Privacy notice for patients

This privacy notice tells you what to expect us to do with your personal information when you contact us or use our services.

The General Data Protection Regulation (UK GDPR) 2016 represents the most significant update to data protection laws that apply to the United Kingdom. It requires transparency and allows individuals to have more control over the way in which their personal data is used. Personal data includes any information that can be used to identify you.

This notice serves as a statement from the Trust, outlining how we collect, use, disclose and manage your information. It also fulfils our legal obligation to inform you, as a patient, about the handling of your personal data and your associated rights.

The Trust provides services from the following locations:

  • Good Hope Hospital
  • Birmingham Heartlands Hospital
  • Solihull Hospital
  • Queen Elizabeth Hospital Birmingham
  • Out of Hospital services delivered by the Trust which include:
    • Community services
    • Dental community services
    • Primary care services
    • Sexual health services

Changes to this privacy notice

This privacy notice will be reviewed on an annual basis. We reserve the right to update this privacy notice at any time. We may notify you in other ways from time to time about the processing of your personal information.

Who we are

University Hospitals Birmingham NHS Foundation Trust (UHB) is one of the highest performing healthcare organisations in Europe, with a proven international reputation for its quality of care, information technology, clinical education and training and research.

The Trust employs more than 20,000 staff and runs the largest single-site hospital in the country.

Our Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and our registration number is Z5568104.

  • About us

Data Protection Officer

The Data Protection Officer at our Trust is responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal data and how it is being used.

Data Protection Officer
Information Governance Team
3rd Floor, Nuffield House
Queen Elizabeth Hospital Birmingham
Mindelsohn Way
Birmingham, B15 2TH

Information Commissioner’s Office

The Information Commissioner’s Office (ICO) is the body that regulates the Trust under data protection and freedom of information legislation.

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the ICO.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF

Why we collect personal information about you

The staff caring for you need to collect and maintain information about your health, treatment and care, so that you can be given the best possible care.

Our legal basis for processing personal information about you

Under UK GDPR, the Trust is required to have a lawful reason for processing your personal information – this is recognised as a ‘legal basis’. For the most part, the Trust relies on the following legal basis for delivering your care and treatment:

  • “the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” under chapter 2, article 6 (1) (e)
  • “the provision of health or social care or treatment or the management of health or social care systems and services” under chapter 2, article 9 (2) (h) of the UK GDPR

In addition to the above, the Trust may rely on the following legal basis for processing your personal information:

Type of processing: All health and adult social care providers are subject to the statutory duty to share information about a patient for their direct care. This would also include:

  • preventive or occupational medicine
  • medical diagnosis
  • the provision of health care or treatment
  • the provision of social care
  • the management of health care systems or services
  • waiting list management
  • performance against national targets
  • activity monitoring
  • local clinical audit

Art 6 GDPR: 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’
Art 9 GDPR: 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Type of processing: Emergency care and treatment (where the patient is physically or legally incapable of giving consent)
Art 6 GDPR: Art 6(1)d (‘to protect the vital interests of an individual’)
Art 9 GDPR: Art 9(2)c (‘vital interests’)

Type of processing: Safeguarding of vulnerable adults and children
Art 6 GDPR: Art 6(1) c (‘legal obligation to which the controller is subject’)
Art 9 GDPR: Art 9(2) g (‘where the processing is necessary for the purposes of substantial public interest (protection of vulnerable individuals)’)

Type of processing: Commissioning and planning purposes (Commissioners may receive personal data in support of commissioning activities)
Art 6 GDPR: Art 6(1) c (‘legal obligation to which the controller is subject’)
Art 9 GDPR: 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

For further information on this legislation please visit the Information Commissioner’s Office (ICO) website.

What personal information we need to collect about you and how we collect it

We collect personal information about you in a number of ways. Your information will be collected by your doctor and the team caring for you, who will record information about the care and treatment you receive at the Trust. We may also collect personal information from other routes which may include a referral from your GP or another hospital, or directly from your authorised representative (where applicable).

