This privacy notice explains what we do with your personal information where we care for you or have provided care to you. It tells you:
Our Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and our registration number is ZB173305.
Please note that the information contained in this privacy notice is applicable to all Royal Berkshire NHS Foundation Trust sites:
"Personal data" means information relating to a natural (living) person or "data subject", which can be used to identify the person. This provides for a wide range of information to constitute personal data, for example:
Special category of personal data
"Special category of personal data" means information that is thought to be "extra sensitive", such as ethnicity, sexual orientation and religion.
"Data controller" means the organisation that determines or decides the purposes, conditions and means of the processing of personal data.
"Processing" means anything that is done to the personal data we hold.
"Pseudonymisation" is the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information.
We are Royal Berkshire NHS Foundation Trust and our head office is located at Craven Road, Reading RG1 5AN. We are a data ‘controller’; this means that we are responsible for deciding how we use your personal information.
In order to look after your health and care needs, the Trust may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care provider organisations, for example neighbouring GP practices, hospitals and NHS 111. We may also use the contact details we hold for you to send you public health messages, by text or email.
We may also share your personal/confidential information with non-NHS organisations commissioned by NHS England to provide primary care services to you. This includes Ask A&E App. Ask A&E App is an online symptom checker that is used by the Trust during the Covid-19 period to enable the patient to check their symptoms and get answers without having to go to the Trust A&E. A copy of the Ask A&E App privacy notice is available on their website and also accessible via this link: https://www.babylonhealth.com/terms/privacy
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.
We also participate in research with other acute hospital providers, renowned universities and selected private organisations with the aim to establish any trends and find a vaccine or cure. Where possible, we will anonymise your data and ensure the data is kept in a safe and secure environment, with minimal access by others.
Where possible, the Trust conducts appointments via video conferencing applications.
Our legal basis to process your personal information in these types of consultations does not differ from usual, face-to-face consultations as the Trust is still providing you with direct, medical care. Therefore, the legal basis for the Trust conducting video conferencing is “the performance of a task carried out in the public interest” under Art 6 (1) (e) GDPR and the “provision of health or social care or treatment or the management of health or social care systems and services” under Art 9 (2) (h) GDPR in combination with Schedule 1, Part 1, section 2(2) DPA.
By clicking on the video link to begin the consultation, you are providing your consent and agreement for the consultation to take place over the video call. Your personal/confidential patient information will be safeguarded in the same way as we would under normal circumstances.
We process your personal data in the main because the processing is necessary for the purposes of a contract of employment we have with you. In some cases, we may process information only once we have received your consent for us to do so. In other cases, we will process data in order to comply with legal requirements, both contractually and non-contractually. The reasons for which we may process your personal data may include (but are not limited to):
Surveying of staff to support organisational initiatives
There are a number of reasons why we may have to share your personal information with third parties for example:
The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.
If you choose to opt out of sharing your data, your personal health information will still be used to make sure you get the treatment and care you need. For example, your data may be shared so that you can be referred to hospital or get a prescription.
Patients can view or change their national data opt-out choice at any time by using the online service at www.nhs.uk/your-nhs-data-matters or by clicking on "Your Health" in the NHS App, and selecting "Choose if data from your health records is shared for research and planning".
For further information, please visit the NHS Digital website
National data opt-out statistics
Statistical analysis of national data opt-outs and how they might affect data used for research and planning.
Why and how we process your data in the National Data Opt-Out and your rights.
The Trust would not share information that identifies you unless it has a fair and lawful basis to do so:
The Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.
All information that the Trust holds about you will be held securely and confidentially. The Trust uses administrative and technical controls to do this, and uses strict controls to ensure that only a limited number of authorised staff are able to see information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.
All of the Trust's staff, contractors and committee members receive role-appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
The Trust needs to hold and maintain information about your health, treatment and care, so that you can be given proper, necessary and effective treatment.
As part of the Trust’s requirements under the law, it must demonstrate a clear legal reason for collecting, using, sharing and retaining personal data about you. For personal data used in the provision of health and social care our basis is outlined as ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority’ under 6(1)(e) of GDPR. This is because the Trust is a public organisation providing a healthcare service and is required to use names, addresses or other personal data to deliver this.
The Trust’s legal basis for using sensitive personal data (called ‘special categories of personal data’ under GDPR) is that this is necessary for the ‘provision of health or social care or treatment or the management of health or social care systems and services’ under 9 (2) (h) of GDPR. This is because the Trust must use health and social care information about you in the delivery of your care.
These points also cover the use of data for clinical audits, service improvement and sharing with other health or social care providers when necessary as part of our service delivery.
There may be times when the Trust uses different legal bases for other services it provides (e.g. research). In most instances, the information will be made anonymous so that you cannot be identified. If this is not possible, we will ask your permission and may have to request approval from the NHS Health Research Authority's Confidentiality Advisory Group. In some instances, Confidentiality Advisory Group approval may already be in place if the information requested is part of a research project.
