Access to health and staff records
How we use your records
On 1 November 2024, Kingston Hospital NHS Foundation Trust and Hounslow and Richmond Community Healthcare NHS Trust (HRCH) came together and were renamed as Kingston and Richmond NHS Foundation Trust.
The renamed organisation legally became the ‘data controller’, and continues to take your confidentiality and privacy rights very seriously.
Any information processed by existing services will be maintained and the team will continue to decide how your information is used. Your personal data will only be viewed by relevant and appropriate staff as part of your direct care; it will not be shared with the wider organisation unless necessary for treatment or support.
Please note that during the transition phase, the organisation will continue to use existing email addresses and contact details until the full transition has occurred.
The Trusts will process your information in accordance with UK data protection laws so that they can fulfil their responsibilities. The most common legal grounds for processing data will be Articles 6(1)(e) (public task) and 9(2)(h) (medical purposes) of the UK GDPR.
This notice explains how we process your personal information and forms part of our accountability and transparency to you under the UK Data Protection Act 2018, UK General Data Protection Regulation (GDPR) and any subsequent UK legislation.
Our Caldicott Guardian (a senior manager who ensures patient information is processed appropriately) is Chief Medical Officer Dr William Oldfield.
Our Senior Information Risk Owner (SIRO) is Chief Finance Officer Yarlini Roberts.
Our Data Protection Officer is Ms Janice Sorrell who is also Head of Information Governance and the Freedom of Information Lead. Her contact details are Janice.
To contact any staff mentioned above or the information governance team, please use the information below.
Richmond community services
- Tel: 020 8973 3110
- Email: hrch.informationgovernance@nhs.net
Thames House
180 High Street
Teddington
TW11 8HU
Acute services (Kingston Hospital)
For data protection enquiries - please contact our Data Protection Officer Janice Sorrell on Janice.
Patient information
We have a duty to support and care for those most in need. To do this, we must hold records about you, your personal circumstances and the services/care you are receiving or may need to receive in the future.
See below for more information about how and why we use your information:
Patients
We have a duty to support and care for those most in need. To do this, we must hold records about you, your personal circumstances and the services/care you are receiving or may need to receive in the future, as well as basic contact information for carers.
This information will be held securely on an electronic record or in a secure paper file (within some areas of the acute setting).
The record may include:
- basic details about you, such as address, date of birth, postcode, contact phone numbers and emails, gender, first language, next of kin, carer, NHS number, ethnic group; in some cases, this might include marital status and sexual orientation
- current and past contacts we have had with you
- notes and reports about your health and social care and any treatment, care or support you need
- details and records about the services or care you receive and who is providing them
- results of your tests and diagnosis
- relevant information from other professionals, relatives or those who care for you or know you well
- any contacts you have with us such as home visits or outpatient appointments
- information on medicines, side effects and allergies
- patient experience feedback and treatment outcome information you have provided
- photos or videos you have consented to be taken
Please note that this is not a full list of the types of information we hold or handle.
At the Trust, your records are electronic and are held on a secure computer system or a secure IT network. New ways of providing joined up services are being implemented, with closer working with local health and social care partners. To assist this, the use of other electronic patient record systems to share your information has been implemented. Please see the privacy notices for more detail.
You will be given the opportunity to object to this data sharing as part of your provision of care. To do this, please speak to the team providing your treatment.
Staff, volunteers, Governors, Non-executive Directors and job applicants
The Trust keeps information on employees, volunteers and job applicants in connection with their work for the Trust or their application. The legal basis for the Trust as a public authority for processing information for this under GDPR is as follows:
6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law..’
For individual contractors providing services to the Trust:
Article 6(1)(b): the processing is necessary for a contract the individual has with the Trust, or because the individual has asked the Trust to take specific steps before entering into a contract.
This information may include:
- your name, address and contact details, including email address and telephone number, date of birth and gender
- the terms and conditions of your employment/appointment
- details of your qualifications, membership of professional bodies, skills, experience and employment history, including start and end dates, with previous employers and with the trust
- information about your remuneration, including entitlement to benefits such as pensions or insurance cover
- details of your bank account and national insurance number
- information about your marital status, next of kin, dependents and emergency contacts
- information about your nationality and entitlement to work in the UK
- information about your criminal record
- details of your schedule (days of work and working hours) and attendance at work
- details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave
- details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
- assessments of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence
- information about medical or health conditions, including whether or not you have a disability for which the trust needs to make reasonable adjustments
- equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief
The Trust may collect this information in a variety of ways. For example, data might be collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.
In some cases, the trust may collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law. Please note that references are provided in confidence and therefore exempt from the right of subject access.
