How your personal data is being used by NHS Royal Berkshire NHS Foundation Trust
Who we are?
Royal Berkshire NHS Foundation Trust is one of the largest general hospital Foundation Trusts in the country. The Trust provides acute medical and surgical services to Reading, Wokingham, and West Berkshire and specialist services such as cancer, dialysis and eye surgery to a wider population across Berkshire and its borders.
The Trust takes the same care of your information as we do about your health. For more information about how we protect and use your personal information, please continue to read the Trusts Fair Processing Notice.
The Trust is committed to being open about the information it collects about you, how it uses this information, with whom it shares it with, and how it stores and secures it. The Trust recognises the importance of protecting personal and confidential information in all that we do, and takes care to meet its legal obligations and other duties, including compliance with the EU General Data Protection Regulation, Data Protection Act 1998, the Human Rights Act 1998, the common law duty of confidentiality, and other relevant legislation.
What is this Fair Processing Notice About?
A Fair Processing Notice (also known as a Privacy Notice) lets you know what happens to any personal data that you may give the Trust or that it may collect from you or about you (as a patient, family member, carer or visitor). This notice is issued by the Royal Berkshire NHS Foundation Trust as a healthcare provider, and covers the information it holds about our patients, their families, and other individuals who may use our service.
If you require any additional information or explanation, requests for this should be sent to:
Postal: Royal Berkshire NHS Foundation Trust, Craven Road, Reading, Berkshire, RG1 5AN
Phone: 0118 3225335
The Trust will keep its Fair Processing Notice under regular review. This notice was last reviewed and updated on the 24 May 2018, in line with the new General Data Protection Regulation (EU) 2016/679 (GDPR).
Our commitment to Data Privacy and Confidentiality Issues
Royal Berkshire NHS Foundation Trust are committed to protecting your privacy and will only process data in accordance with the Data Protection Legislation. This includes the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act (DPA) 2018, the Law Enforcement Directive (Directive (EU) 2016/680) (LED) and any application national Laws implementing them as amended from time to time.
In addition, consideration will be given to all applicable Law concerning privacy, confidentiality, the processing and sharing of personal data including the Human Rights Act 1998, the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality and the Privacy and Electronic Communications (EC Directive) Regulations.
Royal Berkshire NHS Foundation Trust is a Data Controller as defined under the GDPR. The Trust is legally responsible for ensuring that all personal information which it processes i.e. hold, obtain, record, use or share about you, is done in compliance with the Data Protection Principles as set out in Article 5 under GDPR.
All data controllers must notify the Information Commissioners Office (ICO) of all personal information processing activities. The Trusts ICO Data Protection Register number is Z7044786 and our entry can be found in the Data Protection Register on the Information Commissioners Office website.
Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a care on behalf of the NHS, will use records about you in ways that respect your rights and promote your health and wellbeing.
The Trust would not share information that identifies you unless it has a fair and lawful basis such as:
The Trust is required by law to protect the public funds its administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.
All information that the Trust holds about you will be held securely and confidentiality. The Trust uses administrative and technical controls to do this, and uses strict controls to ensure that only a limited amount of authorised staff are able to see information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.
All of the Trusts staff, contractors and committee members receive role appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
Personal Information we collect and hold about you
As a healthcare provider the Trust needs to hold information about its patients to help ensure that they receive proper, necessary and effective treatment. The information includes:
The information the Trust holds about you helps it to:
The Trusts records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment.
The Trusts records may be held on paper or in a computer system.
The types of information that we may collect and use include the following:
Legal basis for using your data
As part of the Trusts requirements under the law, it must demonstrate clear legal reason for collecting, using, sharing and retaining personal data about you. For personal data used in the provision of health and social care our basis is outlines as ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority’ under 6(1)(e)of GDPR. This is because the Trust is a public organisation providing a healthcare service and is required to use names, addresses or other personal data to deliver this.
The Trusts legal basis for using sensitive personal data (called ‘special categories of personal data’ under GDPR) is that this is necessary for the ‘provision of health or social care or treatment or the management of health of social care systems and service’ under 9 (2) (h) of GDPR. This is because the Trust must use health and social care information about you in the delivery of your care.
