- Why we need your personal information
- The new data protection law (GDPR)
- What information we collect about you
- Where we get your information from
- Who we share your information with
- Why we share your information
- Integrating your care with our partners
- Personal health records
- Other uses of your personal information
- How we use your information for research
- Other ways your information is used
- How we keep your information secure
- Your legal rights
- What other information we collect
- Other bodies
- If you want to complain
- Further information
Why we need your personal information
We need to collect information about you mainly to provide you with health and care services. This is in accordance with the statutory obligations under the NHS Act 2006 and Health and Social Care Act 2012.
The information that we collect is used for medical purposes that include:
- preventative medicine
- medical diagnosis
- medical research
- provision of direct care and treatment
We collect your personal information so that your care team has accurate and up-to-date information to plan your treatment options.
The new data protection law (GDPR)
The General Data Protection Regulation (GDPR) is a new law which allows and regulates the processing of personal data. This includes where health and social care data are processed by a public authority, such as SLaM.
Health and genetic data are amongst special categories of data requiring special protection and subject to additional controls. Public providers of health and care are expected to:
1. demonstrate satisfaction of conditions set out in Article 6 of the GDPR
2. satisfy a condition under Article 9 of the GDPR when processing special categories of data, ie data concerning health
Under Article 6, processing is permitted where it is:
“Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1) (e)).
Commercial suppliers that work on behalf of the NHS (e.g. technology third-party suppliers to NHS Trusts), or private sections of public providers may also rely upon an alternative lawful basis. For example, where processing is necessary for the purposes of their ‘legitimate interests’ (Article 6(1)(f)).
Article 9(2) sets out the circumstances in which the processing of special categories of data, including data concerning health, which is otherwise prohibited, may take place. NHS Trusts as public bodies with healthcare provision as their statutory purpose, may process personal data where necessary to fulfil their public healthcare provision function, provided that they satisfy one of the following conditions:
9(2)(h) – Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
Article 9(2) also sets out the circumstances in which the processing of data concerning health may take place in academic organisations. Universities as public bodies with research either incorporated in their core function or as their statutory purpose may process personal data where necessary to fulfil their public research function, provided that they satisfy one of the following conditions:
9(2)(h) – Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
And
9(2)(i) – Necessary for reasons of public interest in the area of public health, such as protecting against serious cross- border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices.
Article 9 allows for the processing of a special category of personal data for health research where processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. (Article 9(2)(j))
This means that where it is necessary to process special categories of data, such as data concerning health, for research purposes, then that processing is permitted by the GDPR (under Article 9(2)(j)).”
What information we collect about you
Health and care organisations have a legal duty to keep complete, accurate and up-to-date information about your health. This is so that you can receive the best possible care, both now and in the future.
This information is known as your ‘health record’ and is stored securely on managed systems. The information stored includes:
| Category | Data type |
|---|---|
| Identifiers | Your name, date of birth, NHS number |
| Contact details | Your address, telephone number, email address (if provided) |
| Support contact details | Names, contact details of carers, relevant close relatives, next of kin, representatives |
| Physical, social or mental health situation or condition | Your medical history, treatments, test results, referrals, care plans, care packages, medication, medical opinions and other relevant support you are receiving |
| Protected characteristics | Your ethnicity, religion, sexual orientation, gender, which are required for equality monitoring and ensuring that the services are suitable and provided in the right way for the people being cared for |
Where we get your information from
Most of the information we collect about you is from:
- Your GP
- Directly from you or a friend or relative
- Other health and care organisations
Information also comes from local authorities, schools and other government agencies.
Typically, we get information by referral. For example, if your GP decides you need an appointment with a hospital team or social care professional, they will provide those professionals with necessary information about you so that you can be supported appropriately. This may include identifiers, history, diagnosis and medications. This information is increasingly being made available electronically to improve the quality, safety and speed of delivery of care.
All care professionals and others working with them in care services have a legal duty to keep information about you confidential and secure and only use it for the purposes of providing and improving the care they provide. Similarly, anyone who receives information from us has a legal duty to keep it confidential.
Who we share your information with
We will share your information with those health and care partners who are directly involved in your care. These may include:
- Local NHS hospitals
- Your GP practice
- Local voluntary and private care providers
- Urgent and emergency care services, such as NHS 111 and the London Ambulance Service
You may be receiving care from other people as well as the NHS, for example social care services. Health and social care providers may need to receive or share some information about you if they have a genuine need. This may help them form a complete picture of your health needs and provide care and treatment that is most suited to your needs and preferences. They should only share information with your permission.
We will not normally give your information to any other third party for any reason outside your individual care and treatment without your permission. However, there may be exceptional circumstances where we may do so, such as if someone’s health and safety is at risk or if the law requires us to pass on information.