The Health Research Authority has further details on patient information and health and care research accessible via this link: https://www.hra.nhs.uk/information-about-patients/.
For further information on this, please refer to the NHS Health Research Authority at: https://www.hra.nhs.uk/about-us/committees-and-services/confidentiality-advisory-group/ and the Health Research Authority at: https://www.hra.nhs.uk/information-about-patients/
We collect personal information about you in a number of ways. This can be from referral details from your GP or another hospital, or directly from you or your authorised representative.
It is likely that we hold the following personal information about you:
We might also hold your email address, marital status, occupation, overseas status, place of birth and preferred or maiden name.
In addition to the above, we may hold special category personal information about you, which could include:
This personal information can be held in a variety of formats, including paper records, electronically on computer systems, in video and audio files.
It is important for us to have a complete picture of you, as this will assist staff to deliver appropriate treatment and care plans in accordance with your needs.
Your records are used to directly manage and deliver healthcare to you to ensure that;
Staff information we hold:
The Trust's records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment.
The Trust's records may be held on paper or in a computer system. Where possible, we will always look to anonymise/pseudonymise your personal information to protect patient confidentiality, unless there is a legal basis that permits us to use it and we will only use or share the minimum information necessary.
To help provide the best possible care, sometimes the Trust will need to share your information with others. For example, we may share your information for healthcare purposes with health authorities such as NHS England, Public Health England, other NHS trusts, General Practitioners (GPs), ambulance services, primary care agencies etc. We will also share information with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs.
The Trust works with a number of other NHS organisations, independent treatment centres and clinics to provide patients with the best possible care. To support this, information about you may be securely shared. This includes;
Berkshire and Surrey Pathology Services (BSPS)
BSPS is contracted to provide pathology services to patients on behalf of the Trust.
Connected Care Group
Local shared care records (Connected Care) are used by the Trust to share some key information from your records with other organisations, health, and social care professionals who may be involved in your care.
Role based access controls are implemented within the local shared care record systems and these controls make certain that only those roles that have a legitimate reason to access your data can do so. In addition to the technical access controls, all organisations that have been granted access to the local shared care records have committed to perform regular audits to ensure that the controls are properly applied.
The various types of organisation that may be required to view relevant aspects of your data using the local shared care record include:
1. Independent sector health care providers (when you have been referred to them);
Other health and social care organisations contribute the following types of data to your local shared care record: 1. Alerts, allergies, risks and warnings; 2. Admissions and discharges; 3. Ambulance, NHS 111 and Out of Hours calls; 4. Care plans; 5. Carer Details; 6. Diagnostic tests, imaging, results and reports; 7. Electronic documents and letters; 8. Next of kin; and 9. Referrals, appointments and consultations.
There are three main local care records that are made available to support your care across the local health and social economy. These are: 1. Share Your Care (which is also known as Connected Care). This local shared care record consolidates your important local data from all sources for access by authorised professionals when you need it; 2. The GP clinical system used in practices and other non-hospital settings that can provide near real-time access to your GP data when you are being cared for elsewhere in the local health care economy; and 3. The local pathology and diagnostic system that can provide details of your tests and diagnostic reports to authorised professionals elsewhere in the local health care economy when you need it.
Your rights in respect of these local shared records are summarised below: 1. As required by law, you have a right to request a copy of your local shared care record. 2. You also have a right to request that errors in your records be corrected. 3. For some uses of your data, you also have the right to object to your data being processed.
We aim to comply with these rights at all times.
For your benefit, the Trust may also need to share some of your patient information with non-NHS organisations involved in your care. This might include organisations such as local authorities, social services, education services, the police, voluntary and private sector health and social services providers, and private healthcare companies. Private patient information may also be shared with insurers, debt collection agencies or third parties involved in the payment or delivery of care and this may include transfers to home countries outside the UK.
Where sharing involves a non-NHS organisation outside the clear scope of care delivery, a specific information sharing protocol is put in place to ensure that only relevant information is shared and that this is done securely in a way that complies with the law.
Outside of providing healthcare, unless there are exceptional circumstances (such as a likely risk to the health and safety of others) or a valid reason permitted by law, the Trust will not disclose to third parties, without consent, any information that can be used to identify individuals.
The Trust outsources a limited number of administration and IT support services to external organisations. The majority of companies are based within the European Economic Area (EEA) and all services are provided under specific contractual terms, which are compliant with UK data protection legislation. The Trust (or third parties acting on our behalf) may store or process information that the Trust collects about you in countries outside the EEA.
Where the Trust makes a transfer of your personal information outside of the EEA, a risk assessment is undertaken to ensure appropriate levels of security are in place before the transfer.
