Your information – privacy notice

The personal information we collect is provided directly from you for the following reasons: 

• you have provided information to seek care – this is used directly for your care, and also to manage the services we provide, to clinically audit our services, investigate complaints, or to be used as evidence as part of an investigation into care
• you have sought funding for continuing health care or personal health budget support
• you have signed up to our newsletter/patient participation group
• you have made a complaint

We also receive personal information about you indirectly from others, in the following scenarios:

from family members or carers to support your care

from other health and care organisations involved in your care so that we can provide you with care

Personal information

We currently collect and use the following personal information:

• Basic details about you – name, address, date of birth, next of kin and GP.
• Additional contact information such as telephone numbers (home and/or mobile) and email address.

More sensitive information

We process the following more sensitive data (including special category data):

• data relating to criminal or suspected criminal offences
• data concerning physical or mental health (for example, details about your appointments or diagnosis)
• data revealing racial or ethnic origin
• data concerning a person’s sex life
• data concerning a person’s sexual orientation
• genetic data (for example, details about a DNA sample taken from you as part of a genetic clinical service)
• biometric data (where used for identification purposes)
• data revealing religious or philosophical beliefs

We may share information with other organisations including:

• your GP practice
  • As a trusted Healthcare partner, the University Hospitals Sussex NHS Foundation Trust clinical staff have been granted read only access to a limited view of your GP electronic patient record when supporting your care.

In conjunction with your GP practice, we will ensure access to your GP electronic record is strictly controlled and monitored. If you wish to prevent the hospital from accessing your GP electronic record, please contact your GP practice who can arrange this.

• other hospitals and community organisations (e.g. community care teams, care homes etc.) providing care services
• planners of health and care services (such as Integrated Care Boards)
• specialist companies providing diagnostic and testing services you might need
• those with parental responsibility for patients, including guardians
• carers without parental responsibility (subject to explicit consent)
• medical researchers for research purposes (subject to explicit consent, unless the data is anonymous)
• bodies with statutory investigative powers such as the Care Quality Commission, the General Medical Council, the Health and Safety Executive, the Parliamentary and Health Service Ombudsman National generic registries, for example the UK and Ireland Association of Cancer Registries
• third party data processors (such as IT systems suppliers)

The Specialist Cancer Drug Funding procedures require University Hospitals Sussex NHS Foundation Trust to submit patient information to NHS England on the prior approval system (currently Blueteq) to obtain funding for specialist drugs.

These procedures have been designed to:

• provide patients with faster access to the most promising new cancer treatments.
• drive stronger value for money for taxpayers in drugs expenditure.
• offer those pharmaceutical companies that are willing to price their products responsibly, a new fast-track route to NHS funding for the best and most promising drugs via an accelerated NICE appraisal process, and a new CDF managed access scheme.

Requests for specialist cancer drugs are shared with NHS England. This information is collected, used and shared for the purposes of public health with the aim of:

• making the public healthier and reducing differences between the health of different groups by promoting healthier lifestyles, advising government and supporting action by local government, the NHS and the public
• protecting the nation from public health hazards
• preparing for, and responding to, public health emergencies
• improving the health of the whole population by sharing our information and expertise, and identifying and preparing for future public health challenges
• supporting local authorities and the NHS to plan and provide health and social care services such as immunisation and screening programmes, and to develop the public health system and its specialist workforce.
• researching, collecting and analysing data to improve our understanding of public health challenges, and come up with answers to public health problems.

For more information about NHS England and the specialist cancer drug funding please visit NHS England » Cancer Drugs Fund.

In some circumstances we are legally obliged to share information. This includes:

• when required by NHS England to develop national IT and data services
• when registering births and deaths
• when reporting some infectious diseases
• when a court orders us to do so
• where a public inquiry requires the information

We will also share information if the public good outweighs your right to confidentiality. This could include:

• where a serious crime has been committed
• where there are serious risks to the public or staff
• to protect children or vulnerable adults

We may also process your information to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality.  These purposes will include to comply with the law and for public interest reasons.

Personal information

Under the UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for using personal information is:

(e) We need it to perform a public task – a public body, such as an NHS organisation or Care Quality Commission (CQC) registered social care organisation, is required to undertake particular activities by law. See this list for the most likely laws that apply when using and sharing information in health and care.

