
Privacy notice

Your privacy is important to us.

This privacy notice tells you what to expect from us when you contact us or use our services and you provide us with your information.

This notice is layered so you can easily find the answers to your questions.

Wye Valley NHS Trust (WVT) is the Data Controller (and Data Processor) for the personal and special category information we hold/process, unless otherwise stated.

WVT is committed to protecting the rights of individuals in line with data protection legislation. We aim to advise you how we will use your information to ensure you are informed. We can provide you with information about why your data is being processed, how long we will keep it for and who it may be shared with.


Data controller details

There are many ways you can contact us, including by phone, email and post. More information is on our contact us page.

Pippa Whitfield is our Data Protection Officer (DPO) and if you have any concerns regarding how your data is processed please contact:

Wye Valley NHS Data Protection Officer
Wye Valley NHS Trust
The County Hospital
Union Walk
Hereford
HR1 2ER

Email Pippa.Whitfield@wvt.nhs.uk
Phone 01432 364089

Wye Valley NHS Trust ICO registration number: Z2977999

Data protection legislation

The European Union General Data Protection Regulation (GDPR) came into force on 25 May 2018, along with the Data Protection Act 2018, which forms part of the UK's data protection legislation.

This legislation places greater emphasis on being accountable and transparent when handling information. Data Controllers have to abide by a number of requirements and some of them relate to:

  • Information held
  • Transparency and accountability
  • Individuals' rights
  • Subject access requests
  • Lawful basis for processing personal data
  • Consent
  • Children
  • Data breaches
  • Data protection by design and data protection impact assessments
  • Data Protection Officers
  • International organisations and data

Personal and special category data

The GDPR/Data Protection Act 2018 covers personal data and special category data (sensitive data). Personal data is: 'Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:

  • Name
  • An identification number
  • Location data
  • An online identifier
  • One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person'

Special category personal data (sensitive personal data) includes:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data and biometric data
  • Data concerning health
  • Data concerning a natural person's sex life or sexual orientation

Transferring personal data to countries outside of the European Economic Area

The GDPR and the Data Protection Act 2018 primarily apply to controllers and processors located in the European Economic Area (the EEA). As the Trust and its subcontractors adhere to the GDPR and the Data Protection Act 2018, no data should be transferred to a country outside of the European Economic Area unless specific written contracts and appropriate technical and organisational measures have been implemented.

What information do we hold about you?

Most of the information we process is provided to us directly by you so we can make informed decisions regarding your health. In order for us to do this it is necessary for us to collect and hold information about you. This information may relate to you, your family and any other person. Data may include your:

  • Name
  • Address
  • Email address
  • Date of birth
  • Telephone number
  • NHS number
  • Hospital (RLQ) Number
  • GP
  • Next of kin contact details

Your information may include details about:

  • Referrals
  • Clinic visits
  • Hospital admissions
  • Reports about your health
  • Treatment and care you need and have received
  • Results of investigations
  • X-rays
  • Scans and laboratory tests
  • Relevant information from other health professionals
  • Details/comments of relatives or those who care for you and know you well

How long do we keep your information?

Wye Valley NHS Trust is obliged to retain your data in accordance with the Department of Health's Records Management Code of Practice 2016.

Your data protection rights

Under data protection law, you have various rights (depending on the reason why we are processing your information).

Your right of access

You have the right to ask us for copies of your personal information. Request a copy of your WVT records. ICO guidance on right of access.

Your correction and deletion of data rights

You have the right to request that your information is amended or erased in certain circumstances. Mistakes can be rectified; however, where your opinion differs from that of your health care professional, we will record your opinion as an addendum to your record. Your opinion will be shared whenever that part of your record is shared. Your record can only be amended where there is a factual inaccuracy. ICO guidance on correction. ICO guidance on deletion.

Right to data portability

You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances. ICO guidance on your right to data portability.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

Consent

If you have provided consent for the processing of your data, you have the right (in certain circumstances) to withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of any processing carried out before your consent was withdrawn.

Right to object

You have the right to object to the processing of your personal data on grounds relating to your particular situation. The right is not absolute and we may continue to use your data if we can demonstrate compelling legitimate grounds.

