Royal Berkshire Foundation Trust Privacy Policy

This privacy notice explains what we do with your personal information where we care or have provided care to you. It tells you:

• the information we collect about you
• how we store this information
• how long we retain it
• who we may share it with
• for which legal purpose we may share it

Our Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and our registration number is ZB173305.

Please note that the information contained in this privacy notice is applicable to all Royal Berkshire NHS Foundation Trust sites:

• Prince Charles Eye Unit, Windsor- St Leonards Road, Windsor SL4 3DP
• Townlands Memorial Hospital- York Road, Henley-On-Thames RG9 2DR ·
• West Berkshire Community Hospital- London Road, Thatcham RG18 3AS
• Dingley Child Development Centre- Campus, Erlegh House, Earley Gate Whitenights Road University Of, Reading
• Bracknell Healthspace- Eastern Gate, Bracknell RG12 9RT
• Windsor Dialysis Unit- Old Ambulance Station Maidenhead Road, Windsor SL4 5EY

Personal data

"Personal data" means information relating to a natural (living) person or "data subject", which can be used to identify the person. This provides for a wide range of information to constitute personal data, for example:

• name
• identification number
• social media posts
• location data
• online identifier

Special category of personal data

"Special category of personal data" means information, which is thought to be "extra sensitive" such as ethnicity, sexual orientation and religion.

Data controller

"Data controller" means the organisation that determines or decides the purposes, conditions and means of the processing of personal data.

Processing

"Processing," means anything that is done to the personal data we hold.

Pseudonymisation

"Pseudonymisation" is the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information.

We are Royal Berkshire NHS Foundation Trust and our head office is located at Craven Road, Reading RG1 5AN. We are a data ‘controller’, this means that we are responsible for deciding how we use your personal information.

In order to look after your health and care needs, the Trust may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care provider organisations, for example neighbouring GP practices, hospitals and NHS 111. We may also use the contact details we hold for you to send you public health messages, by text or email.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.

We also participate in research with other acute hospital providers, renowned universities and selected private organisations with the aim to establish any trends and find a vaccine or cure. Where possible, we will anonymise your data and ensure the data is kept in a safe and secure environment, giving minimal access by others.

Where possible, the Trust conducts appointments via video conferencing applications.

Our legal basis to process your personal information in these types of consultations does not differ from usual, face-to-face consultations as the Trust is still providing you with direct, medical care. Therefore, the legal basis for the Trust conducting video conferencing is “the performance of a task carried out in the public interest” under Art 6 (1) (e) GDPR and the “provision of health or social care or treatment or the management of health of social care systems and services” under Art 9 (2) (h) GDPR in combination with Schedule 1, Part 1, section 2(2) DPA.

By clicking on the video link to begin the consultation, you are providing your consent and agreement for the consultation to take place over the video call.  Your personal/confidential patient information will be safeguarded in the same way as we would under normal circumstances.

We process your personal data in the main because the processing is necessary for the purposes of a contract of employment we have with you. In some cases, we may process information only once we have received your consent for us to do so. In other cases, we will process data in order to comply with legal requirements, both contractually and non-contractually. The reasons for which we may process your personal data may include (but are not limited to):

• Staff administration (including payroll)
• Pensions administration
• Workforce planning, and provision of facilities such as estates, car parking and IT
• Equal Opportunities Monitoring

Surveying of staff to support organisational initiatives

There are a number of reasons why we may have to share your personal information with third parties for example:

• The disclosure is necessary for a statutory function of NHS England or the third party to whom the information is being disclosed;
• There is a statutory obligation to share the data; for example making returns to the Cabinet Office, Department of Health, Office of National Statistics etc.
• Disclosure is required for the performance of a contract
• Disclosure is necessary to protect your vital interest; for example in medical emergency situations
• Disclosure is made to assist with prevention or detection of crime, or the apprehension or prosecution of offenders
• Disclosure is required by a Court Order
• Disclosure is necessary to assist NHS England to obtain legal advice
• Fraud

The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.

If you choose to opt out of sharing your data, your personal health information will still be used to make sure you get the treatment and care you need. For example, your data may be shared so that you can be referred to hospital or get a prescription.

Patients can view or change their national data opt-out choice at any time by using the online service at www.nhs.uk/your-nhs-data-matters  or by clicking on "Your Health" in the NHS App, and selecting "Choose if data from your health records is shared for research and planning".

For further information, please visit the NHS Digital website

National data opt-out statistics
Statistical analysis of national data opt-outs and how they might affect data used for research and planning.

Understanding the national data opt-out - NHS Digital

Why and how we process your data in the National Data Opt-Out and your rights.

