Staff extranet
HomeResourcesPrivacy notice for patients and service users

Privacy notice for patients and service users

How your personal information is used by South Tees Hospitals NHS Foundation Trust.

South Tees Hospitals NHS Foundation Trust (STHFT) is the largest hospital trust in
the Tees Valley with two acute hospitals and services in a number of community
hospitals, providing a range of acute inpatient, outpatient, and emergency services
for the people living in across Tees Valley and North Yorkshire.

For more information please see our website: www.southtees.nhs.uk.

This Privacy Notice explains how we use and share your personal information. We
will continually review and update this Privacy Notice to reflect changes in our
services and feedback from service users, as well as to comply with changes in the
law.

Security information

Confidentiality affects everyone: the South Tees Hospital NHS Foundation Trust collect’s,
stores and uses large amounts of personal and sensitive personal data every day,
such as medical records, personal records and computerised information.

This data is used by many people in the course of their work.

Everyone working for the NHS is subject to the common law duty of
confidentiality.

Information provided in confidence will only be used for the purposes
advised and consented to by the service user, unless it is required or permitted by
the law.

We take our duty to protect personal information and confidentiality very seriously
and we are committed to comply with all relevant legislation and to take all
reasonable measures to ensure the confidentiality and security of personal data for
which we are responsible, whether computerised or on paper.

At trust board level, we have appointed a Senior Information Risk Owner who is
accountable for the management of all information assets and any associated risks
and incidents, and a Caldicott Guardian who is responsible for the management of
patient information and patient confidentiality.

All staff are required to undertake annual information governance training.

We do transfer personal information to countries across the European Union (EU)
and internationally and this is reviewed on a yearly basis.

Where we share information outside of the EU, adequacy checks will be completed in line with legislation.

We do not rely on consent to use your information as a ‘legal basis for processing’.
We rely on specific legal provisions under Article 6 and 9 of the GDPR to provide you
with Healthcare, for the purposes described in this notice we will be lawfully using
your information in accordance with:

Personal data

6(1)(e) “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Trust (Data Controller)” and occasionally 6(1)(d) “ when it is necessary to protect the vital interests of a person who is physically or legally incapable of giving consent”.

Sensitive data

9(2)(h) – “necessary for the reasons of preventative or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services” or, 9(2)(c) “when it is necessary to protect the vital interests of a person who is physically or legally incapable of giving consent” or,
9(2)(j) “processing is necessary for archiving purposes in the public interest, scientific or historical research purposes”.

This means we can use your personal information to provide you with your care
without seeking your consent. However, you do have the right to say ‘no’ to our use of your information but this could have an impact on our ability to provide you with care.

Why do we collect information about you?

All clinicians and health and social care professionals caring for you keep records
about your health and any treatment and care you receive from the NHS. These
records help to ensure that you receive the best possible care.

They may be paper or electronic and they may include:

  • Basic details about you such as name, address, email address, NHS number, date of birth, next of kin, etc.
  • Contact we have had with you such as appointments or clinic visits.
  • Notes and reports about your health, treatment and care – accident and emergency visits, in patient spells or clinic appointments.
  • Details of diagnosis and treatment given.
  • Information about any allergies or health conditions.
  • Results of x-rays, scans and laboratory tests.
  • Relevant information from people who care for you and know you well such as health care professionals and relatives.

It is essential that your details are accurate and up to date. Always check that your
personal details are correct when you visit us and please inform us of any changes
to your contact details or GP Practice as soon as possible.

This will help reduce any risk of you not receiving important correspondence.

By providing the trust with your contact details, we will communicate with you about
your healthcare, i.e. by letter, voice message (telephone or mobile number), by text
message or by email. However, you do have the right to say “No” to our use of your
information but this could have an impact on our ability to provide you with care.

How your personal information is used

In general your records are used to direct, manage and deliver the care you receive
to ensure that:

  • The doctors, nurses and other health or social care professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you.
  • Health or social care professionals have the information they need to be able to assess and improve the quality and type of care you receive.
  • Appropriate information is available if you see another clinician, or are referred to a specialist or another part of the NHS or social care.
  • Your concerns can be properly investigated if a complaint is raised.
  • Your care is administered appropriately (some administrative tasks may identify you, however wherever possible, processes will use anonymised information).

How long will you keep my information?

This Records Management Code of Practice for Health and Social Care 2016 is a
guide for the NHS to use in relation to the practice of managing records. It is relevant
to organisations who work within, or under contract to NHS organisations in England.

This also includes public health functions in local authorities and adult social care
where there is joint care provided within the NHS.

