Information Governance Team
Privacy Notice for patients, parents and guardians
On this page
- Introduction
- What do we collect and why?
- What types of information do we use?
- What is the lawful basis to process your information?
- What are your rights in relation to your personal information?
- National data opt-out
- How long do we keep your record?
- Who might we share your information with?
- Information we may receive about you which may not be supplied by you
- We are a teaching hospital
- Some organisations process information for us
- Sharing information to assess compliance with standards
- Other reasons to share
- Keeping your records up to date
- How you can get access to your health record
- What happens if we need to transfer your information abroad?
- What if we wish to use your information for another purpose?
- Further information and contact details
Looking After Your Records Privacy Notice Leaflet PIAG 59 (233kB pdf)
Introduction
Everyone in the NHS has a legal duty to keep information about their patients confidential, and great care is taken to ensure that high standards of confidentiality are maintained.
At Alder Hey we take the security of patient information collected very seriously. All staff are required to be trained every year on keeping information secure. We also issue regular reminders to staff and conduct audits to ensure good practice.
The information below summarises who we are, what information we hold about you, what we will do with the information we hold, including who we may share it with and how long we will keep the information for. This document also explains what rights you have to control how we use your information.
What do we collect and why?
For us to look after patients we must keep a record of their name, address, date of birth and family doctor.
We have to record information about the medical condition, related tests and treatment, drugs given or operations. We may record information about the illnesses of other family members, information from GPs, or other organisations where treatment has been received.
All personal information about patients is kept in the hospital case notes and/or on computer
What types of information do we use?
Personal data means any information relating to an identified or identifiable individual; an identifiable person is one who can be identified directly or indirectly.
Special category data means any information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union activities, physical or mental health, sexual life, genetic data or biometric data.
What is the lawful basis to process your information?
The General Data Protection Regulations and the Data Protection Act 2018 allow us to process your data under the following conditions:
Where we process your personal data, we will do so because it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. Where we process your special category data we will do so because it is necessary for the purposes of preventive medicine, medical diagnosis, the provision of healthcare or treatment or the management of healthcare systems and services, or a contract with a health professional.
We have an obligation to protect the health of the general public and where we do this we will process your personal data for the performance of a task carried out in the public interest.
Where we process your special category data we will do so because processing is necessary for the reason of public interest in the area of public health.
As a healthcare provider, there may be occasions where we need to process personal and/or special category data because someone is at risk of serious harm and, where we do this, we will process the information to protect that person’s vital interests.
There may be occasions when we will be obliged to process your information in order to comply with a court order, coroner’s instruction, to prevent or detect crime or to comply with the law. Where we do this, we will process your personal and/or special category data to comply with a legal obligation to which the Trust is subject.
If we process your information for other purposes that are not described above, then we will seek your consent to do so before we process it. If the basis for processing your data is consent, and no other legal basis applies, you have the right to withdraw consent at any time for future processing (this does not make use based on consent up to that time invalid).
The Trust does not undertake automated decision-making or profiling of your personal information.
The Trust is registered with the Information Commissioner’s Office
(Registration Number is Z1435601).
What are your rights in relation to your personal information?
Unless subject to an exemption, you have the following rights with respect to your personal data:
- To be informed – this enables you to be informed how your data is processed.
- Right of access – this enables you to receive a copy of the personal information held about you and to check the lawful processing of it.
- To rectification – this enables you to have any incomplete or inaccurate information held about you corrected.
- To erasure – this enables you to ask to delete or remove personal information where there is no good reason for continuing to process it.
- To restrict processing – this enables you to ask to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- To data portability – this enables you to transfer your electronic personal information to another party.
- To object – this enables you to object where processing your personal information is for direct marketing purposes.
- In relation to automated decision making & profiling – this enables you to be told if your data is being processed using automated software.
Further information about your rights can be found via the Information Commissioners website
You also have the right to lodge a complaint with the Information Commissioners Office, if you believe that the Trust has not processed your data in line with the legislation.
National data opt-out
The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning. Further details can be found here
The Trust complies with the National data opt-out policy.
How long do we keep your record?
Each type of record is held for a certain amount of time before it is recognised as no longer required or needed and can be confidentially destroyed. The length of time we must keep records are shown in the NHS Records Management Code of Practice, which you can view here
Who might we share your information with?
We may have to share information with GPs, other hospitals, social services or schools. Our patients may be receiving or need care from other organisations who will need information from us in order that they can plan the best treatment.
