Who we are
We, Midlands Partnership NHS Foundation Trust (the Trust), are a data controller. Our address for communications is:
St George’s Hospital
Our telephone number is 0300 790 7000
We are registered to process personal and sensitive information under the Data Protection Act 2018 - our registration number is Z5442879
Our Caldicott Guardian (senior person responsible for sharing of patient information) is Dr Abid Khan. He is also the Responsible Officer and Medical Director.
Our Senior Information Risk Owner (SIRO) is Jayne Deaville. She is also our Director of Finance and Performance.
Why we collect and use your information (purpose of processing)
We ask for information about you so that you can receive care and treatment. We keep this information, together with details of your care, because it may be needed if we see you again, and it allows continuity of your care. If you have a complaint regarding this care we will also collect any data you provide to us.
We collect your personal information if you apply for a job or to volunteer with the Trust. We also collect your information if you work for us.
As data controllers under the GDPR we process personal data (under Article 6) and sensitive data, which the GDPR terms Special Categories (under Article 9).
Personal data is defined as information relating to a living individual that can identify them. Examples include name, date of birth, NHS Number or a combination that can also identify an individual.
Special Categories are defined as: race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life and sexual orientation.
We act as joint data controllers with Staffordshire County Council to deliver services in relation to Learning Disability, Older People, Physical and Sensory Disability and Mental Health. As part of this agreement data may need to be shared with them. This applies in Staffordshire only and mental health in the north of the county does not fall within this remit.
Records about you are used by those caring for you to:
- Provide a good basis for all healthcare decisions by you and care professionals
- We may offer you services, referrals or information based on your profile
- Enable you to work in partnership with those providing care
- Make sure the care we provide is safe and effective
- Work effectively with others providing you with care
- Provide chaplaincy and pastoral care services
- Remind you about appointments.
Others within the Trust and the NHS may also need to access records about you to:
- Check the quality of care (called clinical audit)
- Protect the health of the general public
- Keep track of NHS spending including goods and services the Trust provides
- Manage the health service
- Help investigate untoward incidents, complaints or legal claims
- Teach healthcare staff
- Help with research. If we need to use information that identifies you for more than your direct care or to check the quality of that care, we will always seek your consent beforehand.
- Keep you informed of the work of the Trust, such as new services, and carry out surveys.
The lawful basis of the processing
The Trust processes personal information only when it has a legal basis for doing so.
The primary purpose for which the Trust processes personal information is in order to support its healthcare activities as set out in the National Health Service and Community Care Act 1990. This is the Trust’s source of “official authority.”
The basis for the Trust processing your information is described in Article 6 (Lawfulness of processing) and Article 9 (processing of special categories of personal data) of the General Data Protection Regulation.
The legal basis for using your data will depend on what we need to do but includes:
- Consent - We have been given clear consent to process the personal data for a specific purpose
- Contract - The processing is necessary for a contract that we have with an individual
- Legal obligation - the processing is necessary for us to comply with the law
- Vital interest - the processing is necessary to protect someone's life
- Public Task - the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
- The legislation does not prevent us sharing information if there is a safeguarding concern, and data may be shared if it falls into this arena.
Categories of personal data processed
Categories of personal data
Our guiding principle is that we hold your records in strict confidence.
Information we collect includes:
- Your name and address
- Your medical conditions, allergies and medications
- Treatment provided and contact you have had with us
- Results of investigations, such as x-rays, MRI / CT and laboratory tests
- Reports about your health and the care you need
- Relevant information from other health professionals
- Smoking status
- Any learning disabilities
- Marital status
- NHS number
- Overseas status
- Place of birth
- Preferred name or maiden name
- Where applicable, the date, cause and place of death
- Your ethnic origin, in order to help in planning services and ensuring equal access
- School details
- Child/Adult protection status
- Email address
- Your religious, spiritual or pastoral beliefs (or none)
- Family details
- Sexual life
- Next of Kin details
- Where applicable, the date, cause (if died in hospital) and place of death
- Power of Attorney Status / Deputyship under the Mental Capacity Act (Health and Personal Welfare)
- Photographs, audio and video recordings
- Financial information for private care
Special category data
Special category data is personal data which the GDPR says is more sensitive (very like sensitive data under the DPA 1998), and so needs more protection:
- Ethnic origin
- Trade union membership
- Biometrics (where used for ID purposes)
- Sex life
- Sexual orientation.
