Privacy Notice for Patients

• Identity details: name, date of birth, NHS Number and contact details such as address, telephone, email address
• 'Next of kin': the contact details of a close relative or friend
• Details of any contact we have had with a patient, such as A&E visits, in-patient spells or clinic appointments
• Results of any scans, X-rays and pathology tests
• Details of any diagnosis and treatment given
• Notes and reports about a patient's health and treatment received, including clinic and operational visits and medicines administered
• Information about any allergies and health conditions.

By providing the Trust with their contact details, patients are agreeing to the Trust using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice-mail or voice-message (telephone or mobile number), by text message (mobile number) or by e mail (e mail address).

The Trust has a duty to:

• Maintain a full accurate record of the care given to a patient
• Keep records confidential, secure, accurate and accessible
• Dispose of your information confidentially when it is no longer needed
• Provide copies of healthcare information in an easy to understand format

Everyone working for the NHS is subject to the Common Law Duty of Confidence the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

Patient information is shared with the clinicians involved in the direct care of patients and also for necessary administration to support that care such as appointment booking and payment.

This sharing is based on the following lawful bases under data protection law:

• Article 6(1)(e) - for the performance of a task carried out in the public interest, or in the exercise of the official authority of the data controller; and
• Article 9(2)(h) - the provision of health or social care or treatment or the management of health or social care systems

Any sharing of information for purposes beyond enabling direct patient care will only occur where advised and consented to by the patient, except in circumstances where the law requires or allows the Trust to act otherwise.

Under the Confidentiality Code of Conduct, all Trust staff are required to protect patient information, to keep patients informed of how their information will be used, and to allow patients to decide about how their information can be shared.

This will be noted in patients' records.

The Trust shares patient information with a range of organisations or individuals for a variety of lawful purposes, and may disclose information to:

• GPs, other NHS staff or private healthcare providers for the purposes of providing direct care and treatment to the patient, including administration
• Junior health and care staff who are involved in your care and are being trained and/or supervised
• Overseas health professionals in an emergency where radiological images need to be assessed in a time-critical situation. This could be within the EU, Australia, Canada or North America
• Social workers or to other non-NHS staff involved in providing healthcare
• Specialist organisations for the purposes of clinical auditing
• Those with parental responsibility for patients, including guardians
• Carers without parental responsibility (subject to explicit consent)
• Medical researchers for research purposes (subject to explicit consent, unless the data is anonymous);
• NHS managers and the Department of Health for the purposes of planning, commissioning, managing and auditing healthcare services
• Bodies with statutory investigative powers - e.g. the Care Quality Commission, the GMC, the Audit Commission, the Health Service Ombudsman
• National generic registries - e.g. the UK Association of Cancer Registries
• Organisations processing data on our behalf for the purposes of your care and managing your appointments
• Organisations providing systems, software or tools for care purposes or for the management of healthcare services, including Cloud providers

Also, where necessary and appropriate, to:

• Non-statutory investigators - e.g. Members of Parliament
• Government departments other than the Department of Health
• Solicitors, the police, the Courts (including a Coroner's Court), and tribunals and enquiries
• The media (normally the minimum necessary disclosure subject to explicit consent)

Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:

• When there is a Court Order
• When there is a statutory power to share patient data
• When the patient has given his/her explicit consent to the sharing
• When the sharing of patient data without consent has been authorised by the Confidentiality Advisory Group of the Health Research Authority (HRA CAG) under Section 251 of the NHS Act 2006

Patient information may be shared, for the purposes of providing direct patient care, with other NHS 'provider' organisations, such as NHS Acute Trusts (hospitals), NHS Community Health (primary care), NHS general practitioners (GPs), NHS ambulance services etc; also, partner organisations including, but not limited to, Medvivo Group (who operate the BSW GP Surgeries) and Virgin Care (who operate community and primary care settings).

The Trust, along with our integrated care alliance partners have launched a coordination centre to help bring together all system partners wrapped around the needs of individual patients in the Swindon and wider localities. The coordination centre allows for patients across our communities to be more easily identified at the earliest opportunity. It also aims to case manage individual patients within the acute Trust, Virtual Ward or community to maintain flow through the system. It also has a key role in providing real time progress on patients who are ready to leave hospital.

The Centre is hosted in the Great Western Hospital and will provide real-time sharing and access to patient information between partners in ambulance and patient transport services, mental health and End of Life care providers, community providers, social care providers and primary care.