Rights related to automated decision making including profiling

You have the right to object to being subject to a decision based solely on automated processing, including profiling. Should we perform any automated decision-making, we will record this in our privacy notice, and ensure that you have an opportunity to request that the decision involves personal consideration.

How will your information be used?

Your doctor, nurse or any other health care professional involved in your care will have access to information about you, which will be used to assess your health care needs and to plan your treatment. We will ensure that appropriate information about you is available if you see another health care professional, or are referred to a specialist or another part of the NHS. We may use your contact information to remind you of your health checks (for example clinic appointments, immunisations, cervical smears, breast screening or other treatment).

National opt-out service

Wye Valley NHS Trust is one of many organisations working in the health and care system to improve care for patients and the public. Whenever you use a health or care service, such as attending Accident & Emergency or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment. The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • Improving the quality and standards of care provided
  • Research into the development of new treatments
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law. Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn't needed. You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care. You can find out more, or register your choice to opt out, on the national data opt-out web page. On that web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at: NHS Health Research Authority - Patient information and health and care research (which covers health and care research) and Understanding Patient Data - What you need to know (which covers how and why patient information is used, the safeguards and how decisions are made).

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement. Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

What is our legal basis for processing your personal/special category data?

For data processing to be lawful under the GDPR and the Data Protection Act 2018, we are obliged to identify a lawful basis before we can process personal and special category data. We will process personal data under Article 6 and special category data under Article 9.

We may apply Article 6(1)(e) for lawful processing: 'for the performance of a task carried out in the public interest or in the exercise of official authority'.

We may apply Article 9(2)(h) for the processing of special category data, 'Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional'.

We may apply Article 6(1)(a) when the data subject's consent provides the legal basis for the processing of personal data.

The table below details other reasons why we may process data under the law.

For each type of processing the table gives the GDPR Article 6 condition for personal data, the GDPR Article 9 condition for special categories (sensitive data), and the statutory basis or other relevant conditions.

Lawful basis for direct care and administrative purposes

All health and adult social care providers are subject to the statutory duty to share information about a patient for their direct care. This also includes:

(a) preventive or occupational medicine
(b) the assessment of the working capacity of an employee
(c) medical diagnosis
(d) the provision of health care or treatment
(e) the provision of social care
(f) the management of health care systems or services
(g) waiting list management
(h) performance against national targets
(i) activity monitoring
(j) local clinical audit

  • Article 6 condition (personal data): 6(1)(e) '…for the performance of a task carried out in the public interest or in the exercise of official authority…'
  • Article 9 condition (special categories): 9(2)(h) '…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…'
  • Statutory basis or other relevant conditions: NHS England's powers to commission health services under the NHS Act 2006 or to delegate such powers; section 251B of the Health and Social Care Act 2012.

6(1)(d) is available in life or death situations but should not be necessary for health or social care organisations to use in the performance of their tasks. This might apply in a situation where an organisation needs to act to prevent harm being caused by a patient or service user to someone who has no relationship with the organisation.

Vital interests

Processing is necessary in order to protect the vital interests of the data subject or of another natural person.

  • Article 6 condition (personal data): 6(1)(d) 'processing is necessary in order to protect the vital interests of the data subject or of another natural person'
  • Article 9 condition (special categories): 9(2)(c) 'processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent'
  • Other relevant conditions: Generally this only applies to matters of life and death, for example if an individual is admitted to the A&E department of a hospital with life-threatening injuries following a serious road accident. The disclosure to the hospital of the individual's medical history is necessary in order to protect his/her vital interests. It is less likely to be appropriate for medical care that is planned in advance.

Lawful basis for commissioning and planning purposes

Most national and local flows of personal data in support of commissioning are established as collections by NHS Digital, either centrally or, for local flows, by its Data Services for Commissioners Regional Offices (DSCRO). This applies where the collection or provision of data is a legal requirement, for example where NHS Digital is directed to collect specified data and can require specified organisations to provide it.

  • Article 6 condition (personal data): 6(1)(c) '…for compliance with a legal obligation…'
  • Article 9 condition (special categories): 9(2)(h) '…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…'
  • Other relevant conditions: Commissioners may receive personal data in support of commissioning where confidentiality is set aside by provisions under the Control of Patient Information Regulations 2002, commonly known as 'section 251 support'. This support does not remove the need for GDPR compliance. The commissioning of individually tailored services, or for example the approval of individual funding requests, should operate on the basis of consent for confidentiality purposes.