The Trust would not share information that identifies you unless it has a fair and lawful basis  to do so:

• You have given the Trust permission (explicit consent)
• To protect children and vulnerable adults
• When a formal court order has been served upon us
• When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime
• Emergency Planning reasons such as for protecting the health and safety of others
• When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals

The Trust is required by law to protect the public funds its administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

All information that the Trust holds about you will be held securely and confidentiality. The Trust uses administrative and technical controls to do this, and uses strict controls to ensure that only a limited amount of authorised staff are able to see information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.

All of the Trusts staff, contractors and committee members receive role appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

The Trust needs to hold and maintain information about your health, treatment and care, so that you can be given proper, necessary and effective treatment.

As part of the Trust’s requirements under the law, it must demonstrate clear legal reason for collecting, using, sharing and retaining personal data about you. For personal data used in the provision of health and social care our basis is outlines as ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority’ under 6(1)(e) of GDPR. This is because the Trust is a public organisation providing a healthcare service and is required to use names, addresses or other personal data to deliver this.

The Trust’s legal basis for using sensitive personal data (called ‘special categories of personal data’ under GDPR) is that this is necessary for the ‘provision of health or social care or treatment or the management of health of social care systems and service’ under 9 (2) (h) of GDPR. This is because the Trust must use health and social care information about you in the delivery of your care.

These points also cover the use of data for clinical audits, service improvement and sharing with other health or social care providers when necessary as part of our service delivery.

There may be times when the Trust uses other different legal bases for other services it provides (e.g. research). In most instances, the information will be made anonymous so that you cannot be identified. If this is not possible, we will ask your permission and may have to request approval from the NHS Health Research Authority's Confidentiality Advisory Group. In some instances, Confidentiality Advisory Group approval may already be in place if the information requested is part of a research project.

The Health Research Authority has further details on patient information and health and care research accessible via this link: https://www.hra.nhs.uk/information-about-patients/.

For further information on this please refer to the NHS Health Research Authority at; https://www.hra.nhs.uk/about-us/committees-and-services/confidentiality-advisory-group/ and The Health Research Authority at; https://www.hra.nhs.uk/information-about-patients/  

We collect personal information about you in a number of ways. This can be from referral details from your GP or another hospital, or directly from you or your authorised representative.

It is likely that we hold the following personal information about you:

• Your full name, date of birth, address, telephone number
• Your next of kin contact details (full name, address, phone number, and email address)
• Your GP details

We might also hold your email address, marital status, occupation, overseas status, place of birth and preferred or maiden name.

In addition to the above, we may hold special category personal information about you, which could include:

• notes and reports about your health, treatment and care including;
• your medical test results, symptoms and diagnoses
• results of investigations, such as X-rays and laboratory tests)
• future care you may need
• your patient experience feedback
• personal information from people who care for and know you, such as relatives and health or social care professionals
• other personal information, such as smoking status

• your religion and ethnic origin
• whether or not you are subject to any protection orders regarding your health, well-being and human rights (safeguarding status)
• where applicable, the date and cause of a person’s death in our hospitals

This personal information can be held in a variety of formats, including paper records, electronically on computer systems, in video and audio files.

It is important for us to have a complete picture of you, as this will assist staff to deliver appropriate treatment and care plans in accordance with your needs.

Your records are used to directly manage and deliver healthcare to you to ensure that;

• the staff involved in your care have accurate and up to date information to assess and advice on the most appropriate care for you
• staff have the information they need to be able to assess and improve the quality and type of care you receive
• appropriate information is available if you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or healthcare provider

• Provide a good basis for all health decisions made by you and your healthcare professional
• Make sure your care is safe and effective
• Work effectively with others providing you with care
• Assess the quality of care we give you
• Protect the health of the general public
• Monitor NHS spending
• Manage health services
• Help investigate any concerns or complaints you or your family have about your healthcare
• Report infectious diseases
• Help with accounts and auditing
• Secure clinical funding from your GP and the Clinical Commissioning Group
• Report fraudulent claims for NHS treatment
• Evaluating and improving patient safety
• Training other healthcare professionals (trainee doctors, nurses etc.)
• Conducting clinical research and audits
• Evaluating Government and NHS policies and comply with legal and regulatory obligations and follow guidance and best practice issues by these bodiesRisk stratification - a process for identifying and supporting patients who are most likely to need hospital or other healthcare services in the future. Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for risk stratification purposes. Risk stratification uses de-identified personal data from health care services to determine which people are at risk of experiencing certain outcomes, such as unplanned hospital admissions.
• Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health and not just the treatment of sickness. Unidentifiable, anonymised information about patients is collected from a number of NHS organisations and then analysed to create a risk score. Data is securely managed throughout the whole process to ensure that identities are kept confidential

Staff information we hold:

• Full name, email address, address, employee number generated in ESR and NI number.
• We retain this information to ensure correct recording of training for compliance purposes.