As an example this code of practice requires the following records to be kept:

  • Adult healthcare records – for 8 years after your last contact with the service.
  • Maternity records – for 25 years after your last contact with the service.
  • Children’s healthcare records (including midwifery, health visiting, and school nursing – until the child reaches the age of 25 or 26 if they were 17 when treatment was concluded.
  • Or where there is a legal duty for the trust to store your records beyond this.

All patient records are destroyed in accordance with the NHS Records Retention
Schedule, which sets out the appropriate length of time each type of NHS records is
retained.

The trust does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.

Further information on the retention periods for healthcare records can be
found here.

When do we share information about you?

We share information about you with others directly involved in your care; and also
share more limited information for indirect care purposes, both of which are
described below:

Everyone working within the NHS has a legal duty to keep information about you
confidential. Similarly, anyone who receives information from us also has a legal duty
to keep it confidential.

Direct care purposes

  • Other NHS Trusts and hospitals that are involved in your care.
  • NHS Digital and other NHS bodies.
  • General practitioners (GPs).
  • Ambulance Services.

You may be receiving care from other people as well as the NHS, for example Social Care Services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it or we have your permission. Therefore, we may also share your information, subject to strict agreement about how it will be used, with:

  • Social care services.
  • Education services.
  • Local authorities.
  • Voluntary and private sector providers working with the NHS.

We will not disclose your information to any other third parties without your permission unless there are exceptional circumstances, such as if the health and safety of others is at risk or if the law requires us to pass on information.

Indirect care purposes

We also use information we hold about you to:

  • Review the care we provide to ensure it is of the highest standard and quality.
  • Ensure our services can meet patient needs in the future.
  • Investigate patient queries, complaints and legal claims
  • Ensure the hospital receives payment for the care you receive.
  • Prepare statistics regarding NHS performance.
  • Audit NHS accounts and services.
  • Undertake heath research and development (with your consent – you may choose whether or not to be involved).
  • Help train and educate healthcare professionals.
  • Help administrate your care. We may require information that may identify you, however wherever possible, processes will use anonymised information.

Nationally there are strict controls on how your information is used for these purposes. These control whether your information has to be de-identified first and with whom we may share identifiable information.

You can find out more about these purposes, which are also known as secondary uses, on the NHS England and NHS Digital’s websites.

When other people need information about you

Everyone working in health and social care has a legal duty to keep information about you confidential and anyone who receives information from us is also under a legal duty to keep it confidential.

From time to time we may need to share information with other professionals and
services concerned in your care.

This may be for instance, when your healthcare professional needs to discuss your case with other professionals (who do not work for the trust) in order to plan your care.

We do this in order to provide the most appropriate treatment and support for you and your carers, or when the welfare of other people is involved.

There may be other circumstances when we must share information with other
agencies. In these rare circumstances we are not required to seek your consent.

Examples of this are:

  • If there is a concern that you are putting yourself at risk of serious harm.
  • If there is a concern that you are putting another person at risk of serious harm.
  • If there is a concern that you are putting a child at risk of harm.
  • If we have been instructed to do so by a court.
  • If the information is essential for the investigation of a serious crime.
  • If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object.
  • If your information falls within a category that needs to be notified for public health or other legal reasons, e.g. Certain infectious diseases.

Other ways in which we use your information

Health and care research

The trust actively promotes research with a view to improving future care.

When you agree to take part in a research study, the sponsor will collect the minimum personally-identifiable information needed for the purposes of the research project.

Information about you will be used in the ways needed to conduct and analyse the research study.

NHS organisations may keep a copy of the information collected about you.

Depending on the needs of the study, the information that is passed to the research sponsor may include personal data that could identify you.

You can find out more about the use of patient information for the study you are taking part in from the research team or the study sponsor.

You can find out who the study sponsor is from the information you were given when you agreed to take part in the study.

For further details on personal information in research please visit the health research
authority website.

Further information about specific research at South Tees Hospital NHS Foundation Trust (STHFT) is available here.

Teaching

Some medical files are needed to teach students about real and/or rare cases. These materials allow students to understand and learn real scenarios before qualifying.

NHS digital

On behalf of NHS England assess the effectiveness of the care provided by publicly-funded services – we have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations.

You have the right to object to us sharing your information to NHS Digital – this will not affect your care in any way.

For information about how you can Opt-Out of sharing your data with NHS Digital please visit the NHS Digital National Data Opt-Out Programme website.

Attend anywhere video calls

The trust is offering video consultations to some patients who have been selected by their doctor/nurse as someone who may benefit from this type of appointment and are happy to have a video appointment rather than attend hospital.

The trust does not collect or use any personal data about you on this system and the
associated Attend Anywhere website, apart from: information that you volunteer by
completing the online form to enter your name, phone number and date of birth; and
your IP address and access device type.

Information that is submitted via the online form is encrypted and securely transferred to us.

It is used solely for the purpose of identifying you to your clinical team. At end of the video call this information is deleted from the system.

