How we use your information

Note: For information about how website users’ information is used when browsing this website, please see the website privacy statement.

Your information your rights (fair processing notice)

(Fair Processing Notice is also known as Privacy Notice)

Our hospitals and other sites come under the legal entity of Chelsea and Westminster Hospital NHS Foundation Trust. As we process personal data, we are legally obliged to be on the Data Protection Register held by the Information Commissioner’s Office (ICO). Our registration number is Z5779617.

Our Data Protection Officer is Graham Trainor—he can be contacted by emailing DPO.chelwest@nhs.net. 

This Data Privacy Notice is to assure you of our compliance with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003) (referred to collectively in this Privacy Notice as ‘’the Data Protection legislation’’).

All individuals for whom we hold data have the same rights under the Data Protection legislation, although the legal basis for processing the data may vary depending on the reason we hold the data—i.e. whether you are a patient, member of staff, volunteer, Foundation Trust Member or anyone else. Your personal information is retained in accordance with the retention and deletion schedules, as set out in the NHSx Code of Practice on Records Management. For further information, please visit the NHSx website.

What information do we keep about you?

Patients

For patients collectively, all the information we hold about you is called your health record. It includes general personal information (such as your name, address, next of kin and GP) and Special Category Personal Data relating to health (such as reports, test results, operations and other treatments), ethnicity, religion and, where appropriate, genetic, sexual orientation etc. These records exist in either paper or electronic formats or both. They are secured by appropriate security measures to comply with legislation, and assessed in the Data Security & Protection Toolkit.

Legal basis for processing patient data: 

We obtain and hold personal data under GDPR Article 6 (1) (e) (Public Task), (b) (Performance of a contract), (c) (Compliance with a Legal Obligation) and in special cases (d) (Vital interests to protect someone’s life). 

For Special Category Personal Data (including health data), we normally process under Article 9 (2) (h), but other special category conditions may also apply.  

The ICO website has further information on the GDPR lawful bases for processing personal data.  

Consent

Please be aware that we don’t normally use consent as a lawful basis for processing your personal data under GDPR. This is different to consent to treatment.

Private Care patients

Whilst this Privacy Notice will apply to all patients, there are some additional data sharing requirements that we have for Private Care patients (for example Insured, Sponsored, or self-pay patients). 

We share personal and clinical information, such as name, address, date of birth, insurer policy number, with third parties such as private insurance companies for the assessment and approval of funding requests for private treatment at the Trust.

However, before any information is shared with these third parties, Private Care patients are required to complete an ‘Undertaking to Pay Form’ which details the terms and conditions of payment for Private Care. 

For self-funding patients we will also share personal and clinical information with internal and external (GPs, consultants and referring hospitals) clinical staff in order to determine the potential treatment costing. 

Where necessary, the Trust will share non-clinical personal information for example your name, address, NHS number and/or insurance details as well as a brief history of collection efforts, with credit reference agencies and / or third party debt recovery agencies to pursue recovery of unpaid debt. Such action is only undertaken after internal processes have been exhausted i.e. when we have tried on three attempts to recover aged debt via written letters.

Carers/next of kin

As part of a patient’s health record, we record next of kin and, where relevant, carers’ details. There may be occasions where we will contact them for the sake of clinical audit—for example, the National Audit of Care at the End of Life (NACEL).

Staff

If you are a member of staff then the information we hold is about your employment and related information—this is known as your staff record. We hold this information mainly in electronic format though for older records, it may be in paper format.  

If you are both a member of staff and a patient, then two sets of records are maintained.

Further information on our processing of staff data can be found in the Trust’s separate Privacy Notice for staff.

How is information about you used?

Records about you are used by those caring for you to:

• Provide a good basis for all healthcare decisions by you and healthcare professionals
• Enable you to work in partnership with those providing care
• Make sure the care we provide is safe and effective
• Work effectively with others providing you with care
• Facilitate and manage appointment bookings, reminders and rescheduling and online patient letters using 3rd party processors such as DrDoctor

Others within the Trust, the NHS and other government bodies may also need to use records about you to:

• Check the quality of care (called clinical audit)
• Protect the health of the general public
• Keep track of NHS spending
• Manage the health service
• Help investigate untoward incidents, complaints or legal claims
• Prevent fraud
• Teach healthcare staff
• Help with research

If we need to use information that identifies you for purposes other than your direct care (or to check the quality of that care), we will always seek your consent beforehand.

Who do we share your information with?

The above uses of your data will involve sharing your information with other health and social care professionals involved in your care, such as doctors, nurses, therapists and your GP as well as some administrative staff.