Lawful basis for research

  • Article 6 condition (personal data): 6(1)(f) '…legitimate interests…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject…'
  • Article 9 condition (special categories): 9(2)(j) '…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate…and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject…'
  • Statutory basis or other relevant conditions: Data Protection Act 2018, Schedule 2, paragraph 27(1): the listed GDPR provisions do not apply to personal data processed for (a) scientific or historical research purposes, or (b) statistical purposes. A pre-condition of applying Article 9(2)(j) is that the processing has a basis in UK (or EU) law. This basis will include compliance with the common law duty of confidence, the provisions of DPA18 that relate to research, statistical purposes etc. and other relevant legislation, for example section 251 support.

Lawful basis for regulatory and public health functions

Processing that is necessary for reasons of public interest in the area of public health, and is carried out (i) by or under the responsibility of a health professional, or (ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

  • Article 6 condition (personal data): 6(1)(c) '…necessary for compliance with a legal obligation…'
  • Article 9 condition (special categories): 9(2)(j) '…necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…'
  • Statutory basis or other relevant conditions: Health Protection (Notification) Regulations 2010; Public Health (Control of Disease) Act 1984, as amended by the Health and Social Care Act 2008; clinical audits (Healthcare Quality Improvement Partnership).

Some information we have to share is used for statistical, research or audit purposes. In these instances we take strict measures to ensure that individual patients cannot be identified, and where appropriate anonymisation and pseudonymisation techniques will be used to protect your identity. Anyone who receives information from us also has a legal duty to keep it confidential and secure.

Lawful basis for safeguarding

  • Article 6 condition (personal data): 6(1)(e) '…for the performance of a task carried out in the public interest or in the exercise of official authority…'
  • Article 9 condition (special categories): 9(2)(b) '…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law.'
  • Statutory basis: Children Acts 1989 and 2004, and the Care Act 2014.

Lawful basis for employment purposes

  • Article 6 condition (personal data): 6(1)(b) 'for the performance of a contract to which the individual is a party', or 6(1)(e) '…for the performance of a task carried out in the public interest or in the exercise of official authority…'
  • Article 9 condition (special categories): 9(2)(b) '…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law.'

Who will your information be shared with?

So that we can provide you with high quality health care services we are required to collect and use your information to support you. Your data may sometimes be shared with relevant departments within WVT, other NHS organisations, authorities and sometimes it may be used for training and auditing purposes.

WVT is committed to processing your data in accordance with the law.

We may share information about you with the following agencies to support the delivery of your care:

  • Department of Health
  • Clinical Commissioning Groups (CCGs)
  • Other providers involved in your care, such as hospitals
  • General Practitioners (GPs)
  • Ambulance Service
  • Mental health services
  • Social services

We may share information about you without your consent if there are safeguarding or crime prevention investigations.

We may share your information, with (subject to strict sharing agreements):

  • NHS Digital
  • NHS England
  • NHS Improvement
  • Education services
  • Local authorities
  • Voluntary sector providers
  • Private sector organisations

We may share information about you with others to:

  • Check the quality of treatment and advice provided to you
  • Protect the health of the general public
  • Manage the health service
  • Investigate any concerns or complaints you or your family have about your healthcare
  • Undertake research
  • Undertake clinical audits

Herefordshire One Record

Herefordshire patients will soon benefit from an improved digital sharing system called Herefordshire One Record.

This will enable sharing of patient records between GPs and other health care professionals in the county to ensure patients get the best possible treatment when needed.

Patient information is often only available within a single organisation. Herefordshire One Record will allow health care professionals in multiple organisations in Herefordshire to view patient records.

The following organisations will soon have access to the electronic systems to share information:

  • Herefordshire GP Practices
  • Wye Valley NHS Trust
  • St Michael's Hospice
  • Taurus Healthcare (for extended and out-of-hours GP services)

In addition, 2gether NHS Foundation Trust will also have access to view the records shared by the above organisations.

Dr Ian Roper, NHS Herefordshire CCG GP Lead said: "Improving the care of patients is always going to be at the forefront of any health care professional's mind. Herefordshire One Record will enable staff of these organisations to access up-to-date records that are held by the other organisations.