The Trusts records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment.

The Trusts records may be held on paper or in a computer system. Where possible, we will always look to anonymise/pseudonymise your personal information to protect patient confidentiality, unless there is a legal basis that permits us to use it and we will only use or share the minimum information necessary.

To help provide the best possible care, sometimes the Trust will need to share your information with others. For example, we may share your information for healthcare purposes with health authorities such as NHS England, Public Health England, other NHS trusts, General Practioners (GPs), ambulance services, primary care agencies etc. We will also share information with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs.

The Trust works with a number of other NHS organisations, independent treatment centres and clinics to provide patients with the best possible care. To support this, information about you may be securely shared. This includes;

Berkshire and Surrey Pathology Services (BSPS)

As part of your care, you may have provided samples e.g. urine or blood etc. which will be processed by the Trust’s laboratory, or, if a specialised test, with a partner laboratory. The results of these tests and a record of the drugs you have been prescribed are stored by the Trust. The Trust is part of Berkshire Surrey Pathology Services (BSPS) which is a joint venture of Pathology Services between Ashford and St Peters, Frimley Health, Royal Berkshire, Royal Surrey NHS and Surrey and Sussex Healthcare NHS Trusts.

To view their Privacy Notice, please see: www.berkshireandsurreypathologyservices.nhs.uk/privacy-policy/. 

Connected Care Group

Connected Care

Local shared care records (Connected Care) are used by the Trust to share some key information from your records with other organisations, health, and social care professionals who may be involved in your care.  

Role based access controls are implemented within the local shared care record systems and these controls make certain that only those roles that have a legitimate reason to access your data can do so.  In addition to the technical access controls, all organisations that have been granted access to the local shared care records have committed to perform regular audits to ensure that the controls are properly applied.

The various types of organisation that may be required to view relevant aspects of your data using the local shared care record include one.

 1Independent sector health care providers (when you have been referred to them);

2. Independent sector social care providers (when you have been referred to them);
3. Local authorities;
4. NHS Trusts, including:
5. Hospitals
6. Community healthcare services (when you have been referred to them)
7. Emergency services
8. Mental health services (when you have been referred to them) e. Specialist service providers (when you have been referred to them); and
9. Voluntary sector organisations (when you have agreed to be referred to them).
   
   Practices contribute the following types of data to the local shared care record:
10. Personal demographic details (e.g. address, date of birth, next of kin/emergency contact details, ethnicity, disability or language preferences);
11. Allergies;
12. Events and episodes of care;
13. Health promotion information;
14. Medication data (current and past);
15. Preventative procedures;
16. Problems;
17. Procedures;
18. Referrals;
19. Relevant social and family history;
20. Results from diagnostic procedures; and
21. Test results.

Other health and social care organisations contribute the following types of data to your local shared care record: 1. Alerts, allergies, risks and warnings; 2. Admissions and discharges; 3. Ambulance, NHS 111 and Out of Hours calls; 4. Care plans; 5. Carer Details; 6. Diagnostic tests, imaging, results and reports; 7. Electronic documents and letters; 8. Next of kin; and 9. Referrals, appointments and consultations.

There are three main local care records that are made available to support your care across the local health and social economy.  These are one. Share Your Care (which is also known as Connected Care).  This local shared care record consolidates your important local data from all sources for access by authorised professionals when you need it; two. The GP clinical system used in practices and other non-hospital settings that can provide near real-time access to your GP data when you are being cared for elsewhere in the local health care economy; and 3. The local pathology and diagnostic system that can provide details of your tests and diagnostic reports to authorised professionals elsewhere in the local health care economy when you need it.

Your rights in respect of these local shared records are summarised below one. As required by law, you have a right to request a copy of your local shared care record and. 2. You also have a right to request that errors in your records be corrected. 3. For some uses of your data, you also have the right to object to your data being processed.
We aim to comply with these rights at all times. 

For your benefit, the Trust may also need to share some of your patient information with non-NHS organisations involved in your care. This might include organisations such as local authorities, social services, education services, the police, voluntary and private sector health and social services providers, and private healthcare companies. Private patient information may also be shared with insurers, debit collection agencies or third parties involved in the payment or delivery of care and this may include transfers to home countries outside the UK.

Where sharing involves a non-NHS organisation outside the clear scope of care delivery, a specific information sharing protocol is put in place to ensure that only relevant information is shared and this is done securely in a way, which complies with the law.