There are some sector-wide and national initiatives where data is shared, legally under UK legislation, between organisations to speed up access to patient records for direct care purposes, such as the NWL digital integrated care initiative. The governance and access controls around these initiatives are very strict.

We also participate in some national audits and submit your pseudonymised data to the Secondary Uses Service (SUS) which is the single repository for healthcare data in England. This enables a range of reporting and analyses to support the NHS in the delivery of healthcare services—and is mandated by law. 

Access to these records is strictly controlled on a need-to-know basis and is managed by NHS Digital. For example, the organisations who commission health services from the hospitals (Clinical Commissioning Groups/CCGs) cannot, as a rule, gain access to personal information about you—just aggregated data to enable them to commission the most appropriate services. Exceptions exist where direct management of healthcare budgets is requested by individuals and also for certain procedures where proof of need is required, an approved process.

To assist in the management of the health service, and to protect the health of the general public, we may share information with other parts of the NHS or with other public sector organisations.

We may also use third party service providers to process data on our behalf. If we do, then we will always have an appropriate agreement/contract in place to ensure that they keep the data secure, and that they do not use or share information other than in accordance with our instructions. Examples of functions that may be carried out by third parties include:

• Systems providers which facilitate and manage appointment bookings on our behalf such as DrDoctor
• Companies that provide IT services & support, including our core clinical systems, data hosting service providers or document management services;
• Delivery services (for example if we were to arrange for delivery of any medicines or equipment to you).

Further details regarding specific third party processors can be provided on request to the Data Protection Officer.

We are also required by law to report certain information to the appropriate authorities—for example notification of new births and incidences of certain communicable diseases, crimes or suspicion of terrorist acts to the police or other UK bodies, for example General Medical Council, or the Healthcare Safety Investigation Branch of NHS investigations.

Whenever we share information with other organisations we do this in line with the Data Protection legislation and the Common Law Duty of Confidentiality, as well as any other relevant legislation or when required to do so by court order. We will only ever share the minimum amount of information required for the purpose.

We do not share information, in the ways described above, regarding treatment you may have received in the specialities of sexually transmitted infections and human fertilisation and embryology (not withstanding any legal requirements imposed on the Trust).

The future of healthcare: digital, data and technology in health and care

There has been a rapid growth of digital health technology and the use of apps and artificial intelligence (AI) over the past few years. This work is actively encouraged by the government with the ultimate objective of the provision of better care and improved health outcomes for people in England.

We want to make the best use of digital technology to deliver great patient care. That's why we introduced a new electronic patient record system called Cerner EPR across the Trust and other clinical systems.

We have also adopted other digital solutions as part of our ongoing digital transformation.

• Information about digital solutions

How do we protect your information?

We abide by the principles as set out in the Data Protection legislation and self-assess our state of compliance with Information Governance (IG) and Security Standards via the Data Security & Protection Toolkit (DSPT). We also use internal auditors to scrutinise our self-assessment scores.

All NHS staff—whether permanent, temporary, bank or volunteer—have to comply with the legislation, and confidentiality is part of statute and common law. Maintaining your confidentiality at all times is treated with the utmost seriousness and staff contracts ensure this even after leaving the Trust. 

Clinicians also have professional codes of conduct with which they need to comply, and these deal with confidentiality of healthcare.

Below are the links to the relevant professional bodies:

• General Medical Council
• Nursing & Midwifery Council
• Health & Care Professions Council

All staff are required to undertake annual Information Governance training and, where appropriate, additional training in line with their responsibilities. Staff are reminded throughout the year of various aspects of their responsibilities.

It is illegal for a member of staff to access any record, including those of their friends and colleagues, unless they are directly involved in their care. 

Our IT systems are provided either in-house or by specific suppliers who are required to manage the data securely in a manner compliant with UK legislation. 

We have perimeter and internal protection of our IT systems and monitor access and security in a proactive manner. Only individuals with legitimate reasons are allowed access to areas storing data.

The Trust works on the principles of Privacy by Design ensuring that we consider privacy and security in all that we do, and ensuring that security and privacy are considered before we undertake any new projects or procure any new systems. 

What rights do you have as a patient?

You have the right to:

• Confidentiality and privacy under GDPR, the DPA, the Human Rights Act 1998 and the Common Law Duty of Confidentiality
• the right to be informed about the collection and the use of your personal data (This privacy notice is part of that)
• the right to access personal data and supplementary information (Known as a Subject Access Request (SAR) - please see Request your health records 
  Under Data Protection legislation there are no fees for the first request and we usually provide the requested information electronically. Making & posting paper copies is expensive and time-consuming, and we want to avoid costs to the NHS where possible.