There may also be situations where we are under a duty to share your information due to a legal requirement. This includes, but is not limited to;
The Trust is required to send statutory information to the Department of Health, which is then held centrally and strictly controlled by NHS Digital. This organisation takes advice from an independent board called the Security and Confidentiality Advisory Group, which reports to the government Chief Medical Officer.
The Trust is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to the Trust in confidence will only be used for the purposes explained to you and to which you have consented, unless there are exceptional circumstances, such as:
If you do not agree to certain information being processed or shared with the Trust or by the Trust, or have any concern, then please let us know.
You have the right to refuse/withdraw consent to information sharing at any time. The possible consequences can be fully explained to you and could include delays in receiving care. If you wish to discuss withdrawing consent, please contact the Trust's Patient Relations team either by calling 0118 322 8338 or email firstname.lastname@example.org
The NHS Constitution states, “You have the right to request that your confidential information is not used beyond your own direct care and treatment and to have your objections considered”.
Direct care is defined as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of an individual.
Indirect care is defined as work within the health and social care environment which does not involve the direct treatment or support of individuals e.g. research, commissioning and much of the work done in public health.
For further information and support about National Opt-Out, please contact NHS Digital Contact Centre at email@example.com referencing ‘Type 2 Opt-Outs – Data Request’ in the subject line, or by calling on 0300 303 5678. You can also visit their website: http://digital.nhs.uk/article/7092/Information-on-type-2-opt-outs
To access the personal data we hold about you, please contact our Information Governance Team via;
Royal Berkshire NHS Foundation Trust
To access a copy of your medical records, please contact the medical records team via;
By email: firstname.lastname@example.org
Access to Medical Records
Royal Berkshire NHS Foundation Trust
The Trust will hold Subject Access Requests for 3 years after closure at which time the retention period will be reviewed on an individual basis. If a Subject Access Request has been subject to an appeal the Trust will be required to hold your information for 6 years after closure at which time your information will be destroyed.
Your personal information may be held in both paper and electronic formats and will be held for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care 2016 and National Archives Requirements.
We hold and process your information in accordance with the General Data Protection Regulation (GDPR) in conjunction with the Data Protection Act 2018, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.
We have a duty to:
Your personal information will only be kept for as long as is necessary and will be destroyed in accordance with the guidance of NHS Digital Records Management Code of Practice for Health and Social Care 2016, and Trust Policy [CG059].
The Trust has an Executive Director responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian who oversees the arrangements for the use and sharing of patient information. The Caldicott Guardian plays a key role in ensuring that the NHS, Councils with Social Services and Public Health responsibilities and Partner Organisations satisfy the highest practical standards for handling patient information. Acting as the ‘conscience’ of the Trust, the Caldicott Guardian actively supports work to enable information sharing where it is appropriate to share and advises on options for lawful and ethical processing of information.
The Caldicott Guardian for this organisation is:
Name: Dr William Orr
Title: Interim Chief Medical Officer
Phone: 0118 322 7230
The Trust has a Data Protection Officer (DPO) responsible for monitoring compliance with the GDPR and other data protection legislation, the organisation's data protection policies, awareness-raising, training and audits. The DPO acts as the contact point with the ICO, our employees and the public. They co-operate with the ICO and will consult on any other matter relevant to Data Protection. If you have any queries during this time with how your personal data is being processed by the Trust, please contact the Data Protection Officer:
Via Email: Caroline.Lynch@royalberkshire.nhs.uk
Corporate Governance Department
Royal Berkshire NHS Foundation Trust
Craven Road, Reading
Berkshire RG1 5AN
For independent advice about data protection, privacy and data-sharing issues, you can contact the Information Commissioner (ICO):
The ICO is the Regulator for GDPR and offers independent advice and guidance on the law and personal data, including your rights and how to access your personal information.
Postal: Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Phone: 08456 306060 or 01625 545745
If you have any questions or concerns regarding how we use your information, please contact us at:
Postal: Royal Berkshire NHS Foundation Trust, Craven Road, Reading, Berkshire, RG1 5AN
Royal Berkshire NHS Foundation Trust tries to meet the highest standards when collecting and using personal information. For this reason, the Trust takes any complaints it receives about this very seriously. The Trust encourages people to bring their concerns to its attention if they think that the Trust's collection or use of information is unfair, misleading or inappropriate. The Trust would also welcome any suggestions for improving its procedures.
You have the right to complain to the Information Commissioner's Office (the ICO) if you are not satisfied with the way we use your information.
You can contact the ICO by writing to:
Information Commissioner's Office
Mrs Caroline Lynch
Data Protection Officer
Royal Berkshire NHS Foundation Trust
Tel: 0118 322 5335
Mr Clive Wewerka
Health Records Manager
Royal Berkshire NHS Foundation Trust
Tel: 0118 322 8163
Dr Will Orr
Acting Chief Medical Officer
Tel: 0118 322 7230
Senior Information Risk Owner
Chief Finance Officer & Senior Information Risk Owner
Tel: 0118 322 6904