Outside of providing healthcare, unless there are exceptional circumstances (such as a likely risk to the health and safety of others) or a valid reason permitted by law, the Trust will not disclose any information to third parties, which can be used to identify individuals without consent.

The Trust outsources a limited number of administration and IT support services to external organisations. The majority of companies are based within the European Economic Area (EEA) and all services are provided under specific contractual terms, which are compliant with UK data protection legislation.  The Trust (or third parties acting on our behalf) may store or process information that the Trust collect about you in countries outside the EEA.

Where the Trust makes a transfer of your personal information outside of the EEA, a risk assessment is undertaken to ensure appropriate levels of Security are in place before the transfer.

There may also be situations where we are under a duty to share your information due to a legal requirement. This includes, but is not limited to;

The Trust is required to send statutory information to the Department of Health, which is then held centrally and strictly controlled by NHS Digital. This organisation takes advice from independent board called the Security and Confidentiality Advisory Group, which reports to the government Chief Medical Officer.

The Trust is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to the Trust in confidence will only be used for the purposes explained to you and to which you have consented, unless there are exceptional circumstances, such as:

• when the health or safety of others is at risk
• where the law requires it
• where there is an overriding public interest to do so

Your rights

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to withdraw consent
• Rights in relation to automated decision making and profiling.

If you do not agree to certain information being processed or shared with the Trust or by the Trust, or have any concern, then please let us know.

You have the right to refuse/withdraw consent to information sharing at any time. The possible consequences can be fully explained to you and could include delays in receiving care. If you wish to discuss withdrawing consent please contact the Trusts Patient Relations team either by calling 0118 322 8338 or email talktous@royalberkshire.nhs.uk

National Opt-Out

The NHS Constitution states, “You have the right to request that your confidential information is not used beyond your own direct care and treatment and to have your objections considered”.

Direct care is defined as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation or suffering of an individual.

Indirect care is defined as work within the health and social care environment which does not involve the direct treatment or support of individuals e.g. research, commissioning and much of the work done in public health.

For further information and support about National  Opt-Out, please contact NHS Digital Contact Centre at enquiries@hscic.gov.uk referencing ‘Type 2 Opt-Outs – Data Request’ in the subject line, or by calling on 0300 303 5678.   You can also visit their website: http://digital.nhs.uk/article/7092/Information-on-type-2-opt-outs

To access the personal data we hold about you, please contact our Information Governance Team via;

Email: I.G@royalberkshire.nhs.uk

Post to:

IG Team

Royal Berkshire NHS Foundation Trust

Craven Road,

Reading

Berkshire

RG1 5AN

To access a copy of your medical records, please contact medical records team via;

By email: rbb-tr.accesstohealth@nhs.net

Post to;

Access to Medical Records

Royal Berkshire NHS Foundation Trust

London Road

Reading

Berkshire

RG1 5AN

The Trust will hold Subject Access Requests for 3 years after closure at which time the retention period will be reviewed on an individual basis. If a Subject Access Request has been subject to an appeal the Trust will be required to hold your information for 6 years after closure at which time your information will be destroyed.

Your personal information is may be held in both paper and electronic formats and will be held for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care 2016 and National Archives Requirements.

We hold and process your information in accordance with the General Data Protection Regulation (GDPR) in conjunction with the Data Protection Act 2018, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.

We have a duty to:

• maintain full and accurate records of the care we provide to you
• keep records about you confidential and secure
• provide information in a format that is accessible to you

Your personal information will only be kept for as long as is necessary and will be destroyed in accordance with the guidance of NHS Digital Records Management Code of Practice for Health and Social Care 2016, and Trust Policy [CG059].

The Trust has an Executive Director responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian who oversees the arrangements for the use and sharing of patient information. The Caldicott Guardian plays a key role in ensuring that the NHS, Councils with Social Services and Public Health responsibilities and Partner Organisations satisfy the highest practical standards for handling patient information. Acting as the ‘conscience’ of the Trust, the Caldicott Guardian actively supports work to enable information sharing where it is appropriate to share and advises on options for lawful and ethical processing of information.

