As a Trust, we take your confidentiality and privacy rights seriously. The Trust is the Data Controller of personal data that is collected to help us provide and manage healthcare to  patients and relating to the employment of our staff.

This Privacy Notice explains how we collect, process, transfer and store your personal information and forms part of our accountability and transparency requirements to you under the General Data Protection Regulation/Data Protection Act 2018.

We aim to provide you with the highest quality health care. To do this, we must keep accurate records about you, your health, and the care that we have provided or plan to provide you with.

Our staff are trained to handle your information appropriately and protect your privacy. We aim to maintain high standards, adopt best practices for our record keeping and regularly check and report on how we are doing. Our guiding principle is that we are holding your records in the strictest of confidence.

Your information is never collected for direct marketing purposes and is not sold to any third parties.

Under the Data Protection Act, the Trust must provide a legal basis for the processing of your information without consent.  As the Trust is part of the NHS (which has a public duty to care for its patients), predominantly we will process your information under the following legal basis’:

  • Article 6(e) Necessary for the performance of a task carried out in public interest or in exercise of official authority.

and

  • Article 9(h) Necessary for the provision of health and/or social care, including preventative or occupational medicine.

Should the Trust need to use your personal information for any reason beyond those stated above, we will discuss this with you. You have the right to ask us to not use your information in this way, however there might be times when we are required to share your information; if this is the case, we will discuss this with you.

Communicating about your care within the Trust does not require your consent to process your personal data to deliver your healthcare and treatment. However, you do have the right to object to the processing of your information for purposes other than direct care e.g., performance management of services, external clinical audits. 

Further information https://digital.nhs.uk/services/national-data-opt-out

If you are a patient, NHS staff such as clinical, support workers, administration and other staff involved in your care will keep records about your health and any care or treatment you have received. This will include:

Demographic information

Data Purpose
Name, address, and date of birth

To enable communication to be sent about your care such as appointment letters.

Used to identify you and to distinguish you from other patients. A change of name or incorrect date of birth can result in misidentification; please inform us of any changes to your details.
Telephone numbers

To enable us to contact you about your care.

We will use your mobile telephone number to send text message reminders for any forthcoming appointments.
GP information Letters will be sent to your GP and a copy placed in your manual and electronic record. It is very important that we have your correct GP surgery details to ensure that information about your care is provided to your GP in a timely manner.
Next of kin

A person you would like to be contacted in an emergency.

The person you name as a 'next of kin' has no legal right to any confidential information held by the Trust about you, or to make any decisions relating to your care.

An individual who wishes to make decisions about your care must obtain the appropriate legal Power of Attorney.
Ethnicity We are legally required to collect your ethnicity to ensure that we provide a fair and open service to all patients who require treatment.  As a patient, your ethnicity could have a bearing on the type of illnesses you may be susceptible to.
Disability or language preferences This information is collected to enable the Trust to provide care which meets your needs; for example, accommodating wheelchair users, or providing Interpreters if required.
Religion We offer all patients a chaplaincy service. Your religion is passed onto the chaplains who run this service, who will visit you whilst you are in hospital if this is something that you would like to happen, and to ensure the pastoral and spiritual needs for patients, their families and staff members are adequately supported.

Details about your care and treatment

Data Purpose
Contact with you

The Trust holds manual and electronic information relating to your health and treatment detailing any inpatient, outpatient, and emergency department visits.

Information may include:

  • Clinic visits
  • Stays in hospital
  • Appointment letters
  • Hospital notes
  • X-rays
  • Test results / reports
Your treatment and care To ensure that the treatment and care provided to you by the Trust is appropriate and consistent, a record/details about the treatment and care you have received is kept on your hospital record. This ensures that a full and comprehensive record is available to all clinical staff who are involved with the provision of your care and treatment. 
Results of any x-rays and tests

You may have provided samples e.g., urine or blood etc., which will be processed by the Trust’s Laboratory or if a specialised test is required, this will be sent to a partner laboratory for processing.

The results of these tests and details of the drugs you have been prescribed are recorded by the Trust.

I you have had an x-ray as part of your treatment, the Trust will keep an electronic copy of your x-ray and may need to share this with other NHS Organisations who are involved with your care.  This information will also be included should you need to be transferred/discharged/or require out of hours services.
Relevant information from other NHS Professionals

When you visit your GP and they refer you to Frimley Health for treatment, they will write to the hospital detailing your current medical conditions and the treatment required. This is also the case should another NHS trust refer you to Frimley Health for treatment.

We may also obtain information to assist in giving you the best and most appropriate care from others, for example, health and social care professionals and / or relatives.

 

Our staff will work with you to deliver the best possible care, which will include discussions around the care that you will receive, as we strive to ensure that patients are involved with the decisions being made about their care.  You can also ask during your consultation/treatment whether a relevant member of staff can show you what they are writing in your medical record about the treatment that you are receiving.

Any letters sent to your GP about your care will also be copied to you.

It is good practice for the staff involved in your care within the NHS to discuss and agree with you what they are going to record about you in your record.

Your information is used to review the care you have received and to ensure that the care provided is appropriate, safe and effective.

