Privacy and Accessibility
The Dudley Group NHS Foundation Trust (The Trust) is the main provider of hospital and adult community services to the populations of Dudley, significant parts of the Sandwell borough and smaller, but growing, communities in South Staffordshire and Wyre Forest.
The Trust covers three hospital sites at Russells Hall Hospital, Guest Outpatient Centre in Dudley and Corbett Outpatient Centre in Stourbridge and provides a full range of secondary care services and some specialist services for the wider populations of the Black Country and West Midlands region. The Trust also provides specialist adult community based care in patients’ homes and in more than 40 centres in the Dudley Metropolitan Borough Council community.
The Trust has responsibility for ensuring that the information/data processed across these sites and services, which includes your personal and sensitive (special category) data, is processed in accordance with the principles of Data Protection Legislation and, more recently, the General Data Protection Regulation (GDPR).
The purpose of this Privacy Statement is to:
- Inform you why we collect information about you
- Inform you how we use your personal information
- Explain who we share your personal information with
- Explain how you can restrict the disclosure of information
- Inform you about our text messaging service
- Explain how your personal information is used to improve the NHS as a whole
- Explain how you can access information held within your health records
- Explain how you can request information under a Freedom of Information Act request
The General Data Protection Regulations (GDPR)
The General Data Protection Regulation (GDPR) applies from 25th May 2018. GDPR is the biggest change in data protection law for 20 years.
The GDPR is part of a package including the Directive on data protection and law enforcement, which is intended to bring about a harmonious data protection regime across the European Union (EU).
What information does the GDPR apply to?
Personal Information (data)
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified. The Trust collects the following types of personal data:
- Personal information including your name, address, date of birth, NHS number, next of kin and contact details
- Details of your hospital admissions or outpatient appointments
- Records and reports about your health
- Results of investigations, such as X-rays and laboratory tests
- Relevant information from other health professionals, relatives or carers
The GDPR applies to both electronic personal data and to structured manual filing systems containing personal data; it can also include personal data that has been pseudonymised – e.g. where identifiers have been hidden and can be accessed via a ‘key reference’.
The Trust will process this type of data under the GDPR legal basis Article 6.
Sensitive personal data (Special Category Data)
The GDPR refers to sensitive personal data as special categories of personal data.
Special category data is more sensitive, and so needs more protection. For example, special category information held by the Trust about you may include:
- Ethnic origin
The Trust will process this type of data under the GDPR legal basis Article 9.
The General Data Protection Regulation (GDPR) requires each Member State to appoint at least one independent national supervisory authority.
It has been proposed that the role of the UK supervisory authority should be fulfilled by the Information Commissioner. Elizabeth Denham was appointed UK Information Commissioner in July 2016. She has set out a commitment to increase the trust people have in what happens to their personal data.
The purpose of the NHS is to provide you with the highest quality of health care. To help us achieve this we must keep records about your health, treatment and the care we have provided or plan to provide.
These records are called your health records and may be stored in paper format or electronically. Health records may include information such as:
- Your address, date of birth and emergency contact details.
- Equality and diversity data (for example, ethnicity, religion). We are legally obliged to collect this information so we and our commissioners can be sure that we provide our services fairly to anyone from any background or community who may need them.
- Notes and reports about your health, information about your treatment and care.
- Information from other people who are involved with your care, such as other health and social care professionals or relatives.
- We may also hold your information if you have contacted us with an enquiry or complaint.
If you think that any of the information we hold about you is incorrect, please let us know as soon as possible. Please check that the details we have about you are correct with either the receptionist if you are attending an outpatient’s appointment or the ward clerk if you are an inpatient. If you feel we hold incorrect medical information please inform your doctor.
Your records are used to guide and administer the care you receive, to ensure that your doctor, nurse or other healthcare professionals involved in your care have up-to-date information to assess your health and decide what care you need when you visit in the future.
In all circumstances where we need to share your information we will only share it with those who are authorised to receive it. In most cases this will include:
- NHS Trusts (where your care and rehabilitation is to be continued elsewhere)
- General Practitioners (GPs)
- Ambulance Services
- Other healthcare providers with which the Trust has a sharing agreement in place
- Clinical Commissioning Groups (CCGs)
All information we hold about you is confidential. We will not release any information about you without your consent, except to other professionals involved in your care or in exceptional circumstances for instance when the health and safety of others is at risk, where there is a lawful basis to share the information or where the law requires information to be passed on.