"It means that medical staff involved in patient care (whether they are a GP, Practice Nurse, District Nurse or a Consultant at the hospital) can make more informed choices about the care and medical treatment needed by a patient.

"It also means that patients won't need to explain their medical history or conditions each time they see a different health care professional.

"Herefordshire One Record will save time and could potentially be life-saving in some circumstances."

Jane Ives, Managing Director for Wye Valley NHS Trust said: "Sharing data is essential if we are to provide the very best care to patients we can.

"Better information means better patient care. Herefordshire is working towards a vision of safer, secure and more efficient care and Herefordshire One Record will be a key enabler for this.

"Through this new digital system the quality of patient care will be improved, not only through better coordination but also by reducing the time clinical teams spend updating health records on different systems and requesting information from other health care providers.

"It will assist with patient information being available in the right place at the right time. We also hope this will reduce admissions and readmissions and decrease duplicate testing. It will help our healthcare services in Herefordshire to work in the most efficient ways possible."

Herefordshire One Record is part of a wider Herefordshire and Worcestershire Sustainability and Transformation Partnership (STP) digital strategy, which aims to maximise and improve the way the NHS uses digital technology to enhance patient care, as outlined in the NHS Long Term Plan. The Herefordshire One Record initiative is part of a longer-term Herefordshire and Worcestershire programme to improve how information can be shared across care settings. The primary element of this stage of the One Herefordshire project has been to roll out an Electronic Patient Record System (EMIS) across community teams and to make it possible to view primary and community care records in A&E.

Herefordshire One Record will roll out starting in mid-September 2019. For more information visit Herefordshire One Record - Frequently Asked Questions. View the Herefordshire One Record Leaflet.

How do we keep your information confidential?

We protect your information in the following ways:

Training

Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community.

Access controls

Any member of staff being given access to national systems holding patient information will need a special access card called a smartcard, along with a username and password. Many of our local systems also require smartcard access.

Audit trails

We keep a record in the newer electronic record systems of anyone who has accessed a health record or added notes to it. Some of the older computer systems only record who has amended a record.

Investigation

If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, or bringing criminal charges.

Records management

All healthcare records are stored confidentially in a secure location.

Legislation

There are laws in place to protect your information, including the General Data Protection Regulation, The Data Protection Act 2018 and the Human Rights Act 1998.

Caldicott Guardian

Within each NHS organisation there is a designated person named the 'Caldicott Guardian' whose responsibility it is to ensure that these laws are upheld. The Caldicott Guardian for the Wye Valley NHS Trust is Dr David Mowbray.

Our data protection policies and procedures

We have a number of approved policies and procedures which we follow relating to the handling and processing of information. These policies will be available to view shortly:

  • IG 03 Freedom of Information Policy
  • IG 05 Confidentiality Code of Conduct Policy
  • IG 08 Email Access and Use Policy
  • IG 12 Data Protection Act Policy
  • IG 16 Physical and Environmental Security of Information Policy
  • IG 25 Information Sharing Policy
  • IG 36 Mobile Working (Remote Access) Policy
  • IG 41 Transferring and receiving confidential information
  • IG 56 Corporate Records Retention Archiving and Destruction Procedures
  • IG 61 Image/s and Recording/s Policy and Procedure
  • IG 64 Privacy Impact Assessment Policy
  • IG 65 Subject Access Policy

How do I make a complaint?

If you are unhappy with the way in which your personal data has been processed you may in the first instance contact:

Wye Valley NHS Data Protection Officer
Mrs Pippa Whitfield
Email pippa.whitfield@wvt.nhs.uk
Phone 01432 364089

If you are still dissatisfied then you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

You may contact the ICO helpline on 0303 123 1113.

Make a complaint directly to the ICO

Freedom of Information requests

The Freedom of Information Act 2000 (FOIA) gives members of the public certain rights to request information from public authorities.

Advice on making a Freedom of Information request

Bona Vacantia enquiries

We make appropriate enquiries to trace relatives of patients who pass away at the hospital with no next of kin. For those who we are unable to trace, their details are forwarded on to: Government Legal Department, Bona Vacantia Division (BVD), PO Box 70165, London WC1A 9HG.