The collected information will be referred to as your health records, which may be stored either in paper format or electronically within a computer system. It is likely that we will hold the following basic personal information about you:

  • Name, date of birth, NHS number, gender, address (including correspondence), telephone numbers
  • Next of kin contacts
  • GP details

We might also hold your email address, marital status, occupation, overseas status, place of birth and preferred or maiden name.

More sensitive information

UK GDPR gives extra protection to more sensitive information known as ‘special category data’. Information concerning health and care falls into this category and needs to be treated with greater care. This information about you could include:

  • notes and reports about your health, treatment and care, including:
    • your medical conditions (physical and mental)
    • results of investigations, such as X-rays and laboratory tests
    • future care you may need
    • personal information from people who care for and know you, such as relatives and healthcare or social care professionals
    • other personal information, such as smoking status
  • your religion and ethnic origin
  • whether or not you are subject to any protection orders regarding your health, well-being and human rights (safeguarding status)
  • where applicable, the date and cause of a person’s death in our hospitals
  • genetic data (for example, details about a DNA sample taken from you as part of a genetic clinical service)
  • data concerning your sexual orientation
  • biometric data (where used for identification purposes)

This personal information can be held in a variety of formats, including paper records, electronically on computer systems, and in video and audio files.

It is important for us to have a complete picture of you as this will help staff to deliver appropriate treatment and care plans in accordance with your needs.

CCTV/surveillance cameras

In addition to the personal information we collect, the Trust uses surveillance cameras (CCTV and body-worn cameras) on and around our premises for the purposes of crime prevention and detection, to assist in traffic management and to monitor operational and safety related incidents. When visiting the Trust, you will likely be captured by the surveillance systems in operation. Images captured by CCTV will not be kept for longer than necessary and will be held securely. However, on occasions there may be a need to keep images for longer, for example where a crime is being investigated. The use of CCTV and any disclosure of images will be in accordance with the codes of practice issued by the Information Commissioner.

What we do with your personal information

Your records are used to directly manage and deliver healthcare to you to ensure that:

  • the staff involved in your care have accurate and up to date information to assess and advise on the most appropriate care for you
  • staff have the information they need to be able to assess and improve the quality and type of care you receive
  • appropriate information is available if you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or healthcare provider

What we may do with your personal information

The personal information we collect about you may also be used to:

  • remind you about your appointments and send you relevant correspondence
  • review the care we provide to ensure it is of the highest standard and quality, e.g. through audit, service improvement and research, for example the Friends and Family Test
  • support the funding of your care, e.g. with commissioning organisations
  • prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies
  • help to train and educate healthcare professionals
  • report and investigate complaints, claims and untoward incidents
  • report events to the appropriate authorities when we are required to do so by law
  • review your suitability for research studies or clinical trials
  • contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients
  • contact you with regards to Trust membership
  • contact you to provide spiritual, religious and emotional support to all patients, regardless of faith, as part of our holistic approach to patient care

Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it, and we will only use or share the minimum information necessary.

  • How to make a complaint

Who we share your information with, and why

We may need to share relevant personal information with other NHS organisations. For example, we may share your information for healthcare purposes with health authorities such as NHS England, NHS Digital, Public Health England, other NHS trusts, general practitioners (GPs), ambulance services, primary care agencies etc. We will also share information with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs.

We share your information with NHS Digital for the purposes of the National Disease Registration Service (NDRS) which records people with congenital abnormalities and rare diseases across the whole of England. The data collected is then used to establish how well treatments are working and to further improve patient care across the country. For further information, please see the NDRS web page.

We may need to share information from your health records with other non-NHS organisations from which you are also receiving care, such as Social Services or private care homes. However, we will not disclose any health information to third parties unless there are specific circumstances, such as when the health or safety of others is at risk, where current legislation permits or requires it or where we have your explicit consent.

There are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

There may also be situations where we are under a duty to share your information due to a legal requirement. This includes, but is not limited to:

  • disclosure under a court order
  • sharing with the Care Quality Commission for inspection purposes
  • sharing with the police for the prevention or detection of crime
  • where there is an overriding public interest to prevent abuse or serious harm to others

The Trust is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to the Trust in confidence will only be used for the purposes explained to you and to which you have consented, unless there are exceptional circumstances, such as:

  • when the health or safety of others is at risk
  • where the law requires it
  • where there is an overriding public interest to do so

Where there is cause to do this, the Trust will always do its best to notify you of this sharing.

