Northern Lincolnshire and Goole NHS Foundation Trust privacy statement.
Coronavirus (COVID-19): notification to organisations to share information
Notification to healthcare organisations, GPs, local authorities and arm’s length bodies that they
should share information to support efforts against coronavirus (COVID-19).
Northern Lincolnshire & Goole Foundation Trust is working to ensure that the spread of COVID-19 Coronavirus is minimised.
The Secretary of State for Health and Social Care has directed NHS Digital to collect and analyse data from providers and other organisations involved in managing the Covid-19 response and then disseminate information and analysis to other bodies for the purpose of planning and managing the response. This direction was given under ss254 and 255 of the Health and Social Care Act 2012 (2012 Act). Northern Lincolnshire & Goole Foundation Trust have been given legal notice to act under the same Directions as NHS Digital and this is to ensure that confidential patient information can be used and shared appropriately and lawfully for the purposes of Covid-19 response. Link to NHS Digital.
Coronavirus (COVID-19) testing: privacy information
Privacy notice on COVID-19 virus testing for critical workers and their household members who are self-isolating because they’re showing symptoms. Link to Government guidance
- Coronavirus (COVID-19): notification to organisations to share information
- Coronavirus (COVID-19) testing: privacy information
- Security of Information and our Data Protection Officer
- How do we obtain your information?
- Why do we collect information about you and what information do we hold?
- How your personal information is used
- Who do we share personal information with?
- Data Privacy Impact Assessments DPIA
- National Opt-out service
- Humber Information Sharing Charter
- Disclosure of Information
- How your personal information is used to improve the NHS
- Call recording
- SMS text messaging
- Conducting video consultations
- Sending Data Overseas
- Patient Portal
- Digital appointment letters
- Retaining information
- How you can access your records
- What if I have concerns about how the Trust is handling my data?
- Your duty to inform us of a change
Security of Information and our Data Protection Officer
All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to both the common law duty of confidence and the Data Protection Act18.
The processing of personal data in the delivery of health care and for providers’ administrative
purposes in this Hospital Trust and in support of health care elsewhere is supported under the
following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the
exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the
assessment of the working capacity of the employee, medical diagnosis, the provision of health or
social care or treatment or the management of health or social care systems and
We will also recognise your rights established under UK case law collectively known as the “Common
Law Duty of Confidentiality”* Further details on the Common Law Duty of Confidentiality are provided, below.
Confidentiality affects everyone: Northern Lincolnshire & Goole NHS Foundation Trust collects, stores and uses large amounts of personal data every day, such as medical records, personal records and computerised information. This data is used by many people in the course of their work.
We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.
At Trust Board level, we have appointed a Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality.
The Trust has a Data Protection Officer who ensures the Trust is accountable and compliant with General Data Protection Regulation (GDPR), and Data Protection Act 2018. Our Data Protection Officer is Susan Meakin and can be contacted through:
New Beacon House
The Trust is registered with the Information Commissioner’s Office (Registration Number Z6405159).
Under the NHS Confidentiality Code of Conduct, all our staff are required to protect your information, and inform you of how your information will be used. Everyone working for the NHS is subject to the common law of duty of confidentiality.
All staff are required to undertake annual mandatory information governance training which includes data security. This ensures that staff are aware of their information governance responsibilities and follow best practice guidelines, ensuring the necessary safeguards and appropriate use of person-identifiable and confidential information.
How do we obtain your information?
We obtain information from you yourself; generate it as part of the care and treatment we provide you, and sometimes from other professionals involved in your care or treatment such as your GP. We may sometimes receive information from family members, social services, the police or other sources.
Why do we collect information about you and what information do we hold?
The doctors, nurses and team of healthcare professionals caring for you keep records about your health and any treatment and care you receive from the NHS. These records help to ensure that you receive the best possible care. They may be written down in paper records or held on computer. These records may include:
- Basic details about you such as name, address, date of birth, next of kin, etc
- Contact we have had with you such as appointments, clinic visits, and inpatient stays
- Notes and reports about your health, treatment and care
- Results of x-rays, scans and laboratory tests
- Relevant information from people who care for you and know you well, such as health professionals and relatives
- Visual images, personal appearance and behaviour, for example CCTV images are used for crime prevention and to enhance quality of care, treatment and patient safety at all times in certain high dependency areas.
- Job applicants, current and former Trust employee’s details
- Guest WiFi is available on the Trust sites
- Trust members.
It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.
How your personal information is used
Your records are used to direct, manage and deliver the care you receive to ensure that:
- Primarily to provide you high quality care that is safe and effective, taking into consideration you as an individual and ensuring care is relevant to you
- The doctors, nurses and other healthcare professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you
- Healthcare professionals have the information they need to be able to assess and improve the quality and type of care you receive
- Your concerns can be properly investigated if a complaint is raised
- Appropriate information is available if you see another doctor, or are referred to a specialist or another part of the NHS
- Ensure the hospital receives payment for the care you receive
- Help train and educate healthcare professionals
- As a Foundation Trust we have a legal requirement to process membership data to ensure we have representative membership which reflects our local population.