See a short animation that explains how your personal data is used in health and care.
Find out about the structure of the NHS in England, core organisations and their roles
Why we share your information
People often access a range of services available to them to support their health and care needs. Care organisations are increasingly providing services in regional partnerships.
The Trust works in regional care partnerships, such as King’s Health Partners and Our Healthier South East London.
These services are not restricted by geographical boundaries or by organisational structures. There is also crossover in the information these services need to make sure the care they deliver is safe and of the highest quality. Health and care services use a range of IT systems and increasingly there is the ability to share special category personal data between systems. Care professionals and others supporting your care use IT systems developed and monitored according to strict rules to share your personal data securely and lawfully.
If care services do not share information about you, then they may be making decisions without the best available information. This may affect the quality and safety of care they give you.
You have a legal right to opt out of having your data shared between your care professionals. However, you should be aware of the risks to the safety and the quality of the care you receive.
Sharing information helps care professionals to work together across organisational boundaries. Up-to-date information about your health and care improves the quality of clinical decision making by care professionals. Health and care providers are increasingly using digital technology, subject to strict rules, to further improve your health. We will make every effort to inform you about new digital technology and point you to resources to help you access and use it securely. We will always respect your right to opt out if you do not wish to make use of it.
Integrating your care with our partners
Health and care partners in south east London, such as your GP, hospitals, mental health, community and social care services, work together to make best use of your personal data to improve your treatment and care. This collaborative work helps us to build a more complete picture of all your health and care needs.
South East London Integrated Care Records (Local Care Record in Southwark, Lambeth and Bromley) (Connect Care in Lewisham, Greenwich, and Bexley)
Integrated care records in south east London securely connect the electronic health record systems in your GP practice with similar systems in other care settings. These include south east London hospitals, care professionals in urgent and emergency care services (such as NHS 111 or 999), the London Ambulance Service and the National Record Locator Service, which is run by the NHS in England.
Integrating your care records means that your care teams can view your medications, previous treatments, test results and any other relevant care information at the touch of a button. This provides faster and improved communication between your health and care providers, making best use of clinical resources during your appointments or hospital stay.
Sharing health records is helping to improve your care by providing your care team with essential clinical information at the touch of a button. This reduces the need for repeated phone calls, missed fax messages and delayed letters.
Find more information about the integrated care records in south east London, including how to opt out of this form of data sharing.
Personal health records
Your health and care providers such as your GP and hospitals are increasing providing online secure platforms for you to access your health information.
GP online services is a secure online service, where you can book or cancel appointments, order repeat prescriptions, view parts of your GP record, including information about medication, allergies, vaccinations, previous illnesses and test results and some clinical correspondence such as hospital discharge summaries, outpatient appointment letters and referral letters.
Healthlocker is a secure online platform for you, your carers and families and your care teams. Its development has been supported by the NHS. Healthlocker promotes supported self-management of your care with secure online options to improve communication between you, your carers and care professionals. It also provides you secure online access to information about your treatment and care.
Other uses of your personal information
Using information for commissioning or regulatory compliance
Commissioning is when organisations plan and pay for health care services. Health and care commissioners need information from your GP practice, hospitals and other care providers about your treatment to review and plan health services. To do this, they need to be able to see information about your care but they do not need to know who you are.
The commissioners use intermediary services called Data Services for Commissioners Regional Office (DSRCO). DSRCOs specialise in analysing and converting coded clinical information within a secure environment into a format that commissioners can legally use. This is specific data about your care that does not reveal your identity or contact details.
NHS Digital, formally known as the Health and Social Care Information Centre (HSCIC), can provide coded data about your care securely to commissioners under the Health and Social Care Act (2012).
NHS Digital, through its DSCROs, is allowed by law to collect, hold and process your personal data. This is for purposes beyond direct patient care, to support care commissioning organisations and the commissioning functions within local authorities.
Service evaluation contributes to the overall quality and effectiveness of clinical services to you and a group of people with a similar condition. This routine quality assessment of care services falls outside the scope of your direct care. It covers:
- Care services management
- Preventative care and medicine
- Health and social care research
Service evaluations are routinely undertaken using anonymised data. Where identifiable information is to be used, we will always do it lawfully and securely in a way that will always protect your privacy.
How we use your information for research
Most care teams are working with researchers to find ways to develop better treatments for care. The information in your health records can also be used to help NHS researchers understand more about the causes of illnesses and how best to treat them. They need to follow strict rules to make sure your personal data is always kept secure and confidential.
Where possible, researchers will make efforts to take out any information that could identify you, such as your name, address and postcode. If they cannot practically take out such information, it is their legal responsibility to ask for your explicit permission (consent).