We do not hold any information on the value of any estate the person may have had, nor can we make any additional information available on individual cases through Freedom of Information requests.

Download the Government's bona vacantia estates referral form
View further information on bona vacantia

Privacy notice review

This privacy notice was reviewed in January 2020.

Frequently asked questions

1. What is the GDPR and when does it become applicable?

The GDPR (General Data Protection Regulation) is European Union (EU) legislation that became applicable on 25 May 2018. As the UK is planning to leave the EU there may be some changes; further information will be published by the UK's Information Commissioner (Data protection and Brexit).

2. What is the difference between the GDPR and the Data Protection Act 2018 (DPA)?

The GDPR is EU legislation that is applicable as law in EU Member States from 25 May 2018, irrespective of national legislation. The Data Protection Act 2018 is the UK's variation (derogation) of the GDPR and sets out how the GDPR is applied in the UK.

3. How does this affect current UK law on data protection (DPA 1998)?

The DPA 1998 has been completely repealed.

4. What are the penalties for non-compliance?

Fines under the GDPR are up to a maximum of €20 million or 4% of turnover. For health and social care organisations, any fine would be likely to give rise to a loss of public trust, attract media attention and thereby inflict considerable reputational damage. Therefore, it is important organisations ensure their compliance.

5. How does this affect me?

The GDPR strengthens the controls that organisations (controllers) are required to have in place over the processing of personal data, including pseudonymised personal data.

Headline impacts are:

  • Appointment of Data Protection Officer (DPO) mandatory for all public authorities
  • Organisations are obliged to demonstrate that they comply with the law
  • Increased penalties for breaches of the Regulation
  • Legal requirement for security breach notification
  • No charges, in most cases, for providing copies of staff and patient records
  • Requirement to keep records of data processing activities
  • Data Protection Impact Assessments (DPIA) are required for high risk processing activity - which includes the large-scale processing of health-related personal data
  • Data protection risks must be reviewed and addressed in information processes
  • Transparency and fair processing requirements have been included
  • Tighter rules are applied where consent is the lawful basis for processing

6. What is a Data Protection Impact Assessment (DPIA)?

A DPIA is a mechanism for identifying, quantifying and mitigating data privacy risks. It is undertaken to ensure appropriate controls are in place whenever a new process, system or way of working involving the use of high-risk data (i.e. health data) is introduced.

7. What/who is the Data Protection Officer (DPO)?

The DPO is responsible for monitoring the organisation's compliance with the GDPR. The DPO reports directly to an organisation's highest management level and may not be disciplined or dismissed for carrying out their tasks as a DPO.

8. Who can be a DPO?

Organisations must ensure that the DPO role is independent, free from conflict of interest. DPOs may be shared by multiple organisations that are 'public authorities' taking into account organisational structure and size, and may be either a member of staff or may fulfil the tasks on the basis of a service contract, provided there is no conflict of interest.

9. Do you need to re-seek consent if already obtained for the purposes of sharing data?

  • It will not be necessary to seek new consent if your existing consents are GDPR compliant although you will need to ensure that you have compliant documentation and consent withdrawal mechanisms in place.
  • If your existing consents do not meet the GDPR's requirements, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure the continued processing is transparent and fair, for example that the data subjects' rights and freedoms are not undermined through a change in processing), or stop the processing
  • Any exercise to contact individuals to refresh consent must comply with the Data Protection Act and Privacy and Electronic Communications Regulations (PECR)

10. How will the right to erasure be applied in a healthcare setting?

  • A data subject's right to erasure is a fundamental right. However, it must be applied sensibly. There are legitimate areas under the GDPR where processing can lawfully continue and such a request refused. For example, where there is a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • There are other instances such as public interest in the area of public health (related to specific articles) or archiving
  • This right aims to strengthen the ability to remove information made available online especially when made public by a child and making this right available when they are an adult
  • A request from a data subject exercising this right should be taken seriously and reviewed on a case by case basis. Where it is legitimately not possible to erase the information, this should be communicated to the data subject promptly as per the requirements under Article 15 (right of access)

11. Is there a standard format to releasing information to the patient?

No. The GDPR describes what information should be provided to the patient but not the format in which it should be provided.


© Wye Valley NHS Trust 2020