We have to share information within the NHS to ensure that treatment is properly funded and carried out. The information may not identify individual patients and is usually to help plan future needs of the NHS to check that we are performing satisfactorily, or that a type of treatment is effective.
All information is kept securely and only those who need it to help with treatment, have access to it.
We only pass on the information about our patients if the other person has a genuine need to know, or to protect your health. We only pass on the information which is needed and no more.
We also carry out reviews ourselves to help improve investigation and treatment. This is called Clinical Audit.
Some conditions or infectious diseases are required to be added to national registers. Sometimes this does require a patients’ name but if this is the case, we will tell you.
All those who handle this information are fully aware that it has to remain confidential.
We will not share your information for marketing, social media or insurance purposes unless we have your consent to do so.
Information we may receive about you which may not be supplied by you
We may receive information about you which you haven’t provided to us.
This could be, for instance:
- If you have been referred to us for treatment
- If we are dealing with a legal claim to which you are a relevant party
- If we are dealing with the safety, security, health and wellbeing of someone associated with you
- If we are seeking payment for our services from the health care provider in your local area
- If we receive information in the form of an alert or warning and are legally obliged to act on it
We are a teaching hospital
Teaching and research are very important in the NHS and Alder Hey is a teaching hospital. We have a responsibility to the students’ universities and colleges to see that they are properly taught and supervised whilst they are with us.
Our patients have the opportunity to refuse to have any students take part in their treatment
Part of the students’ training may involve reviewing some patient records and test results.
If any of our students or staff involved in any research project would like to use information about individual patients, the patient or their parent/guardian will be informed. Consent from the patient or their parent/guardian will be asked for whenever it may be possible to identify any patient individually.
All students are fully aware that it is their duty to keep any information they use during their training confidential.
Some organisations process information for us
Some facilities at Alder Hey are operated in partnership with private contractors, and information about our patients may be seen by their employees. They are required to work to the same standards of confidentiality as all NHS employees, and we have agreements and contracts in place to ensure these standards are maintained.
If we have an incident or complaint
Sharing information to assess compliance with standards
The Care Quality Commission (CQC) monitor, inspect and regulate NHS services to make sure they meet fundamental standards of quality and safety. The CQC currently inspect NHS hospitals at least once a year against a set of agreed standards. More information about the CQC and the inspection process can be found on the CQC website
As part of the CQC’s inspection, the inspectors may look at a small number of patient notes, incident forms and complaints. None of these documents will be removed from the premises. The aim is to ensure that these documents are managed in accordance with appropriate policies and procedures: for example, whether they are written clearly, signed and dated and stored securely. The inspectors are not concerned with individual patient details.
The Trust may also record telephone conversations for training and monitoring purposes.
Other reasons to share
We may be required to pass on information from which patients can be identified without the patient’s (or their parent/guardian’s) permission. This may be for emergency treatment or for official Health Service statistics or if the law demands it.
Keeping your records up to date
Please help us to keep our information about you up to date by informing us if you change your name, address, GP or contact details
How you can get access to your health record
Patients or their parent/guardian are entitled to apply for access to their health records. You can do this by completing the form on the Trust website or writing to our Access to Health Records Department (at the address below).
What happens if we need to transfer your information abroad?
The Trust do not routinely transfer information outside the United Kingdom but if there is a need to do so we will ensure that the security and protections that are put in place are of equivalent standard to those standards that we would use internally when processing your information.
What if we wish to use your information for another purpose?
If we wish to use your personal information for a new purpose, not covered by this Privacy Notice, then we will provide you with a new notice explaining the new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we ensure there is a legal justification for such processing.
Where the Trust wish to use your information that is for any reason not in line with administering the business of the Trust or complying with a legal obligation, then we will seek your consent to do so.
Further information and contact details
This Privacy Notice only gives general information. You must always discuss the individual treatment of your child with the appropriate member of staff. Do not rely on this Privacy Notice alone for information about your child’s treatment and use of their data. This Privacy Notice can be made available in other languages and formats if requested.
This information is also available via our website shown below.
If you have any concerns about the use of your information please write to: The Caldicott Guardian or to the Data Protection Officer (at the address below) or email either at [email protected]
The Caldicott Guardian is responsible for ensuring information about you is used properly at the Trust.
The Data Protection Officer informs and advises the Trust, monitors compliance, and acts as point of contact for the data subjects and the ICO, on a point of law.
This leaflet only gives general information. You must always discuss the individual treatment of your child with the appropriate member of staff. Do not rely on this leaflet alone for information about your child’s treatment.
This information can be made available in other languages and formats if requested.
PIAG: 59