Who do we share personal information with?
Everyone working within the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.
We will share information with the following main partner organisations:
- Other NHS Trusts and hospitals that are involved in your care
- Clinical Commissioning Groups (CCGs)
- General Practitioners (GPs)
- Ambulance Services
- NHS Digital, NHS Improvement, NHS England, Department of Health
- Care Quality Commission (CQC)
- Trusts are legally required to submit full returns of Maternity Services Data sets (MSDS)
data, as the Data Provision Notice (DPN) that will be issued under section 259(10)of the
Health and Social Care Act 2012 sets aside the common law of duty of confidence in respect
of this data
- Yorkshire and Humber Care Record website Home | Yorkshire & Humber Care Record (yhcr.org) NHS_YHCR_CareRecord_A5Leaflet V1.indd
You may be receiving care from other people as well as the NHS, for example Social Care Services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it or we have your permission. Therefore, we may also share your information, subject to strict agreement about how it will be used, with:
- Social Care Services (including Safeguarding)
- Education Services
- Local Authorities
- Voluntary and private sector providers working with the NHS
We will not disclose your information to any other third parties without your permission unless there are exceptional circumstances, such as if the health and safety of others is at risk or if the law requires us to pass on information. Information will only be shared with these other organisations where there is a statutory obligation to do so, or with the agreement of Northern Lincolnshire & Goole NHS Foundation Trust’s Calidicott Guardian.
If you choose to take part in research activities, you will be told more about how your data will be used as part of those projects.
Data Privacy Impact Assessments DPIA
All new projects processes and systems which are introduced must comply with confidentiality privacy and data protection requirements. Therefore before new processes or systems that are introduced they must be tested against a list of requirements. DPIA’s are structured assessments of the potential impact on data protection and privacy for new or significantly changed processes.
The Trust has carried out a number of DPIAs.
National Opt-out service
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.
Find out more or to register your choice to opt out. On the NHS website you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply.
You can also find out more about how patient information is used at:
- NHS Health Research Authority (which covers health and care research); and
- Understanding Patient Data (which covers how and why patient information is used, the safeguards and how decisions are made).
You can change your mind about your choice at any time.
Humber Information Sharing Charter
Organisations often need to share information. This ensures that their services benefit local people and meet their needs. But they need to make sure they share only the information that is necessary. They must also protect people’s privacy.
The Humber Information Sharing Charter supports local data sharing in a number of ways:
– It sets out rules about how local organisations share information. It helps them and local people to understand those rules and the relevant laws. It explains what organisations can and cannot share, and says with whom, how and for what purposes they can share information.
– It helps keep information-sharing correct and secure. It will enable organisations to be open about how they protect information, and let others see what they have done. It also tells people about the rules governing which details the organisations can make public, and how people can get hold of that information.
By signing the Charter, organisations show they accept the need to share information effectively and securely. They do this so they can provide services for, and improve the lives of the population they serve.
For more information and a full list of organisations that are part of this initiative, please visit the Humber Data Observatory website.
Disclosure of Information
You have the right to request that the organisation considers restricting the information processed about you and who it is shared with, recognising the legal basis for processing information is for the provision of healthcare for individuals.
How your personal information is used to improve the NHS
Your information will also be used to help us manage the NHS and protect the health of the public by being used to:
- Review the care we provide to ensure it is of the highest standard and quality.
- Ensure our services can meet patient needs in the future.
- Investigate patient queries, complaints and legal claims.
- Prepare statistics on NHS performance.
- Audit NHS accounts and services.
- Undertaking health research and development (with your consent – you may choose whether or not to be involved).
- Helping to train and educate healthcare professionals.
You can sometimes ‘opt-out’ of personalised information about you being used in connection with some of these arrangements -please contact Nlgemail@example.com
Data Protection Officer.
Telephone calls to the Trust Single point of access service:
Northern Lincolnshire and Goole NHS Foundation Trust may undertake the recording of phone calls where it is necessary, to archive the content of the call in order to provide a record for any subsequent investigation, analysis of an incident or training purposes. Indiscriminate recording or monitoring of the content of telephone calls are not undertaken. Where voice recording or monitoring of calls is undertaken, parties will be informed by means of publicity, verbal or audible warnings. Authorisation for such recording or monitoring must be obtained from the Trust’s Governance committee.
SMS text messaging
When attending the Trust for an outpatient appointment or a procedure you may be asked to confirm that the Trust has an accurate contact number and mobile telephone number for you. This can be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times.
Conducting video consultations
Where possible, the Trust will now offering appointments via video conferencing application Attend Anywhere. This is a secure NHS video service for pre-arranged appointments only.
Our legal basis to process your personal information in these types of consultations does not differ from usual, face to face consultations as the Trust is still providing you with direct, medical care. Therefore, the legal basis for the Trust conducting video conferencing is “the performance of a task carried out in the public interest” under Art 6 (1)(e ) GDPR and the “provision of health or social care or treatment or the management of health of social care systems and services” under Art 9 (2)(h) GDPR in combination with Schedule 1, Part 1, section 2(2) DPA.