The Care Records Guarantee outlines the duty we have to maintain accurate records of the care we provide to you; keep these records confidential and secure; and provide information in a format that is accessible to you.
For staff, volunteers and job applicants and others
- Employees, job applicants, apprentices, complainants, enquirers, survey respondents, suppliers, professional experts, consultants, people captured in closed circuit television images
- Information is also held on job applicants for the purposes of processing their application and ensuring equality and patient safety
- Information on staff, volunteers and apprentices may be shared with third parties that provide services to the Trust, in order to comply with statutory requirements and to facilitate the running of the Trust.
- Staff, volunteers and apprentices need to be aware, however, that their information will be processed as part of their contract / agreement with the Trust. This will be fully explained to you by the Human Resources team and / or your manager.
- Staff, volunteers and job applicants should contact the Trust Human Resources department for further information on how their information is processed.
Not a patient or staff?
It is possible that the Trust holds information on you as part of someone else’s record. Under GDPR you may still be entitled to receive a copy of this information, so long as it would not breach the confidentiality of the person whose records hold the information, or there is another reason not to provide it.
Who do we share information with?
We will share information with you, the patient, and with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs.
We will also share information as required by law, for example, to comply with a court order.
We will anonymise or pseudonymise your information wherever possible to protect confidentiality.
In particular, as a patient we will inform your GP and others involved in your care of your progress unless you ask us not to.
You need to be aware, however, that there are possible consequences if you do not allow us to share. These will be fully explained to you by your clinician, and could include delays in receiving care and you being harmed.
We may share your information with other organisations and individuals where it may benefit you or we are required to do so, for example with:
- Hospitals and Health care organisations
- Social services
- Community services
- General Practitioners (GP)
- Clinical commissioning groups (who commission hospital services – usually information is partly or fully anonymised)
- Education Services, such as research at universities and examining bodies.
- Ambulance services
- Companies that provide services on behalf of the Trust. This may be via an Integrated Clinical Care Record (IDCR)
- Family, associates and representatives (with your consent or under Lasting Power of Attorney/Deputyship under Mental Capacity Act – Personal Welfare)
- Healthcare social and welfare organisations
- Suppliers, service providers
- Auditors and audit bodies
- Financial organisations; including in order to process payments you make for goods and services.
- Professional advisers and consultants, legal representatives, debt recovery
- Security organisations
- Voluntary sector providers, such as patient groups or health charities
- Care homes including private sector care homes
- Private health care providers
- Police forces
- Chaplaincy & Pastoral Care
- Hospital Hotel Services
- The Health and Safety Executive
When we share your information with other organisations, the sharing will be covered by an agreement describing how the information is to be used (an Information Sharing Protocol).
Information we are required to report
We are also required by law to report certain information to the appropriate authorities.
Whenever we share information with other organisations we will do this in line with the Data Protection Act and the NHS Confidentiality Code of Practice (2003).
The source of personal data where we do not obtain it from you
We may obtain your personal information from the organisations or individuals listed above that we share with or others that have information that may assist with the provision of your care.
Automated decision-making and profiling
The Trust does not carry out automated decision making, but will endeavour to identify people who may benefit from additional services (profiling), for example those who attend our emergency department frequently.
Appropriate staff, for example clinicians, would make the actual decisions based on the available information.
Transfers of your information to third countries or international organisations
It may sometimes be necessary to transfer personal information overseas. When this is needed, information is only shared within the European Economic Area (EEA) unless additional safeguards have been put in place to protect your information.