The Caldicott Guardian for this organisation is:

Name:                   Dr Janet Lippett

Title:                     Chief Medical Officer  

Email:                   janet.lippett@royalberkshire.nhs.uk

The Trust has a Data Protection Officer (DPO) responsible for monitoring compliance with the GDPR and other data protection legislation, the organisations data protection policies, awareness-raising, training and audits. The DPO acts as the contact point with the ICO, our employees and the public. They co-operate with the ICO and will consult on any other matter relevant to Data Protection.If you have any queries during this time with how your personal data is being processed by the Trust, please contact the Data Protection Officer:

Caroline Lynch

Via Email: Caroline.Lynch@royalberkshire.nhs.uk 

Or Post:

Corporate Governance Department

Royal Berkshire NHS Foundation Trust

Craven Road, Reading

Berkshire RG1 5AN

Email:     I.G@royalberkshire.nhs.uk

For independent advice about data protection, privacy and data –sharing issues, you can contact the Information Commissioner (ICO):

The ICO is the Regulator for GDPR and offer independent advice and guidance on the law and personal data, including your rights and how to access your personal information. 

Postal:     Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire ,SK9 5AF
Phone:     08456 306060 or 01625 545745
Website:  www.ico.org.uk

If you have any questions or concerns regarding how we use your information, please contact us at:

Postal:     Royal Berkshire NHS Foundation Trust, Craven Road, Reading, Berkshire, RG1 5AN

Royal Berkshire NHS Foundation Trust tries to meet the highest standards when collecting and using personal information. For this reason, the Trust takes any complaints it receives about this very seriously. The Trust encourages people to bring their concerns to its attention if they think that the Trusts collection or use of information is unfair, misleading or inappropriate. The Trust would also welcome any suggestions for improving its procedures.

You have the right to complain to the Information Commissioner's Office (the ICO) if you are not satisfied with the way we use your information. 

You can contact the ICO by writing to:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow 
Cheshire
SK9 5AF

Royal Berkshire NHS Foundation Trust – Children privacy notice

This privacy notice is designed for Children.

How we handle your information

What information do we collect?

• Your name and address
• The person we should contact if anything happens to you
• The name of your local doctor
• Details of visits to the hospital
• Test results and x-rays
• Information from other NHS professionals who care for you

How the Trust uses your information

We will use your information when our staff:

• Look at your health needs and give you the care and treatment you need
• Refer you to a different health service
• Look after you while you are in hospital
• Check the quality of your care
• Investigate any problems with your care

How else could your information be used?

The Trust may use and share some of your information to help us:

• Look after the health of the general public
• Check that the NHS is giving a good service
• Give information to the government about our work
• Look into new ways of caring for people
• Make sure our services can meet patient needs in the future
• Teach and train healthcare professionals

Do we share information about you with anyone else?

There are times when it is right for us to share information about you with other people and organisations:

• Local doctors (GPs)
• Health Authorities, NHS Trusts, NHS England
• The Government’s Department of Health
• The local Council’s Social Services and Education Services
• Private health and care companies with your consent
• Community organisations that provide care services with your consent

We will not give your information to other people without your permission unless:

• Someone’s health or safety is at risk
• The law says we should
• The law says that any other organisation that gets information from this Trust must keep it safe

Your rights

The law says that everyone working for the NHS has to keep information about you safe and confidential

• You have the right to:
• Have your personal information kept safe and secure
• To be hold about how your information is being used
• To ask for a copy of your medical records
• To ask that your personal information is only used for your care and treatment
• To check that your information is correct and up to date
• If you think any information about you held by the Trust is wrong, you can contact the Trust Information Governance Team: G@royalberkshire.nhs.uk

Things we must do

Royal Berkshire NHS Foundation Trust must:

• Keep records of the care we give to you
• Keep your records safe and secure
• Give you information in a way you can understand
• Give you a copy of your records whenever you ask for them

Seeing your records

If you want a copy of your medical records you should email: rbb-tr.accesstohealth@nhs.net

You can also request your medical records via post:

Access to Medical Records

Royal Berkshire NHS Foundation Trust

London Road

Reading

Berkshire

RG1 5AN

If you want a copy of personal data we hold about you, please contact our Information Governance Team via email: I.G@royalberkshire.nhs.uk

You can also request this by post:

IG Team

Royal Berkshire NHS Foundation Trust

Craven Road

Reading

Berkshire

RG1 5AN

The responsible use of health and care data is essential for providing individual care, planning services and developing new medical treatments.

Across the country there is an increased focus on how to create better access to data for research, and maintaining the highest standards of security and confidentiality.

Part of this new approach is to develop local Secure Data Environments (SDE). NHS organisations in the Thames Valley and Surrey (TVS) are working together to set up a local SDE for research.

This environment will securely store patient data. People, like university or industry researchers, can apply to become approved users to access this data. The data they can see is agreed before they are given access. The data will not leave the NHS.

To help develop the local SDE, we are working with patients, the public and healthcare professionals.

For further information please visit: Thames Valley and Surrey - Health and Care Data