Privacy Notice
We have updated this Notice, to incorporate the changes brought about by the General Data Protection Regulation (GDPR) that came into force on 25th May 2018. GDPR includes provisions on Privacy Notices in Articles 12, 13 and 14.
Covid-19 Supplementary Privacy Notice - your information
About us
Dorset HealthCare is responsible for all mental health services and many physical health services in Dorset, delivering both hospital and community-based care. We are the biggest provider of healthcare in Dorset, and our services continually evolve and develop to meet the needs of the local community.
We serve a population of almost 700,000 people and employ over 5,000 staff, covering a wide range of expertise and specialisms. Our staff provide healthcare at over 300 sites, ranging from village halls and GP surgeries to mental health inpatient hospitals and community hospitals - as well as in people's homes. Dorset HealthCare's services include:
- Dorset's 12 community hospitals and minor injuries units
- adult and children's community health services (physical and mental)
- inpatient mental health services
- specialist mental health services (perinatal, acute hospital liaison, forensic and eating disorders)
- primary Care mental health services across Dorset and Southampton (Steps to Wellbeing)
- specialist learning disability services
- community brain injury services.
Our community health services include: district nurses, health visitors, school nursing, end of life care, sexual health, safeguarding children, diabetes education, audiology, speech and language therapy, dermatology, podiatry, orthopedic services, wheelchair services, anti-coagulation services, pulmonary rehab, early discharge stroke services, Parkinson's care, community oncology and breastfeeding support services.
Our annual income is around £253 million.
We have University Trust status and work with Bournemouth University to provide benefits for patients and staff. Our University Trust status supports us in providing innovative care, promoting clinical excellence, and attracting and retaining high quality staff. The Trust also has active relationships with Southampton University and St Loyes.
What is a privacy notice?
A privacy notice is a statement by the Trust to patients, service users, visitors, carers, the public and staff that describes how we collect, use, retain and disclose personal information which we hold.
Why issue a privacy notice?
Dorset HealthCare recognises the importance of protecting personal and confidential information in all that we do and takes care to meet its legal and regulatory duties. This notice is one of the ways we can demonstrate our commitment to our values and to being transparent and open. It also shows our commitment to respecting diversity, acting with integrity, demonstrating compassion, striving for excellence and listening and supporting others.
This notice explains what rights you have to control how we use your information.
Who are we accountable to?
Information Commissioner’s Office
Our consultants, doctors, nurses, healthcare professionals and registered support staff are also regulated and governed by professional bodies including numerous royal colleges.
Legal basis for processing your information
We only process your information if we have a lawful reason to do so. We make sure you know how we use your information, and tell you about your rights.
We rely on the following specific conditions in Articles 6 and 9 of the GDPR to process your information:
6(1) (e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’
6(1) (c) ‘…for compliance with a legal obligation to which the controller is subject’
9(2) (h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
We do not rely on consent to use your information as a legal basis for processing.
What information do we collect from you, and why?
We may ask for or hold personal confidential information about you which will be used to help us deliver appropriate care and treatment. This supports us to provide high quality care.
These records may include:
- basic details, such as name, date of birth, address, phone number, mobile number and email address (where you have provided it to us)
- your next of kin and their contact details
- contact we have had, such as appointments and home visits
- notes and reports about your mental and/or physical health and any treatment, care or support you need and receive
- results of your tests and diagnosis
- information on medicines, side effects and allergies
- patient experience feedback and treatment outcomes information you provide
- information from people who care for you and know you well, such as other professionals involved in your care, and your family.
SMS texts
Where we hold your mobile number we may use SMS text messaging for the following reasons:
Appointment reminders
Notification request you to contact your clinician or clinic for a specific reason i.e. notification that test results are ready or to make an appointment.
To carry out post-treatment service quality surveys.
Records may also include personal sensitive information such as sexuality, race, your religion or beliefs, and whether you have a disability, allergies or health conditions. It is important for us to have a complete picture, as this information helps staff involved in your care to give personalised care, deliver appropriate treatment and care plans and meet your needs.
