How we use your information


Your information your rights (fair processing notice)

Our hospitals and other sites come under the legal entity of Chelsea and Westminster Hospital NHS Foundation Trust. As we process personal data, both patient and staff, we are legally obliged to be on the Data Protection Register held by the Information Commissioner’s Office (ICO). Our registration number is Z5779617.

What information do we keep about you?

Collectively, all the information we hold about you is called your health record. It includes general personal information (for example your name, address, next of kin and GP) and sensitive information such as health reports, test results, operations and other treatments, ethnicity and religion. These records are kept in both paper health records and held electronically on clinical and corporate systems.

If you are a member of staff then the information we hold is about your employment and is known as your staff record.

If you are both a member of staff and a patient then two sets of records are maintained.

How is information about you used?

Records about you are used by those caring for you to:

  • Provide a good basis for all healthcare decisions by you and healthcare professionals
  • Enable you to work in partnership with those providing care
  • Make sure the care we provide is safe and effective
  • Work effectively with others providing you with care
  • Remind you about appointments

Others within the Trust and the NHS may also need to use records about you to:

  • Check the quality of care (called clinical audit)
  • Protect the health of the general public
  • Keep track of NHS spending
  • Manage the health service
  • Help investigate untoward incidents, complaints or legal claims
  • Teach healthcare staff
  • Help with research

If we need to use information that identifies you for more than your direct care or to check the quality of that care, we will always seek your consent beforehand.

Who do we share your information with?

The above uses of your data will involve sharing your information with other health and social care professionals involved in your care, such as doctors, nurses, therapists and your GP as well as some administrative staff.

There are some sector-wide and national initiatives where data is shared between organisations to speed up access to patient records for direct care purposes, such as the NWL digital integrated care initiative. The governance and access controls around these initiatives are very strict.

We also participate in some national audits and submit your data anonymously to the Secondary Uses Service (SUS), the single repository for healthcare data in England, which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. This is mandated by law. Access to these records is strictly controlled on a need-to-know basis. For example, the organisations who commission health services from the hospitals (Clinical Commissioning Groups/CCGs) cannot, as a rule, gain access to personal information about you. They receive only aggregated data to enable them to commission the most appropriate services.

To assist in the management of the health service, and to protect the health of the general public, we may share information with other parts of the NHS or with other public sector organisations.

We are also required by law to report certain information to the appropriate authorities—for example notification of new births and incidences of certain communicable diseases. We may also provide information regarding crimes or suspicion of terrorist acts to the police.

Whenever we share information with other organisations we do this in line with the Data Protection Act (1998) and the NHS Confidentiality Code of Practice (2003).

We share anonymous information with local authorities and the police for the purposes of crime mapping.

We do not share information, in the ways described above, regarding treatment you may have received in the specialities of sexually transmitted infections and human fertilisation and embryology (notwithstanding any legal requirements imposed on the Trust).

Electronic patient records

We want to make the best use of digital technology to deliver great patient care. That's why we are introducing a new electronic patient record system called Cerner EPR across the Trust.

How do we protect your information?

We aim to abide by the principles of the Data Protection Act 1998 (DPA) and self-assess our state of compliance with Information Governance (IG) Standards via the IG Toolkit. We also use internal auditors to scrutinise our self-assessment scores.

All NHS staff—whether permanent, temporary or volunteer—have a legal duty to comply with the DPA and maintain your confidentiality at all times, even after leaving the Trust. Most staff groups also have professional codes of conduct with which they need to comply.

All staff are required to undertake annual Information Governance refresher training and are reminded throughout the year of various aspects of their responsibilities.

It is illegal for a member of staff to access their own record or the records of their friends and colleagues unless they are directly involved in their care. Even checking a friend’s phone number on the administration system is an actionable offence.

Objections to the use of your data

You may object to having your data used for any secondary purposes by contacting the Information Governance Department at . We would hope—with the controls we have in place and the necessity of using your data in the way described—that you would have no objection to our sharing of your data.

What rights do you have as a patient?

You have the right to:

  • Confidentiality under the DPA 1998, the Human Rights Act 1998 and the common law duty of confidence
  • Access your health records either by asking for a copy of all records about you or coming in to view your records, under supervision, on site (see below)
  • Have errors in your details corrected
  • Not have your data used for marketing purposes

Help us to help you—accuracy of data

Our staff should always verify your basic details such as name, address and GP practice each time you visit one of our sites. If they forget, then please remind them. If you spot errors when using an automated check-in kiosk then please inform a member of staff.

Always ensure that you:

  • Give us accurate and full information on first contact and check it
  • Let us know immediately if any of your personal details have changed or are incorrect, otherwise there is a danger you will miss crucial appointments or that we won’t be able to contact you quickly in an emergency
  • Provide your NHS number if possible
  • Always give your full regular registered name rather than a nickname/short name or other name, as we match our records with your GP practice records—the spelling and order of names is particularly important and accounts for around 70% of errors

Access to your health records (Subject Access Request/SAR)

If you are a patient and require a copy of your health records, please see the ‘Requesting your medical records’ page. There is a charge for this service but you can come in and view your records, under supervision, for free.

Staff, volunteers and job applicants should contact our Human Resources department for copies of documentation we hold.

Guidance from the Information Commissioner's Office

The Information Commissioner’s Office (ICO) provides guidance on data sharing, subject access requests, freedom of information requests and many other subjects.