The South 4 Pathology Partnership is one of 29 pathology networks nationwide established in 2018 as a means of improving efficiency and removing unwarranted variation in pathology services.

It is a collaborative partnership of four local trusts, all of which supply shared patient care on a routine basis:

• Oxford University Hospitals NHS Foundation Trust (lead trust)
• Buckinghamshire Healthcare NHS Trust
• Great Western Hospitals NHS Foundation Trust
• Milton Keynes University Hospital Foundation Trust

As a means of improving interoperability, efficiency and resilience of services, the Partnership has agreed to replace its current diverse Laboratory Information Management Systems (LIMS) with a single integrated LIMS operating across the four trusts.

Information may also be shared with other organisations in order to protect someone's vital interests under Article 6(1)(d).

This is usually in relation to child or adult safeguarding matters and will be when consent is inappropriate.

The organisations/individuals that may be involved include the Council, Primary Care settings, and BSW Together, including the Named GP for Safeguarding.

This list is not exhaustive and may also include other organisations as required to protect vital interests, such as the police.

In such cases, the shared data must always identify the patient for safety reasons.

When a child is known to social services and is a Looked After Child or on a Child Protection Plan, basic information about that plan is shared securely with the NHS.

This is known as the Child Protection - Information Sharing (CP-IS) project.

The CP-IS project is linking the IT systems used across health and social care and helping organisations to change business processes so this basic information can be shared securely between them.

The information can only be accessed securely by trained professionals involved in a child's care.

For more information, please see the NHS Digital website: Child Protection - Information Sharing project.

The Trust ensures that patient feedback is used to inform improvements and the development of the NHS.

We may share your contact information with an NHS approved contractor for the purpose of administering the survey on our behalf.

For the purposes of commissioning and managing healthcare, patient information may also be shared with other types of NHS organisations, such as the local Integrated Care Boards (ICBs), and the Health & Social Care Information Centre (part of NHS England).

In such cases, the shared data is made anonymous, wherever possible, by removing all patient-identifying details, unless the law requires the patient's identity to be included.

Each financial year the Trust makes a patient level cost submission (PLICS).

This includes pseudonymised patient data for inpatients and outpatients. The scope of the PLICS submission is being expanded each year, driven by NHS Improvement's costing transformation programme.

NHS Improvement have powers under sections 255 and 256(2)(a) of the Health and Social Care Act 2012 to obtain information, which they have enforced.

All NHS Trusts are under a legal requirement to provide this data.

The information gathered from this collection will be used to enable NHS Improvement to perform its pricing and licensing functions under the Act more effectively, including informing new methods of pricing NHS services, contribute to NHS Improvement's strategic objectives and also help trusts to maximise use of their resources and improve efficiencies.

The data will be uploaded securely to NHS Digital, who will collate the data and provide it to NHS Improvement.

The Trust sends routine letters and information electronically where possible.

Many people rely on electronic devices to manage their daily lives and to reflect this and to make our services more efficient, information will be sent via email or text message which would normally have been sent by post.

Some services may ask you to complete a questionnaire or provide information ahead of your future appointments.

The first time we need to contact you, we will ask if you agree to receive communications in this way and you can choose to continue receiving information in the post.

For more information, please see:

• DrDoctor website: We care about your privacy
• Amplitude website: Amplitude's Commitment to Privacy and the GDPR

By agreeing to use DrDoctor, your appointment information will also be available to download and view on the NHS app. No information will be shared unless you choose to view your information in this way. If you select to view your appointment data on the NHS app then the relevant information will be extracted from the DrDoctor system so that you can view and manage your upcoming appointments.

There are clinicians employed by the Trust who cannot see patients face-to-face because of COVID-19 but are able to provide an expert opinion on how to care for patients remotely.

In some clinical settings, the Trust will be using Microsoft HoloLens.

HoloLens is a head-worn computer with a built-in camera that allows a live, encrypted video stream to be transmitted to a remote observer.

A poster will be displayed in areas using HoloLens, and the video stream is not recorded or stored.

The only people who can view the video stream are Trust clinicians who would have normally seen you in person.

In the event that the device wanted to be used to teach medical students, we will ask for your consent first.

Data will be shared with the National Congenital Anomaly and Rare Disease Registration Service (NCARDRS).

NCARDRS is part of the National Disease Registration Service (NDRS), which is part of Public Health England (PHE) and records people with congenital abnormalities and rare diseases across the whole of England.

The sharing will involve NHS England and NHS Improvement.