By clicking on the video link to begin the consultation, you are providing your consent and agreement for the consultation to take place over the video call. Your personal/confidential patient information will be safeguarded in the same way as we would under normal circumstances. For more information about this service follow the link below.
Sending Data Overseas
On occasions your data maybe processed outside the UK, in most circumstances it will remain within the European Economic Area (EEA).The same protection would be applied as if processed within this country. If your data is transferred outside the EEA we are required to comply with the Data Protection Act, and ensure there is adequate protection is in place.
Northern Lincolnshire and Goole NHS Foundation Trust (NLaG) utilises surveillance cameras (CCTV) in and around the Trust’s sites.
The legal basis for collection of CCTV images is that processing is necessary for the purpose of the legitimate interests pursued by the controller, NLaG (GDPR Article 6(1) (f)). Our legitimate interest in doing so is in order to:
• Protect staff, patients, visitors and Trust property;
• Apprehend and prosecute offenders and provide evidence to take criminal or civil action in the courts;
• Provide a deterrent effect and reduce unlawful activity;
• Help provide a safer environment for our staff;
• Assist with the verification of claims
• Assist with Human Resource investigations which may include
o Acts which constitute Gross Misconduct in accordance with Trust policy.
o Practices that seriously jeopardise the health and safety of other staff, patients or visitors.
o Inappropriate treatment of patients.
We do not perform any covert surveillance and all buildings where CCTV is fitted will display awareness signs.
The benefits of a patient portal are highlighted in the NHS long term plan, which expects to give every patient a new digital ‘front door’ to give people secure digital access to their own health records. Patients Know Best is a national project developing across multiple services from July 2021.
It gives patients online access to their health records via a portal and lets them see their appointments, medical correspondence, test results and more.
To find out how more, visit the trust’s website at:
Digital appointment letters
A new patient portal is available where patients can view their appointment letters https://www.nlg.nhs.uk/patients/digital-appointment-letters/
We will only retain information for as long as necessary. All personal information will be kept in line with the retention periods in the Department of Health Records Management Code of Practice for Health and Social Care Records 2016.
How you can access your records
If you are a patient you have the right to obtain Access to your Health Records under General Data Protection Regulation 2018. This means you have the right to request and receive any information held on you by the hospital.
If you are a patient, relative, next of kin or personal representative of a patient, under the Access to Health Records Act 1990 (which also includes deceased patients), you also have the right to request and receive any information held within the hospital on the individual concerned.
How do I make a request to access the health records?
If you are a patient, the Next of Kin or a patient’s personal representative and wish to apply for Access to Health Records, you will be asked to complete an application form. This will assist us with collating all the relevant information you require.
The application form is supplied by the Subject Access Department. This department is centralised at Scunthorpe General Hospital. You can collect a form from the department or contact us on the telephone number below and we can send a copy in the post. We can also email you a copy electronically, the form will need to be completed, signed and scanned back to the Subject Access Department:
Contact Details for Further Information
Subject Access Department
Scunthorpe General Hospital
Direct Dial: 03033 302191
Central Trust Hospital Number: 03033 306999
We will aim to deal with requests within a month. In order to respond to requests as promptly as possible, the Trust would encourage applicants to view the health record to ensure the correct information is selected which prevents additional work in providing information which is not necessary.
Will I get charged for accessing a health record?
No – under the new General Data Protection Regulation there is no charge levied for access to your own records. We may charge a reasonable fee for administrative costs if a request (or otherwise not respond substantively to a request) is manifestly unfounded or excessive. Should this situation arise, applicants would be provided with more information about how we have reached these conclusions.
How will I receive a copy of my health records after viewing?
Paper or electronic copies of the relevant information from the health record will be provided to the applicant after they have viewed the records and decided which sections of the record are relevant in paper format. If posted they will be sent out special delivery and the recipient will have to sign for them. For further information on obtaining copies of electronic information please contact the Medico-Legal Department.
Freedom of Information
The Freedom of information Act 2000 provides any person with the right to obtain information held by Northern Lincolnshire & Goole NHS Foundation Trust, subject to a number of exemptions. If you would like to request some information from us, please visit http://www.nlg.nhs.uk/support/freedom-of-information/. Please note: if your request is for information we hold about you (for example, your health record), please instead see above, under “How You Can Access Your Records”.
Freedom of Information Department
Diana Princess of Wales Hospital
E mail address firstname.lastname@example.org
What if I have concerns about how the Trust is handling my data?
Please speak to us first. If the Trust is unable to comply with your request, or if you are unhappy about how we have used your data, you can contact the to the Information Commissioners Office.
Information Commissioner’s Office
Cheshire, SK9 5AF
Telephone: 0303 123 1113 (local rate)
Telephone: 01625 545 745 (national rate)
Fax: 01625 524 510
Your duty to inform us of a change
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.