We work with healthcare partners, researchers and technical experts to develop computer systems, such as the Clinical Record Interactive Search, encryption techniques, such as pseudonymisation (using special codes), to enhance your privacy and protect your confidentiality before using your information for research. For more information on such local research systems and initiatives, visit the King’s Health Partners website.
In more exceptional cases, researchers may seek special support from the Secretary of State under the health service (control of patient information) regulations (also known as ‘section 251 support’). This can allow researchers to use your personal data without your permission, only when it is not practical to seek permission. They must also have reassured an independent committee who have reviewed the purpose and data security arrangements. You can find more information on trials where researchers have used this special support known as ‘section 251’ support.
Clinical data linkages
Regional partnerships between care providers, such as your GPs and NHS hospitals and universities, such as King’s College London is leading to better opportunities to use clinical data for better care services and treatments by securely joining or ‘linking’ information from different clinical sources within a secure and regulated NHS environment. This joins two or more independent healthcare data sources, for example someone’s GP record and their hospital record, in order to improve the quality of information and to enable NHS researchers to look at your healthcare in more detail. Any information that may identify individuals are all removed prior to any research. You can find more information on the data linkages we have undertaken and how to opt out.
Research recruitment (consent for contact)
You can give your care coordinator an advance permission for researchers to contact you in the future if you match the criteria of a trial. Your advance permission, known as ‘consent for contact’ will be noted in your health records. You will only hear from a research nurse, who will explain what that study will entail in more detail. You can find more information about consent for contact and ways to sign up for future research.
Other ways your information is used
We may also use your personal data in the following areas:
- Any complaints you have made about services
- Any incidents you may have been involved in while you were receiving treatment and care from us
- Any paid, un-paid work with us, including your involvement in volunteering, public engagement or other projects (eg social, community, art, consultation) we run solely or with partners
- Any training, education, supervision delivered to you by us
- CCTV (closed-circuit television) and use of multimedia device
How we keep your information secure
As a health and care provider, we store and use large volumes of sensitive personal data every day, such as your health records. Your health records are stored electronically.
Other personal data and computerised information are stored on various other systems across your health and care providers. These systems are managed by NHS IT departments or under contract with an approved public framework supplier.
Find more information on how your information is kept securely on NHS information systems.
Important information used by the Trust
| Purpose | System name |
|---|---|
| Electronic health records | ePJS |
| Electronic staff records | ESR |
| Complaint and incident records | Datix |
| Clinical observations | eOBS |
| Clinical incident records | SafeCare |
| Personal health records | Healthlocker |
| Business intelligence | Microsoft BI |
| Translational research using de-identified data | CRIS (research pipeline) |
| Internal staff communication | Intranet |
| Staff rosters | eRoster |
| Workforce recruitment | TRAC |
| Workforce training and professional development | LEAP |
| Enterprise network and email | Office365 / UK Azure Cloud |
| Finance system | eFinancials |
| Procurement system | eProcurement (eFinancials module) |
| Invoicing system | ITSOFT |
| Contracts monitoring | Soles |
| IT service desk | SDE Service Desk (new platform in Q2) |
| Estates and facilities helpdesk | PlanetFM |
| VoIP | Cloud Telephony |
The information we collect is used by people in their work for the purposes stated in this notice. We take our duty to protect your personal information and confidentiality very seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.
- We encrypt all outgoing email containing personal data
- We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorised access to systems
- We provide training to all staff on how to handle all types of data
At the most senior level, we have:
- a senior information risk owner who is accountable for the management of all information and any associated risks and incidents (Mr Stephen Docherty)
- a Caldicott guardian who is responsible for the management of patient information and patient confidentiality (Dr Nicola Byrne)
- a Data Protection Officer oversees all activities related to the use of data. They make sure data use is done within the law and best practice (Dr Murat Soncul)
You can contact these senior officers by writing to dataprotectionoffice@slam.nhs.uk.
or
Data Protection Office
Maudsley Hospital
Denmark Hill
London
SE5 8AZ
Your legal rights
You have several rights under the data protection law:
a. Right to be informed: you have a right to be informed about uses of your information, with an emphasis on transparency. This fair processing notice, in support of other privacy notices makes sure that your right to be informed is upheld.
b. Right of access: you have a right to receive:
- confirmation of what information is recorded about you
- confirmation of how your information is used
- access to your personal health information and other information we hold
- To exercise your right of access, you will be asked to complete a subject access request (SAR) form, provide proof of identification and may be asked to explain exactly what information you require.
Your request must be made to the following address:
South London and Maudsley NHS Foundation Trust
Information Governance Office
Maudsley Hospital
Denmark Hill
London SE5 8AZ
Email: dataprotectionoffice@slam.nhs.uk
You will not be charged for this service.
