Patient privacy notice

The Kettering General Hospital NHS Foundation Trust (KGH) is a data controller under data protection law, because we collect and process personal information about you in order to provide health services and meet our statutory obligations.
 
The Trust is committed to protecting and respecting your privacy. Through this Privacy Notice we have sought to be as transparent as possible to fully explain how your personal data is held and processed. This notice explains how we collect, process, share, transfer and store your personal information and forms part of our accountability and transparency to you under Data Protection Law.

Where we get your information from

Most of the personal information we hold is provided to us directly by our patients. In certain circumstances, we may also receive personal data from:
  • Health and social care professionals working with you such as GPs, support workers, social workers, hospices
  • Ambulance Trusts
  • Private healthcare providers
  • Carers, relatives or next of kin in situations where you are incapable of communicating with us
  • Local Authorities
  • Law enforcement agencies
  • CCTV images taken using our own CCTV systems

Personal Data we hold about you

Health and social care professionals working with you – such as doctors, nurses, support workers, psychologists, occupational therapists, social workers, and other staff involved in your care – keep records about your health and any care and treatment you receive. Collectively, this is called your Health Record which may include:
  • Basic details such as name, address, date of birth, phone number and email address (where you have provided it so that we can communicate with you by email)
  • Special Category Personal data such as:
    • Notes and reports about your physical or mental health and any treatment, care or support you need and receive
    • Results of your tests and diagnosis
    • Relevant information from other professionals, relatives or those who care for you or know you well
    • Ethnicity, religion and, where appropriate, genetic/biometric information and sexual orientation
    • Details of any contact you have with us such as home visits or outpatient appointments
    • Information on medicines, side effects and allergies
    • Clinical photographs and other clinical imaging
  • CCTV images recorded in public areas as part of the Trust's security arrangements and for crime prevention
  • Other personal information such as your next of kin and their contact details, patient experience feedback and treatment outcome information you provide
  • Most of your records are electronic and are held on a computer system within a secure IT network. New models of service delivery are being introduced that involve closer working with GPs and other health and social care providers; to support this, additional electronic patient record systems will be used to share your information with them

Keeping your information up to date

It is essential that the personal data the Trust holds about you is accurate and kept up to date. You should inform the hospital as soon as possible of any changes to your contact details, including your name, address, telephone and mobile numbers, email address and GP. You can do this by speaking to the team at any reception within the hospital or by contacting the Medical Records team by email at kgh-tr.Medical.Records@nhs.net.

Why we collect this information about you

We process personal data to provide healthcare services to our patients; carry out research; maintain our accounts and records; operate CCTV systems for crime prevention; and carry out data matching under the National Fraud Initiative. Records about you are used by those caring for you to:
  • Provide a good basis for all healthcare decisions by you and healthcare professionals
  • Enable you to work in partnership with those providing your care
  • Enable us to keep details of all our contact with you, such as referrals, appointments and services you have received
  • Make sure the care we provide is safe and effective
  • Work effectively with others providing you with care
  • Remind you about appointments, using third-party processors
  • Enable investigations if you and your family have a concern or a complaint about your healthcare
  • Enable you to give feedback on your experience to the Trust. You can opt out of this process, either for a particular hospital attendance or permanently, by informing a member of Trust staff, who will ask the Information Department to record the withdrawal of your consent.
 
Keeping your records accurate and up to date also means that the professionals involved in your care have the right information about you if you:
  • Move to another area
  • Need to use another service
  • See a different healthcare professional
 
Others within the Trust, the NHS and other government bodies may also need to use records about you to:
  • Assess the quality of care we give you (called clinical audit)
  • Protect the health of the general public
  • Keep track of NHS spending
  • Manage the health services we provide
  • Help us to plan new services
  • Help investigate untoward incidents, complaints or legal claims
  • Prevent fraud
  • Teach healthcare staff
  • Help with research
 
If we need to use information that identifies you for purposes other than your direct care (or to check the quality of that care), we will always seek your consent beforehand.

How your information is secured

Everyone working for the NHS has a legal duty to maintain the highest levels of confidentiality, and all KGH staff receive training on how to handle your information securely.
 
We are committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in a hardcopy or electronic format. All paper files are kept in secure locked cabinets/cupboards and only relevant staff will have access to this information.
 
We ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
 
We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will only transfer personal data to a third party if the third party agrees to comply with those procedures and policies, or if it puts in place adequate measures.
 