Most of your records are electronic and are held on a computer system and secure IT network. Information is collected in a number of ways, via your healthcare professional, referral details from your GP or provided directly by you and others involved in your care.
How we use your information
- to help inform decisions that we make about your care
- to ensure that your treatment is safe and effective
- to work effectively with other organisations who may be involved in your care
- to support the health of the general public, ensure our services can meet future needs and review care to ensure it is of the highest possible standard
- to ensure our services can meet future needs
- for research and audit
- to prepare statistics on NHS performance
- to monitor how we spend public money.
It helps you because accurate and up-to-date information helps us to provide you with the best possible care and if you see another healthcare professional, specialist or another part of the NHS, they can more easily access the information they need to provide you with the best possible care
Where possible, when using information to inform future services and provision, non-identifiable information will be used.
Accuracy of information
The information we hold on you is only accurate as long as you keep us and your GP informed of any changes to your contact details. If you move address, change your phone, mobile number or email address please inform us and your GP at the earliest opportunity.
How we keep your information safe and confidential
Dorset HealthCare is committed to keeping your information secure. Information is retained in secure electronic and paper records and access is restricted to those who need it. Security and access controls, operational policies and procedures are in place to protect your information.
The GDPR regulates the processing of personal information.Strict principles govern our use of information and our duty to ensure it is kept safe and secure.
Dorset HealthCare University NHS Foundation Trust is registered with the Information Commissioners Office (ICO).
Everyone working for the Trust is subject to the Common Law Duty of Confidentiality, the Data Protection Act 2018 and the GDPR. Information provided in confidence will only be used for the purposes for which you have consented, unless there are other circumstances covered by the law.
Under the NHS Confidentiality Code of Conduct, all staff are required to protect information, inform you of how your information will be used and to allow you to decide if and how your information can be shared. This will be noted in your records.
All staff are required to undertake annual training in data protection, confidentiality, IT/cyber security, with additional training for specialists, like people who look after healthcare records, data protection officers and IT staff.
Who we share your information with
To provide best care possible, your information will be shared with the team who are caring for you and providing treatment to you.
The NHS, social services and private healthcare organisations work together so we may need to share information about you with other health and care professionals and services involved in your care. As of the 1 November 2020 this includes 'Provide' the newly commissioned Child Health Information Service. We do this to provide you with the most appropriate treatment and support for you and your carers, or when the welfare of other people is involved.
We share information with the Dorset Care Record. This brings together information from health and social care services (such as GPs, acute and community hospitals, community and mental health services) into one shared record for health accessed by care professionals directly involved in your care. From your patient record we share your name, address, contacts i.e. your next of kin, diagnosis, allergies and alerts as well as information about your appointments, care plans, immunisations and referrals. If you do not want your information shared with the Dorset Care Record, please discuss this with your health and care professional.
You have the right to opt out of your information being shared in this way at any time. Please discuss this with your health care professional as this could have implications in how you receive further care.
A person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies. In these rare circumstances we are not required to have your consent.
Examples of this are:
- if there is a concern that you are putting yourself at risk of serious harm
- if there is concern that you are putting another person at risk of serious harm
- if there is concern that you are putting a child at risk of harm
- if we have been instructed to do so by a Court
- if the information is essential for the investigation of a serious crime
- if you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object.
We will not disclose any health information to other third parties without your explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires the disclosure of information.
Sharing information for improving services
To help us monitor our performance, evaluate and develop the services we provide we need to review and share minimal information with organisations that commission our services (such as Dorset Clinical Commissioning Group) and organisations that regulate and monitor our services (such as NHS England and NHS Digital).
To ensure that we have accurate and up-to-date patient records, we carry out a programme of clinical audits. Access to your patient records for this purpose is monitored and only anonymous information is used in any reports that are shared internally within our organisation.
On occasion we may use information for research or strategic planning as a Trust that takes part in and runs research projects we will not share your identifiable data unless you have explicitly given your consent and where ever possible use pseudoanonymised data that means we have put the data beyond identification.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed. You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit your NHS data matters.
You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/%20 (which covers health and care research); and https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have until March 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is compliant with the national data opt-out policy.