More sensitive data

Under UK GDPR, the lawful basis we rely on for using information that is more sensitive (special category):

(h) To provide and manage health or social care (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

In our use of health and care information, we satisfy the common law duty of confidentiality because:

• you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
• we have support from the Secretary of State for Health and Care following an application to the Confidentiality Advisory Group (CAG) who are satisfied that it isn’t possible or practical to seek consent
• we have a legal requirement to collect, share and use the data.
• for specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case-by-case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service.

Your information is securely stored for the time periods specified in the Records Management Code of Practice. We will then dispose of the information as recommended by the Records Management Code for example we will:

• securely dispose of your information by shredding paper records, or wiping hard drives to legal standards of destruction.
• archive historically significant information at the West Sussex Record Office

Under data protection law, you have rights including:

Your right of access – You have the right to ask us for copies of your personal information (known as a subject access request).

You will soon be able to access your My health information through the NHS App.

Please read the My healthcare privacy information: PKB Manual – Legal (patientsknowbest.com)

Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.

• Right to object to your healthcare data being uploaded to My Healthcare Application (App) or Portal. If you wish to object to your healthcare data being uploaded to the My healthcare App, please email the Trust’s Data Protection officer: [email protected].

Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

Automated decisions

This is called automated decision making and profiling for example, completing an online aptitude test using a pre-programmed algorithm and or criteria when applying for a job vacancy with the hospital.

You can ask for information to understand the reasons behind the automated decisions. The request can be made verbally or in writing. We recommend that you follow up any verbal requests in writing by contacting the Trust’s Data Protection Officer explaining your request.

Profiling

Profiling means information about you is used to analyse or predict things like:

• The risks associated with a medical condition
  • Computerised analysis of MRI scans to improve a patient’s diagnosis and recovery performance at work
  • Your personal financial status
  • Your health, personal preferences, and interests.

You can object to the collection of profiling information if it includes direct marketing.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at [email protected] if you wish to make a request.

• we are applying the national data opt-out because we are using confidential patient information for planning or research purposes

The information collected about you when you use health and care services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• planning services
• improving the quality and standards of care provided
• research into the development of new treatments
• preventing illness and diseases
• monitoring safety

This may only take place when there is a clear lawful basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential health and care information is only used like this when allowed by law.

Whenever possible data used for research and planning is anonymised, so that you cannot be identified, and your confidential information is not accessed.

You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

The Trust participates in the use of Artificial Intelligence (AI) which is the use of digital technology to create systems that can perform tasks commonly thought to require human intelligence.

AI can help a Health and Care professional to reach a decision about your care, e.g., diagnosing a condition you have or to help you in choosing treatment options.

Decisions will not be made solely by the AI system; Health and Care professionals will always review and provide you with advice, allowing you to make the final decision on the care and treatment you receive.

Examples of where AI technology is used within the Trust:

• analysing Dermoscopic images to streamline the referral process for skin cancer and direct listing for surgery where appropriate
• comprehensive interpretation of chest x-rays and CT brain scans

Closed Circuit Television (CCTV) and Body Worn Cameras (BWC) are to assist in the prevention of crime, against persons and property and to reduce the risk of crime for Trust staff, service users and carers.

For safety and security reasons, the Trust security personnel wear BWC while on duty.  Recordings will not be continuous and security staff will make an announcement if they need to turn the cameras on. To maintain privacy and dignity, recordings will not be permitted in areas of the hospital where examinations or procedures are being undertaken or if there is likely to be nudity. Anyone present may object to the recording but will need to show the need for privacy outweighs the need to protect the public.

The Trust’s security services, including the use of CCTV and BWC, are managed internally.

The Trust remains the data controller of this data and any disclosures to third parties such as the Police, will only be done with the permission of the Trust.

Integrated Care Record (ICR)

Health and care organisations across Sussex are working to improve the care our population receives through a wide-reaching programme of digital transformation designed to use digital technology to provide better care for local people and use our resources in a more effective and efficient way.

Part of this digital transformation programme is focusing on the development of Integrated Care Records (ICRs).

An ICR enables the different health and care organisations involved in an individual’s care to access relevant information about them without the need to access multiple IT systems.

For more information, please see the Sussex Health & Care – My Health and Care Record.

The NHS Federated Data Platform (NHS FDP)

The NHS Federated Data Platform (NHS FDP) – is a series of separate data platforms, known as instances. University Hospitals Sussex NHS Foundation Trust has its own instance of the NHS FDP which makes it easier for health and care organisations to work together, compare data, analyse it at different geographic, demographic, and organisational levels and share and spread new effective digital solutions. The NHS FDP can connect and share information between health and care organisations when it’s helpful and where legal data sharing agreements are in place. For example, to discharge a patient from hospital into a care setting.