Therefore, it is vital to ensure that:

  • The care that you have received is recorded correctly and this information will be communicated with your GP.
  • Copies of letters sent to your GP will be saved in your electronic record.
  • Where appropriate, information about your care will be securely shared with other organisations, which will enable the continuation/support of your care, e.g., with other NHS Hospitals, Hospices, Community and Social Services.
  • Assess the quality of care provided.
  • To ensure/facilitate a robust investigation should you or your family have a concern or a complaint about your healthcare that you want to raise.

To help us to monitor our performance, to evaluate, and develop the services that we provide, it is necessary to review and share minimal information.

Type of use Reason
Auditors External auditors will audit the treatment of patients to provide assurance to the Trust and its commissioners on the care and treatment provided to patients. In some instances, the auditors may review a patient’s medical records.
Clinical audits – internally The Trust has an annual clinical audit programme which requires all clinical staff to participate. Clinical staff review medical records to audit the care provided and to identify ways in which to improve future care.
Clinical audits - nationally The Trust is mandated by the Department of Health and Social Care to undertake clinical audits on care delivered to patients. These will be undertaken by clinical staff either employed directly by us, or by external auditing companies. If your data is used for these audits, you will be informed by the clinical team.
Complaints / concerns The Trust will investigate any complaints or concerns that have been raised. Staff within the Trust’s complaints department or legal team will access your medical records and may share this information with other staff as well as external third parties where applicable, e.g., trust solicitors or NHS resolution; your consent will be obtained beforehand.
Manage the services provided by the Trust / delivering the right services to the right patients

Every NHS Trust is performance managed. statistical information about patient care is collated by the Trust, e.g.,

  • Length of time patients are treated in the emergency department.
  • Length of stay in hospital.
  • How long patients have waited for an outpatient appointment.

The Trust will use and share coded patient information to undertake statistical analyses on the management and performance of NHS services locally and nationally.

We use statistical information about patients to improve the services we provide, such as reviewing the length of time a patient has stayed in hospital or the number of hospital infections. The information is coded so that individual patients cannot be easily identified.

NHS England has commissioned the National Clinical Audit and Patient Outcomes Programme (NCAPOP), which has been set up to improve the ‘health outcomes’ of patients through monitoring the care delivered to patients. The Trust participates in this programme which will entail sending surveys and questionnaires to patients about the care and treatment provided by the Trust, which is then shared with NHS England.

To achieve these standards the Trust will work with other NHS organisations to share information relating to patients to provide them with the best possible care e.g., frequent emergency department attenders.

To help ensure the Trust is meeting the needs and satisfaction of the patients it provides care and treatment to, we commission companies to run questionnaires or surveys on the Trust’s behalf; only the minimum information will be securely shared with these companies, who are bound by strict confidentiality clauses.
National end of life care audits / survey A patient’s next of kin may be contacted to ask if they would like to participate in the audit or survey. Participation with these audits, helps the Trust and the NHS to improve end of life care for patients.
NHS spending

The Trust receives payment for the services provided to patients.

Clinical Commissioning Groups (CCG’s) are responsible for paying us for these services. To be paid for the services delivered, information on patient’s treatment needs to be passed onto these CCG’s. 

The information will be coded so that individual patients cannot be identified.

In some cases, the names of the patients will need to be included; for instance, when requesting funding for high-cost drugs, specialised care such as IVF treatment, or for Individual funding requests to the CCG. However, this will be discussed with you before your information is shared.
Patient safety The Trust takes any concerns about patient safety seriously. If an incident occurs which was not expected, this will be investigated. The investigation will be carried out alongside staff that were involved in your care with support from the risk management department.
Research and development Undertaking research is an important element of providing healthcare. Clinical staff are actively encouraged to participate in research trials. The research and development department manages all Trust research projects. Your participation in a research project will only take place with your explicit consent. 
Sharing your information with NHS / external organisations

We will share your information with other organisations, to assist with giving you the best care possible.

When we share your information with these organisations, they are subject to strict information sharing protocols. Anyone who receives information from the Trust has a legal duty to keep your information confidential and secure. Only information that is required and appropriate to support your care and treatment will be provided.

Where we share your information with other organisations that do not form part of your care, your permission will be required before sending the information onto them; unless we have a legal obligation to provide the information, or that it is considered that the interest of the public is of greater importance.

Further information about how / where we share information, can be found in the patient sharing of information document.
Staff training

The Trust partners with several universities / colleges to teach and train students and newly qualified doctors and nurses to help them gain valuable experience and the practice of delivering medical care.

If you do not wish for your medical records to be used for teaching and training new clinical staff, please contact the information governance department.
Surveys

We run surveys such as the Friends and Family Test (FFT) to improve the quality of care and treatment provided to patients.

The Trust will contact patients after they have been discharged from hospital.

 

All staff working for the NHS are bound by strict confidentiality agreements. This means that only staff involved with your care are entitled to access information relating to you, which is detailed within the confidentiality agreements signed by staff as soon as they start working within the Trust.