Subject to strict agreements describing how it will be used, your information may also be shared with:
- Social Services
- Education services
- Local Authorities
- Private Sector Providers
- Crime Reduction Initiatives
- Safeguarding Teams
- Dudley MBC Community and Housing Services
- Voluntary services
- The Police
We will ask you for your explicit consent to share your personal information unless there is a lawful basis to share the information, we are mandated by law or the health and safety of others is at risk.
Person identifiable information may be used for essential NHS purposes such as research and auditing services. This will only be done:
- With your consent
- When it is required by law to be passed on to improve public health
- Where there is a lawful basis under Article 6 and Article 9 of the GDPR
- When appropriate approval is in place from a Research Ethics Committee to screen health records for the purpose of identifying individuals who could subsequently be approached about participation in the study.
At all times you retain the right to opt out of such screening. You can do this by calling the following Trust number 01384 456111 Ext 3719 to speak to a member of staff in the Research Department.
You may be receiving care from several organisations including the NHS, Social Services and voluntary organisations.
We may need to share your information so we can all work together for your benefit.
We will only ever use or pass on information about you if professionals involved in your care have a genuine need for it.
We will not disclose your information to third parties without your permission (consent), giving you the chance to opt out of the sharing, unless there are exceptional circumstances, such as when the health or safety of vulnerable patients is at risk, the health and safety of others is at risk, where the law requires information to be passed on or where there is a lawful basis to share the information under Articles 6 and 9 of the GDPR.
The law requires us to report certain information to the appropriate authorities:
- Notifications of new births
- Where we encounter diseases which may endanger the safety of others, such as meningitis or measles etc.
- Where a formal court order has been issued
The NHS Care Record Guarantee is the NHS commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing.
The Trust IT Services are certified to the ISO27001 Information Security Management standard, with certification issued by BSI. This is an international standard recognised within the commercial and public sectors. Very few NHS Trusts are certified to ISO27001.
The Trust IT Services are Cyber Essentials certified. Cyber Essentials covers the ‘10 Steps to Cyber Security’ published by the National Cyber Security Centre (NCSC). This is a scheme welcomed by the Information Commissioner, Elizabeth Denham.
The Dudley Group NHS Foundation Trust operates a text messaging reminder facility for certain services. You can opt in to this service by confirming your contact details, including your mobile telephone number when you attend the Trust. Text messages will then be sent to the mobile telephone number you have provided us with.
Please note that if the mobile telephone number you provide us with is not your own, we cannot be held responsible if someone else reads your text message.
For the services that provide this facility you do not have to provide us with your mobile telephone number if you do not wish to receive this service.
The Dudley Group NHS Foundation Trust may from time to time ask for your views on the services we provide to enable us to improve. This request may be sent by text message. To opt out, simply reply STOP free of charge or call freephone 0800 073 0510.
When collecting or transferring sensitive information such as health and personal details we use a variety of security technologies and procedures to help protect your personal information from unauthorised access, use or disclosure.
However, any information we receive from you via Hotmail, AOL, Google mail or Yahoo or other web-based email systems and any response we might transmit via email in return, cannot be guaranteed to be completely protected from access by unauthorised persons. This is because the World Wide Web is beyond our control. It is also the case that we cannot guarantee who has access to an individual’s emails within any home, office or internet café setting.
If we receive an email from you via Hotmail, AOL, Google mail or Yahoo or other web-based email systems we will assume that you have provided your consent for us to respond to that email address and you have taken into account the issues raised above.
The Data Protection Act 2018 and GDPR legislation allow you to find out what information is held about you on computer and in certain manual records. This is known as the ‘Right of Subject Access’. You may wish to see or receive a copy of your records or those belonging to:
- Your child, if the healthcare professional decides it’s in the best interest of the child. In the case of older children you may see the records if the child agrees, or if the child is unable to understand, if the healthcare professional agrees that it is in the child’s best interests
- A patient who has died and you are acting as their personal representative or you have a claim resulting from their death
- Someone unable to give permission because of age or mental ability where you have a legitimate interest.
Please make your request to: The Access to Health Records Team, Health Records Department, Russells Hall Hospital, Dudley, West Midlands, DY1 2HQ.
Tel: (01384) 456111 (ext. 1390)
Please include the full name, address and details of the records that you wish to receive a copy of. If you are requesting information for someone other than yourself, you will be required to provide written consent from that person or proof of your legitimate rights to access that information.