These points also cover the use of data for clinical audits, service improvement and sharing with other health or social care providers when necessary as part of our service delivery.
There may be times when the Trust uses other different legal bases for other services it provides (e.g. research):
Do we share your information with anyone else?
To help provide the best possible care, sometimes the Trust will need to share your information with others (which may include information about you or a family member). However, any sharing of information will always be governed by specific rules and laws ensuring the security, access and transfer of any data is protected. The Trust shares information with a range of health and social care organisations and regulatory bodies. As a patient/carer, you may be contacted by any one of these organisations for a specific reason, and they will have a duty of telling you why they have contacted you.
The Trust works with a number of other NHS organisations, independent treatment centres and clinics to provide patients with the best possible care. To support this, information about you may be securely shared.
For your benefit, the Trust may also need to share some of your patient information with authorised non-NHS authorities and organisations involved in your care. This might include organisations such as local authorities, social services, education services, the police, voluntary and private sector health and social services providers, and private healthcare companies. Private patient information may also be shared with insurers, debit collection agencies or third parties involved in the payment or delivery of care and this may include transfers to home countries outside the UK.
Where sharing involves a non-NHS organisation outside the clear scope of care delivery, a specific information sharing protocol is put in place to ensure that only relevant information is shared and this is done securely in a way which complies with the law.
Outside of providing healthcare, unless there are exceptional circumstances (such as a likely risk to the health and safety of others) or a valid reason permitted by law, the Trust will not disclose any information to third parties which can be used to identify individuals without consent.
Royal Berkshire NHS Foundation Trust outsources a limited number of administration and IT support services to external organisations. The majority of companies are based within the European Economic Area (EEA) and all services are provided under specific contractual terms, which are compliant with UK data protection legislation. The Trust (or third parties acting on our behalf) may store or process information that the Trust collect about you in countries outside the EEA. Where the Trust makes a transfer of your personal information outside of the EEA it will take the required steps to ensure that your personal information is protected to the standard required by UK and EU law. All flows of information outside of the EEA are annually reviewed.
Only organisations with a legitimate requirement will have access to personal information and only under strict controls and rules.
The Trust will not sell personal information for any purpose, and will not provide third parties with your information for the purpose of marketing or sales.
Sometimes the Trust is required by law to disclose or report certain information which may include details which identify you. However, this is only done after formal authority by the Courts or by a qualified health professional. This may include reporting a serious crime or identification of an infectious disease that may endanger the safety of others. Where this disclosure is necessary, only the minimum amount of information is released.
The Trust is required to send statutory information to the Department of Health, which is then held centrally and strictly controlled by NHS Digital. This organisation takes advice from independent board called the Security and Confidentiality Advisory Group, which reports to the government Chief Medical Officer.
There may also be occasions when the Trust is reviewed by an independent auditor, which could involve reviewing randomly selected patient information to ensure the Trust is legally complaint.
Some health records are needed to teach student clinicians about rare cases and diseases. Without such materials, new doctors and nurses would not be properly prepared to treat patients. It is also possible that individuals, such as student nurses, allied health professionals and medical students are receiving training in the service that is caring for you. If staff would like a student to be present, they will always ask you for your permission and you have the right to refuse without this affecting the care or treatment that your child is receiving.
The Trust also undertake audits within the Trust as part of our duty to review the care we provide to ensure it is of the highest standard and quality. Whenever possible the Trust will do this in an anonymised format but your information will only be accessible to appropriate NHS staff.
GDPR provides the following rights for individuals:
If you do not agree to certain information being processed or shared with the Trust or by the Trust, or have any concern, then please let us know.
You have the right to refuse/withdraw consent to information sharing at any time. The possible consequences can be fully explained to you and could include delays in receiving care. If you wish to discuss withdrawing consent please contact the Trusts Patient Relations team either by calling 0118 322 8338 or email firstname.lastname@example.org .
What is the Patient Opt-Out?
The NHS Constitution states “You have the right to request that your confidential information is not used beyond your own direct care and treatment and to have your objections considered”.