Other people can also apply to access your health records on your behalf. These include anyone authorised by you in writing (such as a solicitor), or any person appointed by a court to manage your affairs if it decides you cannot manage them yourself.
c. Right to rectification: rectification means correcting inaccuracies or incomplete data we hold about you. This often applies to factual information only such as identifiers and next of kin. We are unable to remove or alter professional opinions that you may disagree with. You do however have the right to include your personal statements alongside professional opinions.
- To rectify your information please contact your clinical team.
d. Right to deletion: in some circumstances you can request that we delete the information we hold about you. This right will apply only if the processing has been based on consent which is withdrawn, the processing of data is found not to be lawful or the information is no longer required. We will tell you about activities to which this right applies
There are exceptions to the right to deletion. Your health and care providers are legally required to maintain your records in accordance with the retention guide in the Record management code of practice for health and social care
e. Right to object: you do not have a general right to object to processing of your personal information for your individual care, however you can object if the information is used for a secondary purpose, such as:
- marketing
- scientific or historical research
- statistical purposes
- purposes in the public interest or under an official authority (eg NHS Act 2006)
- public patient involvement groups
f. Right to restrict processing: the right to restrict processing means that, if you have disputed the accuracy of information, objected to its use or require data due for destruction to be maintained for a legal claim, you can have the data stored by the Trust but not allow other uses until the dispute is settled. To request restriction to processing, please contact the data protection officer.
We will respect your rights under the data protection legislation whether you are an adult or a child. We will respect the wishes of parents’ (or legal guardians’) in respect of data rights of children who are younger than 14 years old.
You should also tell us how you would like us to contact you. Your preferences may include post, text messaging and phone. You should notify your care team about your preferences and ask it to be recorded in your health and care record. You can change your mind later as long as you give timely notifications to your care team about any changes to your preferences.
What other information we collect
We collect information on all staff we employ, as well as volunteers, people with honorary contracts and agency staff for the purposes of running our services. We use the information for administrative, academic and statutory purposes and to support health and safety.
The information we collect includes:
| Data type | Purpose of collecting |
|---|---|
| Names, addresses and telephone numbers | Employment contracting |
| Spouse, partner, emergency contact, close relative, next of kin names, address, telephone and email details |
Emergency contact |
| Employment records (including professional membership, references, appraisals,professional development plans, education and training records) |
Statutory requirement of employment, performance management, professional development |
| Bank, National Insurance number and pension details | Payment of salaries and other expenditure claims |
| Nationality / domicile | Proof of eligibility to work in the UK |
| Ethnicity | Equality monitoring, equal opportunities |
| Medical information including physical health or mental condition |
Appropriate adjustments to work arrangements, management of disability rights and other occupational health services |
| Religious beliefs | Spiritual support, equal opportunities, equality monitoring |
NHS Shared Business Services provide electronic staff records and other corporate systems, such as employment and finance.
Other bodies
There are some exceptional circumstances where we must share information with official bodies or other organisation about employees without their express permission. These include circumstances owing to a legal or statutory obligation. These bodies may include:
- Disclosure and Barring Service
- Home Office
- Her Majesty’s Revenue and Customs (HMRC)
- financial institutes, for example banks and building societies for approved mortgage references
- educational, training and academic bodies
- Department for Work and Pensions (DWP)
If you want to complain
If you think that information in your NHS health records is wrong, please talk to the health professional looking after you and ask to have the record amended. You can also ask for the information to be amended by contacting the information governance team.
If your request to have your records amended is turned down because the information is not wrong, we will add a statement of your views to the record.
If you are unhappy with our response, you have the right to complain to the Information Commissioner’s Office (ICO), which regulates and enforces the Data Protection Act. For details of how to do this:
- visit the ICO website at www.ico.org.uk
- telephone 0303 123 1113
Further information
Please talk to the team looking after you if you want to know more about how we use your health records, or if you do not want your information used in any of the ways described in this leaflet.
Patient Advice and Liaison Service (PALS): freephone 0800 731 2864 or by email at pals@slam.nhs.uk.
NHS Choices: provides online information and guidance on all aspects of health and healthcare, to help you make choices about your health. Visit www.nhs.uk.
Support us by becoming a member: membership is free and it is up to you how much you get involved. Members and governors are at the heart of our organisation. Members support SLaM on a voluntary basis and provide us with feedback, local knowledge and support. You can join the Trust as a public member if you live in England or Wales and have:
- used, or care for someone who has used our services in the past five years
- worked or volunteered for us
To join please call 020 3228 2441, email membership@slam.nhs.uk or visit: www.slam.nhs.uk/getinvolved.