Your IP address and access device type are used to process your call effectively and are deleted from the Attend Anywhere system within 12 months.

Your IP address is also sent to Google Analytics for web access statistical reporting.

The video and audio elements of your call are not recorded in the Attend Anywhere system. However, details of your consultation may be entered into your health record.

Any queries regarding your medical or care record should be made to STHFT who is providing the service. Contact details: [email protected]

Due to changes in EU legislation, which came into force on 26 May 2012, we need to
inform you about cookies we store on your device.

Cookies are small files stored in your browser and are used by most websites to help personalise your web experience.

Some features on this site will not function if you do not allow cookies.

To allow us to meet the legislation we have implemented a ‘consent’ solution where to
tick to accept the Terms of Use, Privacy Policy and Cookie Policy.

In order to use the site, you are required to accept the Cookie Policy. If you do not want to accept the use of Cookies, please contact your clinical service provider to arrange an alternative appointment.

Patient Engagement Portal (PEP)

Patient Engagement Portal (PEP)

The trust collect and share demographic and appointment information with our trusted third party PEP supplier DrDoctor to enable us to send you digital letters and appointment reminders and notifications by text message and email.

Messaging is secure.

You can opt out of receiving digital letters, text messages or emails by contacting the trust or by updating your preferences within the PEP.

DrDoctor will not share your contact details or appointment information with anyone else.

Call recording

Telephone calls to the Trust maybe recorded for the following purposes:

  • To make sure that staff act in compliance with trust procedures.
  • To ensure quality control.
  • Training, monitoring and service improvement.
  • To prevent crime, misuse and to protect staff.

Operation of CCTV

We employ surveillance cameras (CCTV) and body worn video (BWV) on and around our sites in order to:

  • Protect staff, patients, visitors and trust property.
  • Apprehend and prosecute offenders and provide evidence to take criminal or civil court action.
  • Provide a deterrent effect and reduce unlawful activity.
  • Help provide a safer environment for our staff.
  • Assist in traffic management and car parking schemes.
  • Monitor operational and safety related incidents.
  • Help to provide improved services, for example by enabling staff to see patients and visitors requiring assistance.
  • Assist with the verification of claims.

You have a right to make a Subject Access Request of surveillance information
recorded of yourself and ask for a copy of it.

Requests should be directed to the address below and you will need to provide further details as contained in the section ‘How you can access your records’.

The details you provide must contain sufficient information to identify you and assist us in finding the images on our systems.

We reserve the right to withhold information where permissible by data protection
legislation and we will only retain surveillance data for a reasonable period (nominally 30 days) or as long as is required by law.

In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose surveillance data for legal reasons.

When this is done there is a requirement for the organisation that has received the images to adhere to the data protection legislation.

National patient surveys and audits

is part of the government’s commitment to ensure patient feedback is used to inform the improvement and development of NHS services.

We may share your contact information with an NHS approved contractor to be used for the purpose of national surveys and audits.

You do not have to participate in these surveys and the information will contain contact details to opt out.

Data processors

As a trust we have entered into contracts with other organisations to provide services for us.

These range from software companies to provide Electronic Patient Records to contractors who provide specialist clinical services that help provide a better service to you as a patient.

These contractors may hold and process data including patient information on our behalf.

These contractors are known as ‘Data Processors’ and subject to the same legal rules and
conditions for keeping personal information confidential and secure.

We are responsible for making sure that staff in those organisations are appropriately trained and that procedures are in place to keep information secure and protect privacy.

These conditions are written into legally binding contracts, which we will enforce if
our standards of information security are not met and confidentiality is breached.

Great North Care Record

The Great North Care Record is a way of sharing patient information with health and care staff. It covers the 3.6 million people living in the North East and North Cumbria.

It means information recorded about your health such as illnesses, hospital admissions and treatments can be accessed by different people who are involved in your care.

Previously, different hospitals, GPs and other health workers record separate pieces of information about you, which wasn’t easily shared.

By sharing this information with the Great North Care Record, health and care workers can access the most current details about you 24/7.

This can help them make choices about your care, as they know more about you.

It is your choice to be part of the Great North Care Record.

Everyone living in the North East and North Cumbria is automatically opted-in to their medical record being accessible via the Great North Care Record, unless they have previously opted out of sharing GP records.

If you are happy for your records to be available, you don’t need to take any action.

Opting out of great North Care Record

You can prevent your patient record being made available on the Great North Care Record by completing the opt out form on this website.

The information you provide will only be accessed by Newcastle Hospitals who manage the Great North Care Record on behalf of the region.

They will remove you from sharing electronic records as part of the Great North Care Record.

We urge you to read this information which explains more about what opting out means. The information you submit is held securely and is only held for the purposes of opting you out.