The registration service provides a resource for clinicians to support high quality clinical practice, including epidemiology and monitoring of the frequency, nature, cause and outcomes of these disorders.

Activity data from a number of sources within the Trust (including the Electronic Patient Record (EPR)) is imported into a system called SLAM. The activity data is grouped by national diagnostic codes and a national tariff applied. This allows invoices to be raised to commissioners for activity undertaken. This process uses a cloud based (hosted) solution – this is in line with the UK government’s ‘cloud first policy’ and the GWH digital strategy. The system is hosted by CIVICA and all data is held within the EU in line with data protection requirements.

For further details, please see the National Disease Registration Service letter dated 30 September 2021.

Health and care organisations across BaNES, Swindon and Wiltshire are working to improve the care our population receives through a wide reaching programme of digital transformation designed to use digital technology to provide better care for local people and use our resources in a more effective and efficient way.

Part of this digital transformation programme is focusing on the development of Integrated Care Records (ICRs).

An ICR enables the different health and care organisations involved in an individual's care to access relevant information about them without the need to access multiple IT systems.

For more information, please see the Bath and North East Somerset, Swindon and Wiltshire ICB website: Your Care Record.

The NHS Federated Data Platform (NHS FDP) is a series of separate data platforms, known as ‘instances’. This hospital trust has its own instance of the NHS FDP which makes it easier for health and care organisations to work together, compare data, analyse it at different geographic, demographic and organisational levels and share and spread new effective digital solutions. The NHS FDP has the ability to connect and share information between health and care organisations when it’s helpful and where legal data sharing agreements are in place. For example, to discharge a patient from hospital into a care setting.

In this Trust, the NHS FDP will be used for inpatient and outpatient care co-ordination and for the RTT (Referral to Treatment Time) validation tool. The respective privacy notices for each of these areas can be reviewed using the links:

• Inpatient Care Coordination Solution FDP Product Privacy Notice
• Outpatient Care Coordination Solution FDP Product Privacy Notice
• Referral to Treatment Validation Tool FDP Product Privacy Notice

The NHS FDP is not a data collection; it is software procured by NHS England that will help to connect disparate sets of data and allow them to be used more effectively for care. If you would like to find out more about this, please visit: NHS England » Data platform frequently asked questions

PHM is aimed at improving the health of an entire population; it is being implemented across the NHS.

It is about improving the physical and mental health outcomes and wellbeing of people and making sure that access to services is fair, timely and equal.

PHM helps to reduce the occurrence of ill-health and looks at all the wider factors that affect health and care.

In most cases, the information used will be anonymised or pseudonymised so that individual patients cannot be identified. For the project reviewing prescribing services, an identifiable dataset will need to be shared in order to link the data with other datasets held by the ICB. Access will be restricted and patients that are part of the National Data Opt Out will not have any data shared. There are strict agreements between the parties to restrict the uses of this data.

The Government has announced a new Data Saves Lives Strategy and stated that:

"Putting this strategy into action will deliver better treatment for patients, better health results for people who need care and support, and better decision making, research, and support for our colleagues on the front line.

"It also sets out how we will support the developers and researchers whom we've all seen have so much potential to transform health and care.

"They save and improve lives, every day."

As a health and care provider, the Trust will be involved in data collection processes and/or data sharing of existing data.

At this trust, we will always ensure that there is a lawful basis to share data, that data protection impact assessments are completed, and that the wishes of our patients are respected.

To view the Government's strategy, please see the UK Government website: Data saves lives: reshaping health and social care with data.

We collect feedback on our services, known as the Friends and Family Test (please see Feedback).

If you have been a patient in one of the applicable areas, then you will be asked for your opinion on the overall service that you received.

This may be via a paper feedback form, a telephone call or an SMS message.

The Trust uses third parties to process this data on our behalf and the feedback collected is anonymous.

In order to provide the service, your phone number will need to be shared with the provider.

If you have opted out of services using your information for secondary uses via the National Data Opt Out then your phone number will not be shared.

(If you want to opt out, please see the NHS Digital website: National data opt-out.)

If you receive a form, a call or a text, you are under no obligation to respond.

The lawful basis for processing this data is Article 6(1) (e) a task carried out in the public interest.

Maternity Services may ask for consent where it is appropriate or possible, but this will be for additional checks and will not be the main lawful basis for using data.

The Trust's registered charity (reference 1050892) is called Brighter Futures.

It supports the staff, patients and families of Great Western Hospital and community health services across Wiltshire.

No patient information or contact information is shared with the charity.