SWL Recruitment Hub
The South West London Recruitment Hub is a collaboration between Croydon Health Services NHS Trust, Epsom & St Helier University Hospitals NHS Trust, St George’s University Hospitals NHS Foundation Trust and Kingston and Richmond NHS Foundation Trust. The aim is to deliver a more efficient and cost-effective service to each of the partners in accordance with the strategic direction of the Partnership Board and to enhance the employment proposition in South West London and to support and facilitate partner workforce strategies to improve recruitment and retention of staff.
In 2024, we will be working towards implementing a new unified recruitment software system, making the process easier for applicants, recruiting managers and hub staff alike.
Visitors, relatives, friends, next of kin etc
It is possible that the Trust holds information on you as part of someone else’s record. Under GDPR you may still be entitled to receive a copy of this information, so long as it would not breach the confidentiality of the person whose records hold the information, or there is another reason not to provide it.
The legal basis for the Trust as a public authority for processing information for your data under GDPR is as follows:
6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
What the GDPR/DPA terms mean:
- Contract: the processing is necessary for a contract the individual has with the Trust, or because they have asked the Trust to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for the Trust to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Exercise of Official Authority: there are many Acts of Parliament which set out the responsibilities and authority of NHS bodies, such as Foundation Trusts of which Kingston Hospital is one. For instance, the Health and Social Care (Community Health and Standards) Act 2003 and the Health and Social Care Act 2012.
- Public task: the processing is necessary for the Trust to perform a task in the public interest or for the Trust’s official functions, and the task or function has a clear basis in law.
The information that we keep is used to ensure that we can:
- contact you
- make informed decisions about your treatment and care
- plan your service and support
- refer on to another service if required
- investigate any concerns or complaints about your service
- review the care we provide to ensure it is effective
- work effectively with others who also provide you with care – i.e. your GP, other health providers, social care, or other providers of care
- monitor people receiving a service and the funding for that service
- carry out research in order to improve services and ensure they meet people’s needs
- produce statistics for central government and local planning (this information is used anonymously).
Your information will be safe and treated with the utmost respect. If we ask you for personal information we promise to:
- make sure you know why we need it
- ask only for what we need and not collect too much or irrelevant information in order for us to carry out the various tasks within the delivery of your care
- have secure processes in place to keep your personal information safe when it is being used, shared, and when it is being stored to protect it and make sure it is only available to authorised members of staff
- only collect and use your information to provide you with your care and treatment, and not use it for anything else
- get your consent to share it with other organisations, and give you the chance to refuse permission, if the data is to be used for another purpose (not health or social care)
- not make your personal information available for commercial use
- consider your request if you ask us to stop holding and processing data about you
- notify you if your data is disclosed inappropriately
- only hold your information for as long as is necessary for your care. This time period is set out and agreed following national guidance. Please ask us for more information.
In return we ask you to:
- give us accurate information
- tell us as soon as possible if there are any changes to your personal circumstances such as your address. This helps us to keep your information reliable and up to date.
It is good practice for those providing your care to:
- discuss and agree with you what they intend to record about you
- give you a copy of letters and other documents they write about you
- show you what they have recorded about you
- let you know what they have told others about you and who those others are
How do we keep your records confidential?
Everyone working for the NHS has a legal duty to keep information about you confidential.
You may receive care from other people as well as the NHS (like Social Services). We may need to share some information about you so that we can all work together for your benefit. We will only ever use, or pass on, information about you if others involved in your care have a genuine need for it such as our partner organisations which we have listed in this booklet.
All NHS organisations must comply with the NHS Care Records Guarantee. The document sets out the rules that govern how patient information is used in the NHS and what controls a patient can have over this.
We will not disclose your information to third parties outside health and social care without your consent unless there are exceptional circumstances. These may be in situations when the health and safety of others is at risk, or where the law permits information to be passed on. Anyone who receives information from us is also under a legal duty to keep it confidential.
We are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional.
Occasions when we must pass on information include:
- Notification of new births.
- Where we encounter infectious diseases which may endanger the safety of others, such as meningitis, or measles (but not HIV/AIDS).
- Where a formal court order has been issued.
- Where a serious crime has been committed or a terrorist incident has occurred.
We have appointed a senior person, our Chief Medical Officer Dr Bill Oldfield, as our Caldicott Guardian. The Caldicott Guardian is responsible for protecting the confidentiality of patients and enabling appropriate and lawful information sharing.
Who are our partner organisations?
