Patient and Service User Privacy Notice

A Privacy Notice is a statement by Woking and Sam Beare Hospice (“The Hospice”) to patients, visitors, carers, and the public that describes how we collect, use, retain and disclose personal information that we hold about you. This privacy notice is part of our commitment to ensure that we process your personal information fairly and lawfully.  It explains what information we collect, why we collect it, how we use it, with whom we may share your information and how we keep it secure.  It also explains what rights you have to control how we use your information and our legal obligation.

The Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR) 2018 controls how your personal information is used by organisations. Under the Act, the Hospice is defined as a ‘data controller’ of personal information that we hold. We collect information to help us provide and manage healthcare for our patients.

The Hospice is registered with the Information Commissioner’s Office (Registration Number ZA088704).

The Hospice must have a legal basis to process your personal information. There are a number of legal bases under which we are permitted to do this. The legal basis is determined under Articles 6 and 9 of UK GDPR.

Whatever data is processed, and the basis under which it is processed, is determined and recorded on an individual basis. You can ask to have this legal basis clarified through your right of access to your personal information.

The lawful grounds for processing personal data set out in Article 6 of the GDPR are:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller (except where those interests are overridden by the interests or rights and freedoms of the data subject).

 The lawful grounds for processing special category data set out in Article 9 of the GDPR are:

(a) the data subject has given explicit consent;

(b) for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law

(c) to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) to carry out legitimate business activities;

(e) when processing relates to personal data which are manifestly made public by the data subject;

(f) for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) for reasons of substantial public interest;

(h) for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;

(i) for reasons of public interest in the area of public health;

(j) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

We keep records about your health, treatment and care you receive from us. This helps to ensure that you receive the best possible care from us.  These records may be held on paper or electronically and we have a legal duty to keep these secure at all times.  The information we collect normally includes:

• Name, address, date of birth, NHS number and next of kin details,
• Contacts we have had with you, such as appointments and/or home visits,
• Information about your health, such as details of diagnosis, health conditions, allergies and the treatment and care you have received,
• Relevant information from other health and social care professionals, carers or relatives, in order to support the care you receive from us.

As a specialist palliative healthcare provider the Hospice may also collect sensitive data such as your religious and spiritual beliefs and your racial and ethnic background. This information is used to personalise the care you may receive.

When you visit the Hospice there are surveillance cameras outside and in public places. These record CCTV images for your safety and the prevention and detection of crime. The images collected are considered personal data and are retained for 30 days and only accessed should there be a bona fide reason to check the recordings.

The Hospice aims to provide you with the highest quality of health care.  To do this we must keep accurate records about you, your health and care we have provided, or plan to provide for you.  The information in the record may come directly from you, or other care providers e.g. GP, Hospital or Social Care.    

The Hospice uses your personal information to provide healthcare to you and for purposes directly related to that healthcare (such as booking and managing appointments).

Your information may be used for clinical audit, where the team involved in your care and those working to support them will check the quality and outcomes of the treatment provided.

If you receive care from other health and social care professionals, we may share the information we hold about you with them to improve your care.

Some of the organisations that we may share information with are:

• NHS Partners including, NHS Trusts and other Community Services
• General Practitioners (GP)
• Ambulance services
• Social services
• Private sector providers, such as care homes or home care delivery services
• Family, associates, and representatives (with your consent or under Lasting Power of Attorney / Deputyship under Mental Capacity Act - Personal Welfare)

The Hospice has an electronic patient record system known as EMIS. This means that all patient-related information (with the exception of the Inpatient Unit) is recorded in the system and is used by staff for the purpose of providing the service of direct care. Access to information follows the principle of 'need to know', using a role-based approach across user accounts. Access is additionally governed by our Confidentiality and Data Protection Policy and the Confidentiality NHS Code of Practice.

Data sharing agreements are in place with Central Surrey Health and General Practitioners who also use the EMIS system.  Providing a shared record improves communication over the many different clinical pathways that a patient may go through during his / her care and treatment, giving clinicians access to timely information to provide the best possible care.

The Hospice may use information about you, and the care you have received, to improve the healthcare we provide to all patients. This includes medical research, monitoring and improving our services, and for other medical purposes where we believe there is a public benefit. If your information is to be shared outside the team that provided care to you, or those working to support them, we would anonymise it so that you cannot be identified.

In order to improve services, we also participate in national schemes, such as patient surveys to gain feedback from patients about their experience at the Hospice. These are completed voluntarily, and we may, on occasion, contact you to discuss the feedback you provided if you supplied contact details. The Hospice employs third party services to collect and process the data for some surveys. The Hospice only appoints processors who can provide sufficient guarantees that the requirements of the GDPR are met and that the rights of patients are protected.

We always keep your information securely and have strict rules about who can access it and how it can be used. We do our best to keep it accurate and up to date, so we will often check this with you.  The circumstances in which we may share your information with other organisations is described in this Privacy Notice.