Any transfers made will be in full compliance with all aspects of the Data Protection legislation. If this is to happen you will be informed by the Trust.
How long do we hold your information for?
We retain health records for at least eight years from the last date that you presented at the Trust, and until their 25th birthday for children.
These are the minimum times for which we keep information; we may keep it for longer if we believe doing so will be of benefit to you or in regard to any other legal obligation.
We have a duty to:
- Maintain full and accurate records of the care we provide to you
- Keep records about you confidential and secure
You have the right to see or have a copy of your personal information.
You do not need to give a reason; and normally there will be no charge.
We may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
We may also charge a reasonable fee to comply with requests for further copies of the same information.
Any fee will be based on the administrative cost of providing the information.
If you want to access your health records, you should make a written request to the Trust subject access team at the following address:
Access to Records Team
St George’s Hospital
We provide an application form and other information to assist you with your application, which can be found on the "Your Rights" page, but you do not need to use our form as long as you provide us with the information we require to process your request.
We will normally provide your information within one month (four weeks) of receiving all the information we need to respond to your request. It may be that we have to extend the time period by a further two months (eight weeks) if your request is complex, numerous or large. We will inform you within the month of receipt if this is the case and explain why the extension is necessary.
Please be as detailed as possible when requesting information, for instance stating date ranges, appointment types or specific letters.
Before records are released we will seek the advice of the consultant in charge of the patient’s care to ensure that no information about an individual’s physical or mental health or condition will be released if it would be likely to cause harm to their or another person’s physical or mental health or condition. We will also withhold information provided by third parties where we don’t have consent to release it or where the patient has made it clear that they did not want the information disclosed.
Before providing any information we will need to verify your identity and may request further information from you so we may progress your query as quickly as possible.
Your right to be informed
This means you have a right to be informed about the way we collect and use your data.
Your right to rectification
This means you have the right to have inaccurate (incorrect or misleading as to any matter of fact) personal data corrected or completed.
Your right to have your personal information erased
This right is not absolute and only applies in certain circumstances.
You have the right to restrict the processing of your information in the following circumstances:
- You contest the accuracy of your personal data and we are verifying the accuracy of the data;
- We no longer need the personal data but you need us to keep it in order to establish, exercise or defend a legal claim; or
- You have objected to the Trust processing your data under Article 21(1), and the Trust is considering whether the Trust’s legitimate grounds override yours (the individual).
Your right to data portability
This means that you can request a secure transfer of your data to another Data Controller.
The right to data portability only applies when:
- the data is about you and was provided by you to the Trust;
- the processing is based on your consent or for the performance of a contract; and
- the processing is carried out by automated means.
If the Trust provides your information to you under the right to portability no fee will be payable and the information will be provided within one month.
Your right to object
This means that you have the right to object to the Trust processing your data where the processing is based on:
- legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
You must have an objection on “grounds relating to your particular situation”.
Your right to withdraw your consent
This means that once you have given your explicit consent for your information to be processed you have the right to:
- Withdraw your explicit consent for the processing of your information.
- You can withdraw your consent by informing the department / team that took your consent. You can do this in writing or verbally.
Closed Circuit Television (CCTV)
The Trust makes use of CCTV systems, including body worn cameras, for crime prevention in line with the Information Commissioner’s CCTV code of practice. You have a right of access if you wish to request your data captured on CCTV.
Further information, complaints and your right to complain to the Regulator
For further information or if you would like to make a complaint, please contact:
If you would like this leaflet in your own language, in large print, in Braille or on audiotape, please contact the PALS team.
If you feel that we have not adequately dealt with your complaint regarding how we process your information, you can raise the issue with the Information Commissioner, who is the supervisory authority for the United Kingdom (the Regulator), at the address below:
Information Commissioner's Office
By phone: 0303 123 1113
By email firstname.lastname@example.org
Website: ico.org.uk