The principal partner organisations or people with which relevant information may be shared are:
- Other NHS Trusts and Foundation Trusts and Community Health Providers
- Integrated Care Boards (ICBs – who commission hospital services – usually information is partly or fully anonymised)
- Integrated Care System (ICS – health and social services within an ICB area)
- General Practitioners (GP)
- Ambulance services
- Social services
- Private sector providers, such as care homes or home care delivery services
- Family, associates and representatives (with your consent or under Lasting Power of Attorney/Deputyship under Mental Capacity Act)
In particular, we have strong links with tertiary and specialist hospitals such as St George’s University Hospitals NHS Foundation Trust, who provide lab testing, and The Royal Marsden NHS Foundation Trust who provide cancer services on the Kingston Hospital site in the Sir William Rous Unit.
The Trust also jointly runs the South West London Elective Orthopaedic Centre (SWLEOC) at Epsom Hospital in partnership with St George’s University Hospitals NHS Foundation Trust, Croydon Health Services NHS Trust and Epsom and St Helier University Hospitals NHS Trust.
Relevant information may also be shared with the organisations below. Where this is done it will be either to benefit your treatment plan or to help plan future services for others. Usually this is covered by a strict agreement describing how the information is to be used (a Purpose Specific Information Sharing Agreement).
- Local authorities
- Education services, such as research at universities
- Voluntary sector providers, such as patient groups or health charities
Only individuals who are involved in providing your care will have access to your records. This will include staff from a number of other organisations (as listed below). We will share only the relevant and appropriate information to enable us to provide your care. Everyone involved in the provision of service has a legal duty to keep information about you confidential and secure.
We share your data with other professionals in order to provide the most appropriate treatment and support for you, and your carers, or when the welfare of other people is involved.
Examples of who we share personal information with:
- ambulance services
- external care providers
- social care
- GPs
- hospitals and other health partners
- housing organisations
- police
- voluntary organisations
The information from your patient record will only be used for purposes that benefit your care - we would never share it for marketing or insurance purposes. Please see the privacy statements (tab at the top of the page) for information on specific data sharing.
You have the right to object to information sharing at any time. Please discuss this with your relevant care professional as this could have implications in how you receive further care, including delays in you receiving care.
However, a person’s right to object is not absolute and there may be other circumstances when we must share information from your patient record with other agencies. Examples of this are:
- if there is a concern that you are putting yourself at risk of serious harm
- if there is concern that you are putting another person at risk of serious harm
- if there is concern that you are putting a child at risk of harm
- if we have been instructed to do so by a Court
- if the information is essential for the investigation of a serious crime
- if you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
- if your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases
NHS England assess the effectiveness of the care provided by publicly funded services; therefore, we have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and, in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations. This information will be anonymised.
If you would like to opt out of sharing your information for research and planning, please see more about opting out of sharing your data with NHS Digital.
How your patient records are used to help you
- Your doctor, nurse or any other healthcare professional involved in your care needs to have accurate and up-to-date information to assess your health.
- A record of any treatment or care you receive needs to be kept, in case you return for further treatment.
- This information is available should you have to see another clinician at the Trust, or receive treatment elsewhere in the NHS.
- Your records are a good basis for staff to assess the type and quality of care you have received.
- Your concerns can be properly investigated if you need to complain.
How your patient records are used to help the NHS
- Review the care we provide for you and other patients, to ensure it is of the highest standard.
- Help to ensure our services can meet patients’ needs in the future.
- Teach and train healthcare professionals.
- Conduct health research and development.
- Make sure the Trust gets paid for your treatment.
- Audit NHS services and accounts.
- Prepare statistics on NHS performance.
- Investigate complaints, legal claims or untoward incidents.
Some of this information will also be held centrally by the NHS where it is used for statistical purposes in order to plan ahead. This is known as Secondary Use. Strict security measures are taken to ensure that individual patients cannot be identified.
Anonymous statistical information may also be passed to organisations with a legitimate interest in health care and its management, including universities, community safety units and research institutions.
Where it is not possible to use anonymous information, personally identifiable information may be used for essential NHS purposes such as research and auditing. This will only be done with your consent, unless the law permits the information to be passed on to improve public health or the research has been approved by the Confidentiality Advisory Group (CAG – a national body comprised of ethicists, data protection experts as well as lay people).
There are times when it may be necessary to be able to track back to the patient. In these cases the patient detail is replaced by a code and we keep the decode in the Trust. This is called pseudonymisation and is sometimes known as partial de-identification.
We manage, maintain and protect all information according to legislation, our policies and best practices. We have security measures in place to maintain and safeguard the confidentiality, reliability and availability of our systems and data.
All information is stored, processed and communicated in a secure manner and made available only to authorised members of staff on a need to know basis. Only the minimum amount of information required will be shared.
The trust is registered with the Information Commissioner’s Office, registration number: Z2593470.