However, you can be refused access to some or all of your records if:
- The person in charge of your care thinks that you or someone else can be harmed by disclosing the information
- The information relates to or was provided by someone else who can be identified and is not the patient or a healthcare professional
- You have applied on behalf of someone who has died or is no longer capable and they originally gave the information on the understanding it would not be shared
The Data Controller responsible for keeping your information confidential is:
The Dudley Group NHS Foundation Trust
Russells Hall Hospital
The principal partner organisations with which the Trust has sharing agreements in place and where information may be shared are:
- Action Heart
- Birmingham City Council
- Black Country Partnership NHS Foundation Trust
- Care, Grow, Live (CGL) Atlantic Recovery Centre
- Community Safety Partnership
- West Midlands Police
- West Midlands Fire
- Dudley CCG
- Dudley and Walsall Mental Health Partnership NHS Trust
- Dudley Community Partnership
- Dudley Council for Voluntary Service (Dudley CVS)
- Dudley MBC
- Genomic Health UK Ltd
- GP surgeries
- National Probation Service
- Ophthalmic Diagnostic Services
- Safeguarding Teams
- Solihull MBC
- The Black Country Alliance
- Walsall Healthcare NHS Trust
- Sandwell and West Birmingham Hospitals NHS Trust
- The Royal Wolverhampton Hospitals NHS Trust
- Walsall Council
- Wolverhampton City Council
Data Protection Legislation and the GDPR require organisations to register with the Information Commissioner’s Office and to describe the purposes for which they process personal information. These details are available publicly from:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
The Trust’s Data Protection Registration reference number with the Information Commissioner’s Office is Z8909702.
The Dudley Group NHS Foundation Trust website does not store or capture personal information other than that provided voluntarily by users of our feedback form. The site merely logs general visitor statistics which are collected and used to improve and maintain the website for the benefit of visitors.
Links to external web sites are not included.
We make every effort to check and test material at all stages of production. It is always wise for you to run an anti-virus programme on all material downloaded from the internet. We cannot accept any responsibility for any loss, disruption or damage to your data or your computer system that may occur while using material derived from this website.
This site has been optimised for a screen of 800 x 600 resolution and is best viewed in high colour (16 bit) or above.
All downloadable documents on the site are available in Portable Document Format (PDF). To view PDF files you will need Adobe Acrobat Reader installed on your computer; it can be downloaded free of charge from the Adobe website. Acrobat supports Microsoft Active Accessibility (MSAA), a standard that enables Windows-based programs to deliver information to assistive technologies. Further information about Adobe Acrobat and accessibility is available from Adobe.
This organisation is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.
The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998.
Data matching by the Cabinet Office is subject to a Code of Practice.
View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information. For further information on data matching at this organisation contact Chris Walker, Deputy Director of Finance, on 01384 321039; or Antony Upton, Local Counter Fraud Specialist, on 07484 040694.
Fraud and bribery in the NHS costs the taxpayer millions of pounds every year. We are accountable to the public for the provision of services in an open and honest manner and any failure to do so brings the service into disrepute and threatens the respect afforded to the whole organisation. The Trust is committed to applying the highest standards of ethical conduct and integrity and every employee and individual acting on the Trust’s behalf is responsible for maintaining the organisation’s reputation and for conducting Trust business honestly and professionally.
The Trust will take all necessary steps to counter fraud, through compliance with the NHS Counter Fraud Authority Standards for Providers: Fraud, Bribery and Corruption. A zero-tolerance approach is taken to fraud and all allegations will be thoroughly investigated by the Trust’s Local Counter Fraud Specialist (LCFS). The Trust will ensure appropriate action is taken against wrong-doers, as well as undertaking steps to recover any assets lost, as a result of fraud.
Transparent, fair conduct helps to foster deeper relationships of trust between the Trust and our partners. The Trust does not tolerate any form of bribery, whether direct or indirect, by, or of, its staff, agents or consultants, or any persons or entities acting for it or on its behalf. The board and senior management are committed to implementing and enforcing effective systems throughout the Trust to prevent, monitor and eliminate bribery, in accordance with the Bribery Act 2010.
A bribe is a financial advantage or other reward that is offered to, given to, or received by an individual or company (whether directly or indirectly) to induce or influence that individual or company to perform public or corporate functions or duties improperly. Employees and others acting for or on behalf of the Trust are strictly prohibited from making, soliciting or receiving any bribes or unauthorised payments.