The information is deleted once it is retrieved by Newcastle Hospitals.

The opt out is registered on the Great North Care Record’s Health Information Exchange.

If you want to opt back into sharing your record at any time, contact the Great North Care Record helpline on 0344 811 9587 or [email protected]

More information is available at: https://www.greatnorthcarerecord.org.uk/opt-out/

Flu vaccines and the COVID-19 response

On average, flu kills over 11,000 people each year – some years this number is
much higher – and it hospitalises many more. This is anything but a typical year due
to the potential impact of flu and COVID-19 circulating at the same time.

This year, as well as GP practices inviting key eligible groups to receive their
vaccination, reminders have gone out nationally to supplement this.

COVID-19 vaccines will also be managed centrally once they are available. Given the potential time gap required between the flu and COVID-19 vaccines, it is important that the invites, reminders and uptake of the vaccines are carefully managed together and
regarded as part of the response to the COVID-19 pandemic.

This guidance describes how data is being used to help ensure that those who are
entitled to a flu vaccine receive one. This includes data relating to both health and
care staff and patients.

Lateral flow testing

What happens to my personal information after I submit my test results?

The trust is required by the department of health and social care, Public Health
England and as part of the national NHS Test and Trace programme to provide the
details of staff tests undertaken.

This fulfils the statutory reporting requirements for COVID-19 testing.

Information that will be provided includes; your full name, gender, date of birth, address, email address, mobile phone number date of your test and test result.

The sharing of this data is covered under the Control of Patient Information regulation (https://digital.nhs.uk/coronavirus/coronavirus-covid-19-response-information-governance-hub/control-of-patient-information-copi-notice) and your data will be handled in strict confidence.

For further information and to view a copy of the national privacy notice please visit this
link: https://www.gov.uk/government/publications/coronavirus-covid-19-testingprivacy-information/testing-for-coronavirus-privacy-information–2

Data subject rights

Under the current data protection legislation individuals have the following rights:

  • A right to confirmation that their personal data is being processed and access to a copy of that data which in most cases will be free of charge and will be available within 1 month (which can be extended to two months in some circumstances).
  • Who that data has or will be disclosed to.
  • The period of time the data will be stored for.
  • A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed.
  • Data Portability – data provided electronically in a commonly used format.
  • The right to be forgotten and erasure of data does not apply to an individual’s health record or for public health purposes.
  • The right to lodge a complaint with a supervising authority (see Raising a concern).

Your right to object

You have the right to restrict how and with whom we share information in your
records that identifies you.

If you object to us sharing your information we will record this explicitly within your records so that all healthcare professionals and staff involved with your care are aware of your decision.

If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable.

Please discuss any concerns with the clinician treating you so that you are aware of any potential impact.

You can also change your mind at any time about a disclosure decision.

How you can access your records

You can request access to the information that the trust holds about you and you should do this by contacting the trust’s patient access team.

They will provide you with guidance on the Trust’s processes. Once your request has been received and your identity / entitlement verified, your request will usually be completed within one calendar month. However, if your records are extensive we may take longer to
process your request but will inform you from the outset where possible, and in any case within 30 days.

To submit a formal request, please contact:

Patient Access Office
South Tees Hospitals NHS Foundation Trust
The James Cook Hospital Site
Marton Road
Middlesbrough
TS4 3BW
Or email: [email protected]

Information you are entitled to

As well as receiving a copy of the information that the trust holds and processes you
are also entitled to the following:

  • To be told whether any personal data is being processed.
  • Given a description of the personal data, the reasons it is being processed,and whether it will be given to any other organisations or people.
  • Given a copy of the personal data together with its source (where this is available).

Data controller

South Tees Hospital NHS Foundation Trust (STHFT) is registered with the information commissioner’s office (ICO) as a data controller and collects data for a variety of purposes.

The Trust Registration Number is: Z5832686

Data protection officer

The trust’s data protection officer (DPO) is responsible for ensuring that the trust complies with the GDPR and DPA 2018.

The DPO is the person to contact if you would like to know more about how we use your information, require this information in any accessible format or language or if (for any reason) you do not wish to have your information used in any of the ways described please contact:

South Tees Hospitals NHS Foundation Trust
The James Cook Hospital
Marton Road
Middlesbrough
TS4 3BW
Main switchboard: 01642 850850
[email protected]

Raising a concern

Patients who have a concern about any aspect of their care or treatment at this Trust, or about the way their records have been managed, should contact the Patient Advice and Liaison Service (PALS).

If you have any concerns about how we handle your information you have a right to
complain to the Information Commissioners Office about it:

Information commissioner’s office
Wycliffe House, Water Lane
Wilmslow, SK9 5AF

Telephone: 08456 306060

Website: ico.org.uk