All the IT systems used by the trust are implemented with robust information security safeguards to protect your personal information.
The trust is accredited to Cyber Essentials standard and meets the requirements of the mandatory data security and protection toolkit.
We hold your records in line with the Records Management Code of Practice for Health and Social Care.
This code is relevant to organisations working within, or under contract to, the NHS in England. The Code also applies to adult social care and public health functions commissioned or delivered by local authorities.
To help us monitor our performance, evaluate and develop the services we provide, it is necessary to review and share minimal information, for example with the NHS Integrated Care Systems (ICS) for both North West London and South West London. The information we share would be anonymous so you cannot be identified and all access to and use of this information is strictly controlled.
In order to ensure that we have accurate and up-to-date patient records, we carry out a programme of clinical audits. Access to your patient records for this purpose is monitored and only anonymous information is used in any reports that are shared internally within our Trust.
If you would like to opt out of sharing your information for research and planning, please see the link below. More about opting out of sharing your data with NHS Digital
The trust actively promotes research with a view to improving future care. Researchers can improve how physical and mental health can be treated and prevented. If we use your patient information for research, we remove your name and all other personal data which would identify you. If we need the information in a form that would personally identify you, we will ask for your permission first.
For further details about how we use your information for research, please refer to the Health Research Authority website.
Please see the Trust Research pages for details about our current projects.
National opt-out
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
The national data opt-out allows you to choose if you do not want your confidential patient information to be used for purposes beyond individual care and treatment.
You can find out more or register your choice to opt out here.
On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
- hra.nhs.uk/information-about-patients (health and care research)
- understandingpatientdata.org.uk/
Legal requirements and rights
Find out more about how we meet our legal requirements:
We make every effort to handle all information in a way that respects your rights and meets the requirements of the General Data Protection Regulation and subsequent UK legislation.
The right to be informed: you have the right to know why and how your personal data is being processed. All the information you need to know can be found on this page and throughout this website.
The right of access: Under current data protection law, you have the right to ask us for a copy of all the information we hold about you. This is called a subject access request. Please see below for more information. Once we have all the relevant information we will provide your records within one month. A copy of the requested information will be provided free of charge unless the request is what the law calls ‘manifestly unfounded or excessive’, in particular if it is repetitive. In some cases, information may be withheld but we will discuss this with you.
The right to rectification: You have the right to have your information corrected if you believe it is factually inaccurate – this is known as the right to rectification.
The right to erasure: The right to erasure is also known as ‘the right to be forgotten’. In certain circumstances, it allows you to instruct organisations to delete or remove personal data. When we receive a request for the deletion or removal of personal data, we will consider the grounds for the request and decide whether to comply or whether we can legally refuse in order for us to provide our healthcare service.
The right to restriction of processing: In certain circumstances, you have a right to stop us processing your personal data. Where this right applies (e.g. if the individual contests the accuracy of the data or the processing is unlawful), we are still allowed to store the personal data but must not use it for any other purposes unless certain conditions apply. In most cases the restriction will not be in place forever, but for a limited time; for example while you consider the accuracy of the data or review whether you have legitimate grounds to override the objection.
The right to data portability: This is a new right that lets you get hold of and re-use your personal data for your own benefit across different services. It applies to personal data you have given us, when we are processing that data on the basis of consent or for the performance of a contract, and when the data is being processed by automated means.
The right to object: you have the right to object to the processing of your personal data for several reasons.
Please contact the Information governance team for more details or to make a request.
We will process your personal information fairly and lawfully by only using it if we have a lawful reason and when we do, we make sure you know how we intend to use it and tell you about your rights.
We do not rely on consent to use your information for a direct health care purpose as a ‘Legal basis for processing’. We rely on specific provisions:
Article 6
6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’
6(1)(d) ‘…necessary in order to protect the vital interests of the data subject or of another natural person’
and
Article 9
9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
For safeguarding
9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’
This means we can use your personal information to provide you with your health care without seeking your consent. However, you do have the right to say ‘No’ to our use of your information but this could have an impact on our ability to provide you with care.
We will not share your data for a purpose outside of your healthcare without your consent.
Although we will not rely on your consent to share information for your healthcare purpose, we will follow good practice laid down by common law duty of confidence with regards to informing you of what we do with your information; this is called implied consent.
Any use of personal information for non-direct care purposes without a lawful basis or consent will be considered as a breach of GDPR and subsequent data protection legislation and/or common law duty of confidence.
Complaints and advice
See below contacts for complaints and advice:
Please contact the Data Protection Officer and/or the information governance team if you have a complaint.
Information Commissioner's Office:
To get further advice or report a concern directly to the UK’s independent authority, you can do this by contacting:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113