In this Trust, the NHS FDP will be used for inpatient and outpatient care co-ordination and for the RTT (Referral to Treatment Time) validation tool. The respective privacy notices for each of these areas can be reviewed using the links below:

• Inpatient CCS Privacy Notice
• Outpatient CCS Privacy Notice
• RTT Privacy Notice

The NHS FDP is not a data collection; it is software procured by NHS England that will help to connect disparate sets of data and allow them to be used more effectively for care. If you would like to find out more about this, please visit: NHS England » Data platform frequently asked questions.

Surrey, Sussex and Frimley Imaging Network (SSFIN)

The Surrey, Sussex and Frimley Imaging Network (SSFIN) is a joint venture between:

1. Ashford and St Peter’s NHS Foundation Trust (ASPH)
2. East Sussex Healthcare NHS Trust (ESHT)
3. Frimley Health NHS Foundation Trust (FHFT)
4. Queen Victoria Hospital NHS Foundation Trust (QVH)
5. Royal Surrey NHS Foundation Trust (RSFT)
6. Surrey & Sussex Healthcare NHS Trust (SASH)
7. University Hospitals Sussex NHS Foundation Trust (UHSussex)

Ashford and St Peters NHS Foundation Trust is the host organisation entering into contracts on behalf of SSFIN.

SSFIN respects your privacy and is committed to protecting your personal data.

The type of information we hold about you

In connection with providing your care, the images we take will be shared across SSFIN where we will collect, store, and use the following categories of personal and sensitive personal information about you:

• The information we receive from a clinician requesting a radiology exam for you. This includes details of your name, surname, date of birth, address, NHS number, hospital number, gender, details of the radiology exam being requested
• The information you may provide to us in connection with the radiology exam we carry out for you
• The results of your radiology exam (we will share the results with the requesting clinician).

Who is your personal information processed by?

We process personal information about you from the following sources:

• Clinicians requesting radiology exams for you.
• From the Partner Organisations which make up Surrey, Sussex and Frimley Imaging Network (SSFIN):
  • Ashford and St. Peter’s Hospitals
  • East Sussex Healthcare NHS Trust
  • Frimley Health NHS Foundation Trust
  • Queen Victoria Hospital NHS Foundation Trust
  • Royal Surrey NHS Foundation Trust
  • Surrey and Sussex Healthcare NHS Trust
  • University Hospitals Sussex NHS Foundation Trust

• Other NHS Organisations:
• Surrey, Sussex and Frimley GP practices
• Surrey and Borders Partnership NHS FT

We share with other NHS and authorised external organisations your information for direct care, when you are being treated.

How will we use information about you?

We will use the personal information we collect about you for direct care to:

Provide radiology services, which includes:

• processing, analysing and reporting to the requesting clinician on imaging taken
• providing imaging requesting and imaging delivery management tools
• for process management and improvement
• notifying you or your clinician about changes to SSFIN projects/ services and to otherwise manage our communications with you; and/or
• to comply with legal and/or regulatory requirements

Why might you share my personal information with third parties?

We may disclose/ share your information with selected third parties including:

• the Partners of SSFIN (listed above)
• suppliers, sub-contractors required for the performance of any contract SSFIN entered into with them, you or your clinician
• for the purposes of investigating any potential legal claims against SSFIN and/or any of the Partners, your information may be shared with our insurers and/or legal representatives to obtain advice and services
• national screening or public health monitoring schemes such as Public Health England

We may also share/ disclose your personal information to third parties if SSFIN and/or any of the Partners are under a duty to disclose or share your information to comply with any legal obligation, or to deliver the radiology services in the public interest.

When we share such information, we ensure that we are only sharing as much information as it required to fulfil the purpose for which we are sharing it.

We have put in place security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

We have deployed technical security measures to keep your information secure when being stored or transferred electronically, this includes ensuring all security software and encryption is up to date helping to prevent the risk of cyber-attack.

Data protection concerns and complaints

University Hospitals Sussex NHS Foundation Trust takes seriously its obligations to protect the rights and freedoms of patients, staff, volunteers, trainees, and contractors. The Trust is committed to building privacy by design and default into our systems and services, to minimise any risks to data subjects that might arise through our processing activities.