The Trust ensures that all staff complete annual Information Governance training, which includes the Data Protection legislation and the Common Law Duty of Confidentiality. This ensures staff know and understand that they have an obligation to always keep your information secure and confidential.

All clinical staff are bound by strict professional codes of conduct which incorporate confidentiality clauses. Further information can be found on the British Medical Association (BMA), General Medical Council (GMC) and Nursing and Midwifery Council (NMC) websites.

We audit staff’s access to patient information to ensure that staff continue to abide by the Common Law Duty of Confidentiality.

The Trust’s digital services department has deployed technical security measures to keep your information secure when being stored or transferred electronically, this includes ensuring all security software and encryption is up to date, helping to prevent the risk of a cyber-attack.

If any of your personal information is to be processed overseas e.g., outside of the UK, a full risk assessment would be undertaken to ensure the security of your information.

Data Protection Law gives individuals rights relating to the personal information that we hold about you. These are:

  • To be informed of why, where, and how we use your information

This is detailed in the Patient information Notice that you are reading now.

  • Ask for access to your information

Under the Data Protection Act, individuals have the right to make a Subject Access Request (SAR) which allows you to request a copy of your information that is held by us. There are several ways to request a copy of your medical records:

  • Email
  • Letter
  • Verbal request

You will need to provide documentation to confirm your identity and clarification of the information that you are requesting to support your request. The Access to Health Records Team will ask for the following information:

  • Proof of identity, e.g., copy of your valid passport / driver’s licence.
  • Proof of address, e.g., utility bill dated within the last year.
  • Details of information being requested.

It is important to note that the staff who process your request for information have met you, and we need to ensure that we are providing your confidential information to the correct person.

If you wish for another person to process your request on your behalf, they will need to obtain your written permission to do so before the Trust can provide copies of documentation held in your medical record.

We are legally obliged to respond to your request within a calendar month of receiving both your request and identification. If we do not have the relevant information to process your request, we will contact you to ask for it, as we will be unable to process your request until all relevant information has been received.

The Common Law Duty of Confidentiality continues after death; therefore, the Trust is unable to provide copies of documentation from a deceased patient’s medical record.  These requests will fall under the legislation of the Access to Health Records Act 1990, which has a criterion that must be met before information can be released. The Access to Health Records Team handle these requests and they are assessed on an individual basis; the Team can provide more information upon application.

Any individual requesting information from the Trust who is unhappy with how their request has been managed/processed, is asked to submit their complaint to the Trust’s Data Protection Officer.

Additionally, all individuals have the right to appeal to the Information Commissioner’s Office (ICO), further information can be found at www.ico.org.uk

  • Ask for your information to be corrected if it is inaccurate or incomplete

We have a legal obligation to ensure that your information is accurate and up to date.

Trust staff will check with you that we have the most up to date contact information when you attend your appointment.  You are also able to update your information by:

  • Contacting the Trust’s Data Quality Team
  • Downloading the MyFrimleyHealth App and updating your demographics within the App
  • Ask for your information to be deleted or removed where there is no need for us to continue processing it

We have a legal obligation to store your medical information. The length of time that we store your information is set out by the Records Management Code of Practice 2021. The longest we will keep a patient’s record is 30 years after their care has stopped. For further information on the retention of records within the NHS can be found on the NHS Digital website: https://digital.nhs.uk/codes-of-practice-handling-information

We will not usually delete healthcare related data before the expiration of the relevant retention period. We may also need to retain data for regulatory purposes, or in case you make a legal claim against us.

  • Ask us to restrict the use of your information

In some circumstances, we must ‘pause’ the processing of our use of your personal data if you ask us to. We do not have to comply if we need to retain your personal information if you make a legal claim against us.

  • Object to how your information is used

You have the right to object to the processing of your information in certain circumstances; as the Trust has a legal basis for processing your information to provide direct care, the right to object is limited. The NHS uses coded patient information to support the delivery of healthcare to patients, e.g., performance management of services, planning of NHS Services.  If you wish to find out more information, or do not wish for your information to be used in this way, please visit www.nhs.uk/your-nhs-data-matters.

  • Challenge any decisions made without human intervention (automated decision making)

The Trust does not make any decisions that involve automated decision making.

Contact Details

Throughout this privacy notice we have mentioned the following areas:

Department Purpose Contact details
Access to health records Processing of requests for copies of your information fhft.request.records@nhs.net
Complaints team For the submission of formal complaints to the Trust

Frimley Park – 0300 613 6530

Heatherwood – 0300 615 4081

Wexham Park – 0300 615 4081
Data quality team Updating of incorrect address and contact information

0300 615 3931 and 0300 615 4121

fhft.dataquality@nhs.net

or via the MyFrimleyHealth Records app

Information governance department

Data protection officer

To opt out of how your information is used

To correct inaccurate information

Concerns or queries about how your information is being used		 fhft.information.governance@nhs.net
Patient advice and liaison service (PALS)

Provide information in a format that is accessible to you

(e.g., large type if you are partially sighted)

Frimley Park – 0300 613 6530 
fhft.palsfrimleypark@nhs.net

Wexham Park – 0300 615 3365 
fhft.palswexhampark@nhs.net

 

More information