International transfer of Data

For any request to transfer your data internationally outside the United Kingdom or the European Union (EU), we will make sure that an adequate level of protection is in place before the transfer. This includes ensuring a safe and secure mechanism for transferring the information as well as introducing contractual obligations between the Trust and the other organisation involved.

Birmingham and Solihull Shared Care Record

University Hospitals Birmingham NHS Foundation Trust works with other health and social care organisations to share information that will form part of your Shared Care Record. The Shared Care Record allows health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you. Information we hold about you will be available, to read only, to other health and care professionals in Birmingham and Solihull, Coventry and Warwickshire, and Herefordshire and Worcestershire when they are involved in your health or social care.

For more information on how your data is used on the Shared Care Record and how to exercise your rights please see the full privacy notice on the Birmingham and Solihull Integrated Care System (ICS) website.

How we maintain your records

Your personal information is held in both paper and electronic formats (including audio recordings, electronic databases etc), for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.

We hold and process your information in accordance with the General Data Protection Regulation (GDPR) in conjunction with the Data Protection Act 2018, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.

We have a duty to:

  • maintain full and accurate records of the care we provide to you
  • keep records about you confidential and secure
  • provide information in a format that is accessible to you

Your personal information will only be kept for as long as is necessary and will be destroyed in accordance with the Trust's Record Management and Information Lifecycle Policy.

Use of email

Some services in the Trust provide the option to communicate with patients via email. Please be aware that the Trust cannot guarantee the security of this information while in transit, and by requesting this service you are accepting this risk.

Further information can be found in our information governance policies.

Your rights

If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. Under data protection laws, you have rights which you can exercise in relation to the personal information the Trust holds on you. Your rights will differ depending on the legal basis used to process your information. More information relating to your individual rights can be found in ‘A guide to individual rights | ICO’.

Below is a list of your individual rights:

The Right of Access

You have the right to request access to the personal information we hold about you, e.g. in health records. Further guidance on accessing personal information we hold about you can be found under ‘Request access to health records’.

Right to Rectification

You have the right to request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards.

The Right to Object

The right to object to processing means that your data should no longer be processed. However, this right applies only when your data has been collected based on your consent. In most cases, we process your data based on a legal basis rather than consent, meaning this right may not apply for care related purposes.

If your data is used for other reasons, this right may be applicable and your right to object can be registered through the national data opt-out programme. For further information, please see the national data opt-out programme.

The Right to Erasure

You have the right to ask us to erase your personal information in certain circumstances.

The Right to Restrict Processing

You have the right to ask us to restrict the processing of your personal information in certain circumstances.

The Right to Data Portability

You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

Use of profiling

You have the right to challenge any decisions made without human intervention (automated decision making) in some circumstances. Profiling refers to the automated processing of personal data to assess specific aspects of an individual. The Trust may use profiling techniques for healthcare planning purposes. One example of this is use of personal data to predict things such as an individual’s health.

National Data Opt Out

The information collected about you when you use health and care services at the Trust can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear lawful basis to use this information. All these uses help to provide better health and care for you, your family and future generations.

Whenever possible, information used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed.

You have a choice about whether you want your personal information to be used in this way. If you are happy with this use of information you do not need to do anything.

If you do choose to opt out, your confidential information will still be used to support your individual care but not in the instances described above. Opting out of your confidential information being used will need to be registered through the national data opt-out programme.

Our Trust is currently compliant with the national data opt-out programme.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.

To find out more information about how your data may be used for research, please read the Trust Research privacy notices.

You can change your mind about your choice at any time.

Personal information being used or shared for purposes beyond individual care does not include your information being shared with insurance companies or used for marketing purposes and information would only be used in this way with your specific agreement.

We will always try to keep your information confidential and only share information when absolutely necessary. We have procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Last reviewed: 04 April 2025