The success of the Trust’s anti-fraud and bribery measures depends on all employees, those acting for the organisation, and our patients, playing their part in helping to detect and eradicate these offences. Therefore, the Trust encourages anyone who suspects a fraud or bribery offence to report their concerns as soon as possible via the contacts detailed below. No individual will suffer any detrimental treatment when reporting reasonably held suspicions.
Data Protection Officer
The Trust’s Data Protection Officer is:
Sharon Williams, Information Governance Manager
2nd Floor, South Block
Russells Hall Hospital
West Midlands DY1 2HQ
Local Counter Fraud Specialist: Sophie Coster
Mobile: 07436 268747
NHSCFA fraud and corruption reporting line
Tel: 0800 028 4060
The national data opt-out does not apply where explicit consent has been obtained from the patient for the specific purpose.
The national data opt-out does not apply to the disclosure of confidential patient information required for the monitoring and control of communicable disease and other risks to public health.
The table below summarises the commonly used legal bases for data processing and sets out when the opt-out applies.
Options include the use of the legal gateways set out in the Control of Patient Information Regulations 2002 (made under Section 251 of the NHS Act 2006), which allow confidential patient information to be used without patient consent:
| Legal basis in common law | Opt-out applies | Comments |
|---|---|---|
| Common Law Consent (Implied) | No – out of scope for the national data opt-out | For common law purposes the sharing of information for direct or individual care purposes is on the basis of implied consent. This is out of scope for the national data opt-out, which only applies to purposes beyond individual care. Implied consent can only be used when the surrounding circumstances mean that a patient knows, or would reasonably expect, that their data will be shared. In other words there should be ‘no surprises’ for the individual about who has had access to information about them where implied consent is relied upon. An individual will still be able to ask their doctor or other healthcare professional not to share a particular piece of information with others involved in providing their care, and should be asked for their explicit consent before access to their whole record is given. |
| Common Law Consent (Explicit) | No | In this case an individual has given their consent for a specific use of their data, for example consenting to participate in a research study. This would fall within the general exemption from the national data opt-out. This rule applies even if the consent was given before the patient had set a national data opt-out. |
| Mandatory legal requirement | No | Where there is a legal requirement for the data disclosure that specifically sets aside the common law duty of confidentiality, the national data opt-out will not apply. |
| Section 251 Regulation 2 – for diagnosis and treatment of cancer; Regulation 5 – for the medical purposes set out in the schedule to the regulations | Yes – however, there are some specific exemptions | Data disclosure has Section 251 support obtained under Regulation 2 or 5. This applies unless CAG (Confidentiality Advisory Group) have advised: |
| Section 251 Regulation 3 – for communicable diseases and other risks to public health | No | Data disclosure under Regulation 3 of the Control of Patient Information Regulations 2002 is exempt from the national data opt-out. |
Lawfulness of processing
For processing Personal Data
One of the lawful bases in Article 6(1) must apply:
- 6(1)(a) – Consent of the data subject
- 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- 6(1)(c) – Processing is necessary for compliance with a legal obligation
- 6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
- 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- 6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. (WCC note: this last condition is not available to processing carried out by public authorities in the performance of their public tasks.)
For processing Special Category Data
One of the lawful bases in Article 9(2) must also apply:
- 9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
- 9(2)(b) – Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement
- 9(2)(c) – Processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent
- 9(2)(d) – Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim, provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
- 9(2)(e) – Processing relates to personal data manifestly made public by the data subject
- 9(2)(f) – Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity
- 9(2)(g) – Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards
- 9(2)(h) – Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or Member State law or a contract with a health professional
- 9(2)(i) – Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
- 9(2)(j) – Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1) [as at July 2017 this derogation has not been decided on in the UK], based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Note: These are subject to further definition in the new Data Protection Bill.
The GDPR sets a higher standard for consent than previous Data Protection Legislation, so existing consents need to be reviewed to check whether they remain valid.
Consent must be unambiguous and freely given and involve clear affirmative action and recording of that consent.
Consent may be inappropriate if:
- You would still process their data on a different lawful basis if consent was withdrawn or refused, e.g. Adult/Child Protection
- You asked for consent as a precondition of access to services
- You are in a position of power over the individual – e.g. employer or public authority
When requesting consent as the basis:
- It should be freely given, specific, informed, unambiguous and explicit.
- There should be a method of recording the consent (date, time, method).
- There should be a process in place for an individual to withdraw consent, and withdrawal should take effect promptly (along with erasure of data unless there is a legal reason to retain it).
- There should be a document/system in place enabling you to produce a record of all consents, essentially to demonstrate your compliance.