Data Protection FAQ's
Can patients take their notes away with them?
No. Medical records are the property of the Trust and must be kept secure at all times, including in a sealed envelope when moving between appointments. If a patient wants a copy of their notes, they need to submit a Subject Access Request.
If a patient wishes to view their current medical records whilst still an inpatient at the Trust, this can be discussed with the clinical staff on the ward.
Who should I contact if I have Data Security and Protection issues and queries?
Contact the Data Security and Protection Team using the following email address: ngh-tr.dpo@nhs.net
Who is the Trust's Caldicott Guardian?
Hemant Nemade, Medical Director
What is the difference between the role of Caldicott Guardian and the Senior Information Risk Owner (SIRO) role?
The Caldicott Guardian and SIRO are both concerned with ensuring NHS data is protected and is not stored, accessed or used inappropriately, However, in practice both roles are different - the Caldicott Guardian (ideally a Board member who is a senior professional) is primarily concerned with the protection of patient and service user information by ensuring it is shared only with those who have a justified need for it; and only shared through appropriately safeguarded routes.
The SIRO role is proposed for a Board member or relevant equivalent, who is concerned with identifying and managing the information risks to the organisation and with its business partners. This will include oversight of the organisation's information security incident reporting and response arrangements. The SIRO will be supported in their role by one or more Information Asset Owners who have assigned responsibility for the information assets of the organisation.
Please note that in some smaller organisations these roles could overlap although they will be better served as separate responsibilities
How long does the Trust keep medical records for?
The Data Protection Act 2018 does not define how long records should be held for, just that they should not be kept for longer than needed. As a result, the Trust uses the NHS Records Management Code of Practice as the basis for Records Management. This can be found here: Records Management Code of Practice - NHS Transformation Directorate (england.nhs.uk)
The Trust also has a Retention and Destruction Policy.
Can emails be released as part of a subject access request or a freedom of information request?
Emails stored on Trust systems are considered to be an electronic record and therefore may be disclosed in response to a subject access request or a freedom of information request. To submit a subject access request.
Are my medical records accessible/shared with other healthcare providers?
Other NHS Trusts and healthcare providers would not routinely have access to your medical records unless the Trusts have a formal sharing agreement in place for the care to be provided at another provider. Other healthcare providers are able to request specific parts of your medical record to enable ongoing continuity of care (should you transfer to another provider during regular treatment) or, with your consent, for second opinions and/or private treatment.
How should individuals request a name change?
Individuals are free to change their name on their health record at any time they choose. They must provide us with a written request which is signed and dated. Signed requests must be sent to kgh-tr.Medical.Records@nhs.net. It is recommended by Primary Care Support England (PCSE) that individuals provide documentation displaying their correct name, so that their GP practice can assure themselves of the identity of the requester. It is up to you to determine what information you might reasonably request to verify a person’s identity. This could be a passport, marriage certificate or deed poll.
Will the Trust share information with the Infected Blood Compensation Authority (IBCA) to support compensation claims?
Yes, the Trust is fully compliant with the requirements of the Infected Blood Compensation Authority requirements for sharing information. The Trust has a nominated individual within the Data Security and Protection Team who will be the Trusts contact for liaising with IBCA.
Information on IBCA and how they will liaise with NHS Trusts can be found here: Sharing information relating to Infected Blood Compensation Authority claims - NHS Transformation Directorate