security’ published by the National Cyber Security Centre (NCSC). This is a scheme welcomed by the Information Commissioner.
We make every effort to check and test material at all stages of production. It is always wise for you to run an anti-virus programme on all material downloaded from the internet. We cannot accept any responsibility for any loss, disruption or damage to your data or your computer system that may occur while using material derived from this website.
National Fraud Initiative
The Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, to prevent and detect fraud.
The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error, or other explanation until an investigation is carried out.
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed on the gov.uk website.
How long do we keep your information?
All our records are destroyed in accordance with the NHS Retention Schedule, which sets out the appropriate length of time each type of NHS record is retained. We do not keep your records for longer than necessary. All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.
For more information please see the Records Management Code of Practice by NHS England.
Data Protection Officer
If you have any questions or concerns regarding how your data is being processed, please contact the Data Protection Officer.
Data Protection Officer
Information Governance Team
South Block, 2nd Floor,
Russells Hall Hospital,
Dudley, West Midlands
For a more detailed privacy notice for patients, please click here.
For a more detailed privacy notice for staff, please click here.
This notice may change from time to time. It was last updated September 2023.