All employees and our partner organisations are legally bound to respect your confidentiality, and all staff must comply with our security operating procedures. Any breach of these procedures is treated seriously and could result in disciplinary action, including dismissal.
 
If any of your personal information is to be processed overseas (i.e. outside the UK), a full risk assessment will be undertaken to ensure the security of the information.

Legal basis for processing your information

We will process your personal information only when we are permitted to do so by law. We rely on specific provisions under Articles 6 and 9 of the UK General Data Protection Regulation (UK GDPR), such as when:
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • processing is necessary for medical purposes
 
Please be aware that we do not normally use consent as a legal basis for processing your personal information under UK GDPR. This is different from consent to treatment. It means we can use your personal information to provide you with your care without seeking your consent. You do, however, have the right to say ‘no’ to our use of your information, although this could affect our ability to provide you with care.

Sharing your information with third parties

Information sharing for purposes of direct care

We may need to share your information with trusted organisations when they are caring for you and are providing you with treatment. This includes outside agencies, such as social services, public service authorities and private healthcare organisations in addition to other NHS organisations.
 
We may share your information with these organisations in the following circumstances:
  • To ensure the provision of your direct care
  • To ensure the provision of the most appropriate treatment and support for you and your carers
  • Sharing your information via the Northamptonshire Care Record (NCR) to enable effective collaboration with other professionals who are directly involved in your care
  • To deliver services relating to your direct care e.g. processing of blood tests
  • For research, statistical and data analysis to give us insight on how we may improve the services we provide (please note that we will ask your explicit consent when processing your identifiable data for research purposes)
  • For conducting patient surveys to support care improvements facilitated by the Trust
  • To help us monitor and evaluate performance to develop the services we provide
  • To meet our NHS contract obligations
 
We have processes in place to ensure that we do not share excessive information with any organisations. We only share information that is relevant, necessary, and adequate to the care you are receiving at any given time.
 
We have relevant assurances in place to ensure that third-party organisations will not disclose your information without explicit written consent of the Trust, and this will only be provided if it is necessary to do so for the provision of your care.
 
The third-party organisations with whom we share your information for the purposes of your direct care include:
  • Northamptonshire Health and Care Partnership – key health and care providers in the county working in partnership to improve health and care for people living in Northamptonshire
  • Other partnerships working together to provide health and care for you, such as the East Midlands Radiology services (EMRAD) and the National Pathology Exchange (NPEx)
  • GPs
  • Independent Contractors such as dentists, opticians, pharmacists, medical concierges
  • Private Sector Healthcare Providers
  • Charities and other Voluntary Sector Providers such as Hospices
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police and Judicial Services
  • Funeral Service providers
  • Other National and Government agencies e.g. National Confidential Enquiry into Patient Outcome and Death, National Cancer Registration and Analysis Service and Public Health England
 
We may also need to share your information with third party suppliers. These suppliers may not be directly involved with your care, but they provide us with support services in order for us to provide direct care to you. The support services they provide include:
 
  • supplying us with management information systems, databases and solutions used for administration processes and data-driven care delivery
  • diagnostic and health monitoring solutions
  • radiology services including medical and diagnostic imaging services
  • healthcare technologies and solutions
  • innovative prosthetic services
  • consulting, auditing, counter fraud, data analytics and innovation services
  • computer disposal and data destruction services
  • solutions for risk management, monitoring patient safety, reporting incidents and adverse events and ensuring the cyber security, availability, integrity and confidentiality of our information
  • survey services
  • systems for managing policies, training and learning content
  • physical security solutions and services
  • managing and maintaining the sites and systems to ensure they work effectively
  • technical support on the systems when required
 
Information shared with these organisations is subject to strict information sharing agreements, established following robust risk assessments. Personnel from these organisations may have access to your information in the course of providing the support services above, but access is limited to the personnel who need it in order to deliver those services. The information disclosed is limited to what is relevant, necessary and adequate for the purposes for which we have engaged the third-party supplier.

Legal Basis for sharing with third-party organisations

The legal basis relied on by the Trust to share your personal data with third party organisations and suppliers is set out in Article 6(1)(e) of the GDPR which allows data to be processed where the “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
 
Where special category personal data such as health records are shared, the Trust relies on an additional condition set out in Article 9(2)(h) of the GDPR, which allows data to be processed where “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional subject to safeguards.”