Staff, volunteers and job applicants should use the same form to obtain access to the information the Trust holds on you.

• the right to have inaccurate personal data rectified, or completed if it is incomplete
• the right to erasure (to be forgotten) in limited circumstances - health records and staff records have specific retention periods imposed by law. If we are unable to act on your request to delete your information, we will inform you of the appropriate legislation and provide you with details of any points of escalation if you are unhappy with our decision. This applies in a similar manner to the right to restrict or objection to processing).
• the right to restrict processing in certain circumstances
• the right to data portability, which allows you to obtain and reuse your personal data for your own purposes across different services
• the right to object to processing in certain circumstances
• rights in relation to automated decision making and profiling
• the right to withdraw consent at any time (where relevant). We don’t usually use consent under GDPR for processing your personal data in providing you with care or for treating you.
• the right to complain to the Information Commissioner

Objections to the use of your data

The information collected about you when you use our services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• improving the quality and standards of care provided
• research into the development of new treatments 
• preventing illness and diseases
• monitoring safety
• planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law. 

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.  On this web page you will:

• See what is meant by confidential patient information
• Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
• Find out more about the benefits of sharing data
• Understand more about who uses the data
• Find out how your data is protected
• Be able to access the system to view, set or change your opt-out setting
• Find the contact telephone number if you want to know any more or to set/change your opt-out by phone 
• See the situations where the opt-out will not apply

You can also find out more about how patient information is used for research at:

• NHS Health Research Authority – which covers health and care research
• Understanding patient data – which covers how and why patient information is used, the safeguards and how decisions are made

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Help us to help you—accuracy of data

Our staff should always verify your basic details such as name, address and GP practice each time you visit one of our sites. If they forget, please remind them. If you spot errors when using an automated check-in kiosk, then please inform a member of staff.

Always ensure that you:

• Give us accurate and full information on first contact and check it.
• Let us know immediately if any of your personal details have changed or are incorrect—there is a danger you will miss crucial appointments or that we won’t be able to contact you quickly in an emergency.
• Provide your NHS number if possible. All correspondence from the Trust should contain an NHS number or you can find it here
• Always give your full regular registered name rather than a nickname/short name or other name—we need to match our records with your GP practice records. The spelling and order of names is particularly important and account for around 70% of errors.

The Trust will not regularly contact you to ask for an update of your details, as we value your privacy—we do request that you update us if your circumstances change to ensure we keep our records up-to-date. 

CCTV/body-worn cameras

The Trust uses CCTV on various sites. Our security team may also wear body-worn cameras. These are used for the safety and security of our patients and staff. 

The recordings of identifiable individuals are classed as personal data but do not form part of any health or staff record. Images are held for a period of 31 days, or longer if required for any investigation. 

Staff movements when using security passes are also recorded.

Preventing fraud

Chelsea and Westminster Hospital NHS Foundation Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Cabinet Office under the NFI is responsible for carrying out data matching exercises. Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. 

No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

As the Trust participates in the Cabinet Office’s National Fraud Initiative it is required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise. It then receives a report of matches which it will be required to investigate, so as to detect instances of fraud, over- or under-payments and other errors, to take remedial action and update its records accordingly.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014 (LAAA) and the data sets which the Trust submits can be found in the Cabinet Office guidance.

As the process is mandated by the Cabinet Office it does not require the consent of the individuals concerned under the Data Protection Act 2018 or the General Data Protection Regulation.

Data matching by the Cabinet Office is subject to a Code of Practice. Further information on the Cabinet Office’s legal powers and the reasons why it matches particular information can be found here.  

The Trust has a dedicated counter fraud service provided by RSM. Please contact our local counter fraud specialists to discuss any concerns.

Gemma Higginson
E: gemma.higginson@rsmuk.com/gemma.higginson1@nhs.net
M: 07800 718 680

Natalie Nelson
E: natalie.nelson@rsmuk.com
T: 020 3201 8358 

In addition to the above, all patients are checked for Overseas Visitor Cost Recovery and fraud purposes, and we will share information with the Home Office and/or other relevant government departments and agencies where we are required to do so, in accordance with our legal obligations.

Guidance from the Information Commissioner's Office

The Information Commissioner’s Office (ICO) provides guidance on data sharing, subject access requests, freedom of information requests and many other subjects. It is the body responsible for regulating GDPR and other related legislation.

If you have any concerns about the way we have handled your data or are not happy with the Trust’s response to any complaint or concern you have raised, you are entitled to contact the Information Commissioner’s Office as below.

The Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

T: 0303 123 1113

• ICO website