However, we recognise that there may be circumstances in which members of the public or staff raise concerns or complaints about the way the Trust is processing their personal data. The described procedure gives a framework for managing data protection complaints consistently and transparently, to ensure fair and equitable outcomes for complainants. It will also clarify the relationship between the procedure and other complaints and grievance procedures at the Trust, and related data protection procedures, such as our Data Breach Reporting Procedure and our Data Subject Access Request appeal process.

If Trust staff, or members of the public wish to refer or make a complaint, raise a query about the procedure, or otherwise need to get in touch, please contact the Information Governance team:

Confidentiality

Any complaint or concern you raise will be treated in confidence. We will only share your identity or the details of your complaint with a third party with your consent, or if it is necessary to do so to fully investigate your complaint.

Records relating to your complaint will be held securely in restricted areas of the Trust’s IT network or system. The records relating to your complaint will be retained in line with our data retention policies (for ten years from the end of the calendar year in which the final action on your complaint takes place at the time of writing).

It may be necessary during the investigation to reveal to you the identities and personal data of staff or other third parties involved in responding to the complaint. This information will be provided to you only as required, and you must always respect the confidentiality of third parties.

Grievance and representation

Any complaint or allegation cannot be made anonymously.

A third party may submit the complaint on your behalf with your written and signed authorisation, subject to approval by the Data Protection Officer or their delegate.

Internal concerns and complaints procedure

The Data Protection Officer or their delegate will write an initial letter to you, usually within 5 working days, to acknowledge receipt of your complaint. The letter will inform you:

1. Whether your complaint is eligible for consideration under this procedure. If it is not considered eligible, you will be told why.
2. The terms of your complaint, and the breaches of the Data Protection Legislation to be investigated, so that the complainant can understand the scope of the investigation.
3. The expected deadline for completion of the investigation

The Data Protection Officer or their delegate will aim to conclude the formal investigation and provide you with an outcome within 20 working days of sending you the initial letter.

At the end of the review the Data Protection Officer will provide you with an response summarise the complaint and examination process, this may including further evidence gathered from yourself, colleagues or any other relevant third party, and an assessment of the extent to which specific concerns raised in the complaint contravene the Trusts Data Protection policies and procedures and Data Protection Legislation, to help you better understand the outcome of the review. The outcome section of the report will tell you whether your complaint is:

1. Fully upheld
2. Partially upheld
3. Not upheld

The response will set out any recommendations proposed by the Trust. The Data Protection Officer may recommend the case is referred for further consideration under the relevant internal disciplinary procedure. This might include, for example, cases where the investigation identifies a serious breach of the Trust’s Data Protection policies and procedures by an individual subject to said policies and procedures, or an infringement of Data Protection or Computer Misuse legislation.

The response marks the final stage of the Trusts Data Protection Complaints procedure. The Trust will aim to put in place any recommendations within one calendar month of the date of the report, where possible.

If the review finds that a person has processed your personal data and infringe sections 170-173 of the Data Protection Act (2018), the matter may be referred to the Police if the Trust believes that one or more of the criminal offences listed below has been breached:

1. a) Unlawfully obtaining, disclosing or retaining personal data:
2. b) Re-identifying de-identified personal data
3. c) Altering, defacing, blocking, erasing, destroying, or concealing personal data to prevent disclosure to a data subject

If the Police investigate a Trust employee about an offence, the Trust will consider whether internal disciplinary procedures should continue or be paused until the outcome of the police investigation is known.

Right to representation

You have the right to be accompanied at any meeting arranged under this procedure to investigate your complaint. You may choose to be accompanied by a friend, and staff by a work colleague or a trade union representative. This procedure does not permit any party to have legal representation at meetings. The identity of your representative should be made known to other parties to the meeting prior to the date of the meeting.

If you need us to make any reasonable adjustments under the Equality Act (2010) in connection with meetings or other proceedings under this procedure, please inform the Data Protection Officer in advance. You can also seek advice from or make a complaint to the Information Commissioner’s Office (ICO) who is the UK data protection regulator.

Your Right to an External Review

If you reject the outcome of the formal investigation, you can make a complaint to the Information Commissioner’s Office (ICO) using their online reporting tool or via:

Whilst you have the right to make a complaint to the ICO without seeking a remedy through this procedure, we recommend that you follow this procedure in the first instance to advance the resolution of your complaint.