Direct care is defined as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation or suffering of an individual.
Indirect care is defined as work within the health and social care environment which does not involve the direct treatment or support of individuals e.g. research, commissioning and much of the work done in public health.
There are several forms of opt-outs available at different levels. These include for example:
Information directly collected by the Trust:
Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, unless there is no overriding legal obligation.
Information not directly collected by the Trust, but collected by organisations that provide NHS services:
Type 1 opt-out
If you do not want personal confidential information that identifies you to be shared outside your GP practice, for purposes beyond your direct care, you can register a ‘Type 1 Opt-Out’ with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
Patients are only able to register an opt-out with their GP practice.
Records for patients who have registered a ‘Type 1 Opt-Out’ will be identified using a particular code that will be applied to your medical records that will stop your records from being shared outside of your GP practice.
Type 2 opt-out
NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. They have a legal duty to do this but also have an obligation to ensure the information is used and shared appropriately and safely, more information about this is available on NHS Digital website.
To support NHS constitutional rights, patients within England are able to opt out of their personal confidential information being shared by NHS Digital for purposes other than their own direct care; this is known as a ‘Type 2 Opt-Out’.
If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a ‘Type 2 Opt-Out’ with your GP practice.
Patients are only able to register an opt-out at their GP practice.
For further information and support about Type 2 Opt-Outs, please contact NHS Digital Contact Centre at email@example.com referencing ‘Type 2 Opt-Outs – Data Request’ in the subject line, or by calling on 0300 303 5678. You can also visit their website: http://digital.nhs.uk/article/7092/Information-on-type-2-opt-outs .
There may be occasions when it is not possible to exercise your right to “Opt-Out”; this will be in situations such as when we have an obligation by law or for the purposes of safeguarding.
It is also important to note that by exercising your right to “Opt-Out”, there could be consequences. These situations will be discussed with you by your GP or by NHS Digital depending on whether you choose Type 1 Opt-Out or Type 2 Opt-Out.
Complaints or questions
Royal Berkshire NHS Foundation Trust tries to meet the highest standards when collecting and using personal information. For this reason, the Trust takes any complaints it receives about this very seriously. The Trust encourages people to bring their concerns to its attention if they think that the Trusts collection or use of information is unfair, misleading or inappropriate. The Trust would also welcome any suggestions for improving its procedures.
Subject Access Request (Exercising the Right of Access)
Individuals can find out if the Trust holds any personal information by making a request under the Right of Access under GDPR, more commonly called a ‘Subject Access Request’.
If the Trust do hold information about you it will:
The Trust will hold Subject Access Requests for 3 years after closure at which time the retention period will be reviewed on an individual basis. If a Subject Access Request has been subject to an appeal the Trust will be required to hold your information for 6 years after closure at which time your information will be destroyed.
For further information on how to make a request go to: http://www.royalberkshire.nhs.uk/freedom-of-information.htm .
If you require further advice, you can contact us on:
Postal: Freedom of Information Act Co-ordinator, Department of Corporate Governance, Royal Berkshire NHS Foundation Trust, London Road, Reading, RG1 5AN
Royal Berkshire NHS Foundation Trust will approach the management of its business records in line with its Records Management Policy which sets out roles and responsibilities for records management and the key operating principles for record keeping across the business and manages records in line with the Records Management NHS Code or Practice for Health and Social Care which sets the required standards of practice in the management of records for those who work within or under contract to NHS Organisation in England, based on current legal requirements and professional best practice.
The Trust records shall not be retained indefinitely. At the end of the retention, records shall be disposed of. In most cases this will mean controlled destruction; a small percentage of records may become archived meaning that they will be retained indefinitely under the Public Records Act.
Confidentiality Advice and Support
The Trust has an Executive Director responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian who oversees the arrangements for the use and sharing of patient information. The Caldicott Guardian plays a key role in ensuring that the NHS, Councils with Social Services and Public Health responsibilities and Partner Organisations satisfy the highest practical standards for handling patient information. Acting as the ‘conscience’ of the Trust, the Caldicott Guardian actively supports work to enable information sharing where it is appropriate to share and advises on options for lawful and ethical processing of information.