Anyone wishing to donate or register must do this directly with the charity by visiting the Brighter Futures charity website.

For the benefit of the patient, the Trust may also need to share patient health information with non-NHS organisations which are also providing care to the patient.

These may include social services or private healthcare organisations.

However, the Trust will not disclose confidential health information, other than for direct care, to third parties without the patient's explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires disclosure.

Where patient information is shared with other non-NHS organisations, or for reasons other than direct patient care, it is good practice for an information sharing agreement to be drawn up to ensure that information is shared in a way that complies with all relevant legislation.

The possible consequences of refusing consent will be fully explained to the patient at the time, and could include delays in receiving care.

In those instances where the legal basis for sharing of confidential personal information relies on the patient's explicit or implied consent, then the patient has the right at any time to refuse their consent to the information sharing, or to withdraw their consent previously given.

In instances where the legal basis for sharing information without consent relies on HRA CAG authorisation under Section 251 of the NHS Act 2006, then the patient has the right to register their objection to the disclosure, and the Trust is obliged to respect that objection.

In instances where the legal basis for sharing information relies on a statutory duty/power, then the patient cannot refuse or withdraw consent for the disclosure.

NHS Digital has developed a system to support the national data opt-out which will give patients more control over how their identifiable health and care information is used.

The system offers patients and the public the opportunity to make an informed choice about whether they wish their identifiable data to be used just for their individual care and treatment or also used for research and planning purposes. The Trust complies with the national data opt-out.

Patients can view or change their national data opt-out choice at any time by using the online service on the NHS website: Your NHS data matters.

They can also use the postal service or phone the helpline:

NHS Digital Contact Centre
Tel: 0300 303 5678

For more information please see the NHS Digital website: National data opt-out programme.

All patient records are destroyed in accordance with the NHS Retention Schedule, which sets out the appropriate length of time each type of NHS records is retained.

The Trust does not keep patient records for longer than necessary.

All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.

Occasionally measures may have to be put in place to secure the retention of all documents and information relevant to a public inquiry.

In this case, the Trust will not destroy or delete any health records which may be relevant until notified to do so.

If the Trust holds information about a patient, they have the right to:

• Restrict or object to the use of their data in certain circumstances
• Request a copy of their medical records held in paper and/or electronic format (see below)
• Ensure that accurate information is held by the Trust
• Be advised of how long their information will be stored before destruction
• Seek advice from or make a complaint to the Information Commissioner's Office (ICO) who is the UK data protection regulator

If you would like to view or receive a copy of your medical records, please see Health records.

CCTV (closed circuit television) is utilised to protect the safety of our patients, staff and members of the public.

The Trust's security services, including the use of CCTV, are managed by Serco.

The Trust remains the data controller of this data and any disclosures to third parties such as the police, will only be done with the permission of the Trust.

For safety and security reasons, the Serco security personnel will also be using body-worn video cameras while on duty; this follows a three-month trial period.

Recordings will not be continuous and security staff will make an announcement if they need to turn the cameras on.

To maintain privacy and dignity, recordings will not be permitted in areas of the hospital where examinations or procedures are being undertaken or if there is likely to be nudity.

Anyone present may object to the recording but will need to show the need for privacy outweighs the need to protect the general public.

The National Fraud Initiative (NFI) is an exercise that matches electronic data within and between public and private sector bodies to prevent and detect fraud.

From 2017/18, NHS bodies were added to the mandatory list of responders.

The full core datasets required are:

• Trade Creditors History
• Trade creditors standing data

Patients who have a concern about any aspect of their care or treatment at this Trust, or about the way their records have been managed, should contact:

The Patient Advice & Liaison Service (PALS)
PALS Office
Great Western Hospital
Marlborough Road
Swindon
SN3 6BB

Tel: 01793 604031
Email: gwh.pals@nhs.net

Please note that calls to PALS are recorded for security purposes and to protect the safety of our staff, patients and visitors. Recordings may be kept as part of complaint files and/or security files, and where necessary may be shared with third parties such as the police.

If you wish to report a concern or inaccuracy within your record or would like to restrict who your medical data is shared with, please speak to your clinician or contact:

Information Governance
Great Western Hospital
Marlborough Road
Swindon
SN3 6BB

Tel: 01793 605675
Email: gwh.info.gov@nhs.net

Additionally, patients have the right to complain to the Information Commissioner if they should ever be dissatisfied with the way the Trust has handled or shared their personal information:

The Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 or 01625 545745

Or please see the Information Commissioner's Office website.