We have a legal duty to keep information about you confidential. We expect all our partner organisations to apply the same strict security to your records, and we make sure appropriate safeguards are in place before sharing any information.

We will only share your information in strict accordance with the law, and we never use or sell it for commercial purposes.

How the Hospice and care services use your information.

The Hospice is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• improving the quality and standards of care provided
• research into the development of new treatments
• preventing illness and diseases
• monitoring safety
• planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

In most cases, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information is not needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

The Hospice has systems and processes in place to ensure compliance with the national data opt-out and to apply your choice to any confidential patient information we use or share for purposes beyond your individual care. The Hospice is compliant with the national data opt-out policy.

What your objection covers

Your objection applies to all information held about you which is not related to your own direct care.

The Hospice is required by law to report certain information to other public authorities, including notifications of deaths and infectious diseases.

Under data protection law you have the following important rights relating to the information we hold and how we use it:

The right to be informed

This right means that we must be transparent in how we use your personal information and ensure you are informed about how and why we process it. You have the right to have clarity around all processing including how long we retain your data and with whom we share it.

The right of Access

You have the right to submit a Subject Access Request (SAR) to receive a copy of your personal information that we hold.  There are some exemptions to this right and you may not always receive all the information we process.

You will need to provide details of the information required and proof of your identity.  If you wish for another person to process your request on your behalf, they will need to obtain your written consent to do so.

Those who hold a Lasting Power of Attorney for Health and Welfare for an individual can apply for that patient’s information.

The right to rectification

You have the right to request that we rectify information that you think is inaccurate. You also have the right to request that we complete information that you think is incomplete.  The Hospice may refuse this request if it believes that the information is accurate / complete or if there is a legal basis to do so and you will be notified of this.

The right to erasure

You have the right to request that personal information be erased. This right is not absolute, however, as we may be required for ongoing care reasons or legal obligation to retain this information.

The right to restrict processing

You have the right to request that the processing of your personal information be restricted. This is not an absolute right and will depend upon the legal basis for processing your information. 

The right to object to processing

You have the right to object to the processing of your personal information in certain circumstances.  The Hospice will, however, be able to continue to process the data if we can  show that we have a compelling reason for doing so.

The right to data portability

You have the right to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal information easily from one IT environment to another in a safe and secure way, without affecting its usability.

This right only applies to personal information you have provided to the Hospice.

Any requests must be submitted in writing to; the Quality Assurance Manager, Woking & Sam Beare Hospice, Goldsworth Park Centre, Woking, Surrey, GU21 3LG or email; [email protected]

The Hospice must respond within 30 calendar days.

Your right as a carer

If you have lasting power of attorney for health and welfare, you can make decisions on behalf of the patient. We will ask to see evidence of that power.

Otherwise, please speak to the health professional treating the patient. The health professional will be able to make a decision based on the patient’s best interests, taking your views into account.

All patient records are destroyed in accordance with the Department of Health’s Records Management Code of Practice for Health and Social Care 2021 https://www.nhsx.nhs.uk/information-governance/guidance/records-management-code/

which sets out the appropriate length of time each health record is retained. All records are securely destroyed once their retention period has been met and the Hospice has made the decision that the records are no longer required. 

If you have and queries or concerns about the processing of your personal information, please speak to the Senior Nurse or Manager on duty in the first instance.

Alternatively, you can contact the Hospice’s Caldicott Guardian who is responsible for protecting the confidentiality of a patient’s health and care information and making sure it is used properly. You should email: [email protected].

You also have the right to contact the Information Commissioner’s Office (ICO) who is the data regulator, should you have concerns about how your data has been processed. You can contact the ICO at: Contact us | ICO or alternatively call 0303 123 1113.

Under data protection legislation the Hospice is required to have a Data Protection Officer (DPO) and it is their role to:

• Inform and advise the organisation and its employees about their obligations to comply with applicable data protection legislation;
• Support and monitor compliance with applicable data protection legislation;
• Be the first point of contact for individuals whose data is being processed.

The Hospice uses an external company (BLS Stay Compliant) to provide a DPO service.

Further information regarding the role of the DPO and more about your rights can be found on the Information Commissioner’s Office website - www.ico.org.uk

Other people with related responsibilities:

In addition to the DPO, the Hospice has in place the following people with related responsibilities:

• The Director of Finance and Information acts as Senior Information Risk Owner (SIRO) and they are accountable and responsible for information risk across the organisation. They have responsibility for ensuring the organisation complies with data protection legislation and that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately.
• The Director of Clinical Services and the Medical Director act as Caldicott Guardian’s and they have responsibility for protecting the confidentiality of people’s health and care information and for making sure it is used properly.
• The Information Governance Team support the above roles in discharging their data related responsibilities.