Contacting us about your information
Each organisation has a senior person responsible for protecting the confidentiality of your information and enabling appropriate sharing. This person is known as the Caldicott Guardian. You can contact Dorset HealthCare University NHS Foundation Trust’s Caldicott Guardian by using the Contact Us section of this website. There is also a Data Protection Officer to meet our requirements under the GDPR.
If you have any questions or concerns about the information we hold on you, the use of your information or would like to discuss further, please contact the Information Governance team:
Information Governance Team
Dorset HealthCare University NHS Foundation Trust
Sentinel House
4-6 Nuffield Road
Poole
BH17 0RB
Phone: 01202 277327
Email: dhc.informationgovernance@nhs.net
How can I access the information you hold about me, and what are my rights?
Under the current Data Protection Act 2018 and the GDPR a person may request access to information (with some exemptions) that is held about them by an organisation. This is called a Subject Access Request. From 25 May 2018 (GDPR) there is no fee for this unless a request is unfounded or excessive, particularly if it is repetitive. In that case, a reasonable fee may be charged.
To submit a Subject Access Request, please email to dhc.sar.enquiries@nhs.net
Your Rights under the GDPR are:
1. Right to be informed
2. Right to access
3. Right of rectification
4. Right to erasure
5. Right to restriction of processing
6. Right to data portability
7. Right to object
8. Automated individual decision-making, including profiling
We will comply with your rights and our responsibilities as stated above
Data breaches under GDPR
Under the GDPR we have a duty to report certain types of data breach (where information has not been appropriately protected) to the Information Commissioner’s Office (ICO). If the breach creates a risk to your rights and freedoms we will notify you without undue delay and the ICO within 72 hours of becoming aware of the breach, where possible.
If the breach is likely to bring a high risk of adversely affecting your rights and freedoms, we will also inform you without undue delay.
Further information
To find out about other resources to help put you in charge of your healthcare
Contacting us if you have a complaint or concern
We try to meet the highest standards when collecting and using personal information.We encourage people to bring concerns to our attention and we take any complaints we receive very seriously. You can submit a complaint through the Trust’s Complaints Procedure, which is available on our website , or you can write to:
The Complaints Department
Dorset HealthCare University NHS Foundation Trust
Sentinel House
Nuffield Industrial Estate
4-6 Nuffield Road
Poole
BH17 0RB
If you are still dissatisfied with the Trust’s decision following your complaint, you may wish to contact:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
You can find more information on their website at www.ico.gov.uk
The Information Commissioner will not normally consider an appeal until you have exhausted your rights of redress and complaint to the Trust.
Copyright
Our copyright and database right material is licensed for use and re-use under the Open Government Licence (OGL).To view this licence, visit www.nationalarchives.gov.uk/doc/open-government-licence or write to:
Information Policy Team
The National Archives
Kew, Richmond
Surrey
TW9 4DU
Use of information expressly made available under this licence indicates your acceptance of the terms and conditions as set out in the OGL. When you use our information under the OGL, you should include the following attribution: [Insert name of information resource, Dorset HealthCare University NHS Foundation Trust, date of publication], licensed under the Open Government Licence www.nationalarchives.gov.uk/doc/open-government-licenceFor information where the copyright is owned by another person or organisation, you must apply to the copyright owner to obtain their permission to use/re-use.
The information supplied to you continues to be protected by the Copyright, Designs and Patents Act 1988. You are free to use it for your own purposes, including any non-commercial research you are doing and for the purposes of news reporting. Any other re-use, for example commercial publication and subscription charge, would require the permission of the copyright holder. In accordance with the Re-Use of Public Sector Information Regulations 2005, information provided to you may not be used for commercial publication, subscription charge or sold on to a third party, without the permission of
Dorset HealthCare University NHS Foundation Trust
If you need further clarification, please contact the Information Governance team on 01202 277327 or email dhc.informationgovernance@nhs.net
Where any contact details are given for members of Trust staff, notice is hereby given, on behalf of the individual or individuals that this personal information may not be used for the purposes of direct marketing.