Exceptions

We will always seek your permission to share your information with third party organisations for purposes other than your direct care. However, in exceptional situations we may need to share your information without your permission if:
  • It is in the public interest – for example, there is a risk of death or serious harm to yourself or another person or a child
  • The Registrar of Births, Deaths and Marriages asks for the contact details of the next of kin, to help carry out their statutory duty to register the birth or death of a patient.
  • There is a legal need to share it – for example, to protect a child under the Children Act 1989
  • A court order tells us that we must share it
  • We are subject to the Care Quality Commission’s powers under the Health and Social Care Act 2008 to access and use information where they consider it necessary to carry out their functions as a regulator.
  • There is a legitimate enquiry from the police under the Data Protection Act for information related to a serious crime
  • You are subject to the Mental Health Act 1983; in some circumstances your nearest relative must receive information even if you object
  • Your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases.

Further Information

If you would like further information on a specific third-party organisation or supplier with whom we share information, please contact the Data Security and Protection team at:
 
Data Security and Protection Team
Kettering General Hospital
Rothwell Road
Kettering
NN16 8UZ

Transfer of personal data outside of UK

The Trust may sometimes use service providers who process information in other countries, both within and outside the European Economic Area (EEA).
 
As a result, it may sometimes be necessary for personal data to be transferred overseas. Before any transfer is made, the Trust will carry out the necessary risk assessments, including Data Protection Impact Assessments, to make sure that appropriate safeguards are in place so that the transfer of the data and its processing, storage and retention are securely controlled and fully compliant with data protection law.
 
If your data is transferred overseas, there will be a contract in place and a Data Processing Agreement that sets out the responsibility for safeguarding the data.

How long do we keep your information?

We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including the purposes of providing health care services and satisfying any legal obligation.
 
Retention periods for personal data will vary according to the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. We ordinarily follow the retention periods set out in the NHS Records Management Code of Practice.
 
You should be aware that care records are ordinarily retained for eight years, after which they are reviewed and, where appropriate, transferred to a place of deposit for archiving.
 
If we are able to anonymise your personal data so that you can no longer be identified from it, we may use such information without further notice to you.
 
The Trust has a Records Management Policy (IG07), which is based on the NHS Records Management Code of Practice.

Your Rights

For information on your rights and how you may exercise them, please see the ‘Your rights’ section on the Trust website.

Use of photographs, video and audio recording

The Trust may use photographs, video footage and audio recordings in which an individual can be clearly identified for the purposes of promoting its work. We will only use your image or voice if we have obtained your explicit written consent. You can ask for a photograph, video or audio recording to be removed from the KGH photo library at any time by contacting kgh-tr.comms@nhs.net. Every effort will be made to remove the content; however, it may not be possible to control all further use of a photograph, video or audio recording once it has been published.
 
Photographs, videos, and audio recording may be:
  • Used in promotional materials such as posters or adverts
  • Used on the KGH website, social media channels and other digital communications
  • Used in news media and their associated websites and social media channels including print, television and radio

Telephone Call Recordings

The Trust has the ability to record telephone calls. Calls are recorded for the purposes of quality and training, protection of patients and staff, documenting information on your medical record or identifying issues in processes with a view to improving them. Calls may be shared internally with healthcare professionals and support staff who are involved in your direct care provision on a need-to-know basis. In the event of an incident, certain members of staff in the Audit, Risk or Governance teams may have access to call recordings to facilitate the investigation of the incident. Call recordings will not be shared outside of the Trust unless we have a legal requirement to do so.
 
All records held by the Trust are subject to the Records Management Code of Practice for Health and Social Care 2016 (the Code). The Code sets out best practice guidance on how long we should keep your information before we are able to review and securely dispose of it. We will keep your call recordings for as long as the Code requires. Recordings for children are kept for a maximum of 25 years and recordings for adults for a maximum of 15 years.
 
You have a right to access your call recordings under data protection law; this is called a Subject Access Request (SAR). You may request access to your call recordings through our secure online portal. To make your request, choose “Don’t have an account? Sign up”, then either register on the site or continue as a guest, and select the most appropriate online application form.
 
If you have any problems accessing the online form, please call the Access Team on 01604 544776. Your Subject Access Request (SAR) will be dealt with under the terms of the Data Protection Act 2018, the UK General Data Protection Regulation and the Access to Health Records Act 1990. Find out more about Subject Access Requests.