How we use your information
Why we need your personal information
We need to be able to provide you with healthcare services. In order to do this we need to be able to collect information about you. This is in accordance with the statutory obligations under the NHS Act 2006, Health and Social Care Act 2012 and Data Protection Act 2018.
The information that we collect is used for medical purposes that include:
- preventative medicine
- medical diagnosis
- medical research
- provision of direct care and treatment
We collect your personal and sensitive information so that your care team has access to accurate and up-to-date information to support you with your treatment.
The new data protection law
The General Data Protection Regulation (GDPR) is a relatively new law which allows and regulates the processing of personal data. This includes where health and social care data are processed by a public authority, such as Southern Health NHS Foundation Trust.
Mental health data is special category data, which requires special protection and is subject to additional controls. Public providers of health and care are expected to:
- demonstrate satisfaction of conditions set out in Article 6 of the GDPR
- satisfy a condition under Article 9 of the GDPR when processing special categories of data, i.e. data concerning health
Under Article 6, processing is permitted where it is:
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e)).
Commercial suppliers that work on behalf of the NHS (e.g. technology third-party suppliers to NHS Trusts), or private sections of public providers may also rely upon an alternative lawful basis. For example, where processing is necessary for the purposes of their ‘legitimate interests’ (Article 6(1)(f)).
Article 9(2) sets out the circumstances in which the processing of special categories of data, including data concerning health, which is otherwise prohibited, may take place. NHS Trusts, as public bodies with healthcare provision as their statutory purpose, may process personal data where necessary to fulfil their public healthcare provision function, provided that they satisfy one of the following conditions:
9(2)(h) – Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
Article 9(2) also sets out the circumstances in which the processing of data concerning health may take place in academic organisations. Universities as public bodies with research either incorporated in their core function or as their statutory purpose may process personal data where necessary to fulfil their public research function, provided that they satisfy one of the following conditions:
9(2)(h) – Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
and
9(2)(i) – Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices.
Article 9 allows for the processing of a special category of personal data for health research where processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. (Article 9(2)(j))
This means that where it is necessary to process special categories of data, such as data concerning health, for research purposes, then that processing is permitted by the GDPR (under Article 9(2)(j)).
What information we collect about you
Category | Data type |
Identifiers | Your name, date of birth, NHS number. |
Contact details | Your address, telephone number, email address (if provided). |
Support contact details | Names, contact details of carers, relevant close relatives, next of kin, representatives. |
Physical, social or mental health situation or condition | Your medical history, treatments, test results, referrals, care plans, care packages, medication, medical opinions and other relevant support you are receiving. |
Protected characteristics | Your ethnicity, religion, sexual orientation, gender, which are required for equality monitoring and ensuring that the services are suitable and provided in the right way. |
Where we get your information from
Most of the information we collect about you is from:
- your GP
- directly from you or a friend or relative
- other health and care organisations
Information also comes from local authorities, schools and other government agencies.
Typically, we can get information by referral. For example, if your GP decides you need an appointment with a mental health team or health and social care professional, they will provide those professionals with necessary information about you so that you can be supported appropriately. This may include identifiers, history, diagnosis and medications. This information is increasingly being made available electronically to improve the quality, safety and speed of delivery of care.
All care professionals and others working with them in care services have a legal duty to keep information about you confidential and secure and only use it for the purposes of providing and improving the care they provide. Similarly, anyone who receives information from us has a legal duty to keep it confidential.
Volunteers
The personal information provided by candidates and volunteers for their applications and registration is used for the purpose stated in each case. The Voluntary Services Department may analyse statistical trends based on the information given; however, this analysis does not include identifiable personal information.
Volunteer records are stored in accordance with the Trust’s Information Governance Policy and will conform to the Data Protection Act 2018.
Other bodies
There are some exceptional circumstances where we must share information about employees with official bodies or other organisations without their express permission. These include circumstances owing to a legal or statutory obligation. These bodies may include:
- Disclosure and Barring Service
- Home Office
- Her Majesty’s Revenue and Customs (HMRC)
- financial institutes, for example banks and building societies for approved mortgage references
- educational, training and academic bodies
- Department for Work and Pensions (DWP)
- Care Quality Commission (CQC)
If you want to complain
If you think that information in your NHS health records is wrong, please talk to the health professional looking after you and ask to have the record amended. You can also ask for the information to be amended by contacting the Information Governance team. You will find contact details in the 'Further information' section.
If your request to have your records amended is turned down because the information is not wrong, we will add a statement of your views to the record.
If you are unhappy with our response, you have the right to complain to the Information Commissioner’s Office (ICO), which regulates and enforces the Data Protection Act. For details of how to do this:
- visit the ICO website at www.ico.org.uk
- telephone 0303 123 1113
Further information
Information Governance Team
Health Records Team
Information Commissioner's Office
0303 123 1114
ico.org.uk