The Caldicott Guardian for this organisation is:
Name: Lindsey Barker
Title: Medical Director
Phone: 0118 322 7445
The Trust has a Data Protection Officer (DPO) responsible for monitoring compliance with the GDPR and other data protection legislation, the organisations data protection policies, awareness-raising, training and audits. The DPO acts as the contact point with the ICO, our employees and the public. They co-operate with the ICO and will consult on any other matter relevant to Data Protection.
The DPO for this organisation is:
Name: Caroline Lynch
Title: Trust Secretary
Phone: 0118 322 5335
Information Governance is to do with the way organisation ‘process’ or handle information. It covers personal information relating to patients, service users, employees, and corporate information (financial and accounting records)
The organisations that we do business with are subject to the same legal rules and conditions for keeping personal confidential data and secure and are underpinned by a contract with us.
Before awarding any contract, we seek to ensure that organisation will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.
If you have any questions or concerns regarding how we use your information, please contact us at:
Postal: Royal Berkshire NHS Foundation Trust, Craven Road, Reading, Berkshire, RG1 5AN
For independent advice about data protection, privacy and data –sharing issues, you can contact the Information Commissioner (ICO):
Postal: Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire ,SK9 5AF
Phone: 08456 306060 or 01625 545745
How to make a formal complaint about a health service
Many complaints can be resolved quickly by discussing them directly with the person providing the service or the manager concerned. However, if you do want to make a formal complaint, let us know as soon as possible, as there is a time limit of 12 months, although this can be waivered depending on the circumstances.
Independent Primary Care Contractors
If you have a comment or complaint about a GP, dentist, pharmacy or optician that cannot be resolved by the Practice Manager, you can contact NHS England.
Phone: 0300 311 2233
Address: NHS England, PO Box 16738, Redditch, B97 9PT
Health Service Ombudsman
We do our best to resolve your complaint however, if you feel that not all of the issues have been addressed, please let us know so that we can agree a way forward. After this, if we agree that local resolution has not been achieved and you remain unhappy with the outcome, it can be referred to the Parliamentary and Health Service Ombudsman (PHSO).
The Ombudsman is totally independent and will review your complaint. The Parliamentary and Health Service Ombudsman may investigate complaints on your behalf, but only if your complaint has already been investigated and all attempts at a local resolution have been exhausted. There is no charge for this service.
Phone: 0345 015 4033
Address: The Parliamentary and Health Service Ombudsman, Millbank Tower, Millbank, London, SW1P 4QP
Independent Complaints Advocacy Service (ICAS)
If you would like to receive independent advice from someone about the NHS complaints process, please contact Healthwatch Reading, who will offer help and support to those wishing to make a formal complaint about the NHS and can help you to write your letter of complaint and accompany you to any meetings.
Address: Healthwatch Reading, 3rd Floor, Reading Central Library, Abbey Square, Reading, RG1 3BQ
Phone: 0118 937 2295
Further information about the way in which the NHS uses personal confidential data and your rights in that respect can be found in:
The NHS Care Record Guarantee:
This guarantee is a commitment that NHS organisations and those providing care on behalf of the NHS will use records about you in way that respect your rights and promote your health and wellbeing.
The NHS Constitution:
The Constitution establishes the principles and values of the NHS in England. It sets out rights to which patients, public and staff are entitled, and pledges which the NHS is committed to achieve, together with responsibilities, which the public, patients and staff owe to one another to ensure that the NHS operates fairly effectively.
To share or not to share? Information Governance Review:
This was an independent review of information about service users shared across the health and care system led by Dame Fiona Caldicott and was conducted in 2012.
NHS Digital – Guide to Confidentiality:
NHS Digital are the trusted national provider of high-quality information, data and IT systems for health and social care and are responsible for collecting data from across the health and social care system.
Information Commissioner’s Office (ICO):
The ICO is the Regulator for GDPR and offer independent advice and guidance on the law and personal data, including your rights and how to access your personal information.
Health Research Authority
The HRA protects and promotes the interests of patients and the public in health and social care research.