Patient Privacy Notice

The Royal Devon is one of the highest performing healthcare organisations in Europe with a proven international reputation for its quality of care, information technology, clinical education and training and research. The Trust employs more than 9,500 staff.

Our Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018) and our registration number is:

• NDHT registration number Z7485161
• RD&E registration number Z5368894

For further information please refer to the ‘Information Governance’ page 

The staff caring for you will need to collect and maintain information about your health, treatment and care, so that you can be given the best possible care. This personal information can be held in a variety of formats, including paper records, electronically on computer systems, in video and audio files.

The Royal Devon and the former is a public body established by the NHS Act 2006 as amended by the Health and Social Care Act 2012. As such, our business is based upon statutory powers which underpin the legal bases that apply for the purposes of the GDPR.

The legal bases for the majority of our processing is:

• Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

Where we process special categories data, for example, data concerning including health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the GDPR.

Where we are processing special categories of personal data for purposes related to the commissioning and provision of health services the condition is:

• Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…

The Trust may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. Where we process personal data for these purposes, the legal basis for doing so is:

• Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
• Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
• Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.

Where we process special categories of personal data for these purposes, the legal basis for doing so is:

• Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or
• Article 9(2)(g) – processing is necessary for reasons of substantial public interest.

Personal information about you is collected in a number of ways. This can be from referral details from your GP or another hospital, directly from you or your authorised representative.

We will likely hold the following basic personal information about you:

• your name
• address (including correspondence)
• telephone numbers
• date of birth
• next of kin contacts and your GP details, etc.

We might also hold your email address, marital status, occupation, overseas status, place of birth and preferred name or maiden name.

In addition to the above, we may hold sensitive personal information about you which could include:

• Notes and reports about your health, treatment and care, including:
• • your medical conditions
  • results of investigations such as x-rays and laboratory tests
  • future care you may need
  • personal information from people who care for and know you, such as relatives and health or social care professionals
  • other personal information such as smoking status and any learning disabilities
• Your religion and ethnic origin
• Whether or not you are subject to any protection orders regarding your health, wellbeing and human rights (safeguarding status)

It is important for us to have a complete picture of you as this will assist staff to deliver appropriate treatment and care plans in accordance with your needs.

Your records are used to directly, manage and deliver healthcare to you to ensure that:

• The staff involved in your care have accurate and up to date information to assess and advise on the most appropriate care for you.
• Staff have the information they need to be able to assess and improve the quality and type of care you receive
• Appropriate information is available if you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or health provider

The personal information we collect about you may also be used to:

• Remind you about your appointments and send you relevant correspondence
• Review the care we provide to ensure it is of the highest standard and quality, e.g. through audit or service improvement
• Support the funding of your care, e.g. with commissioning organisations
• Prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies
• Help to train and educate healthcare professionals
• Report and investigate complaints, claims and untoward incidents
• Report events to the appropriate authorities when we are required to do so by law
• Review your suitability for research study or clinical trial
• Contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients

Where possible, we will always look to anonymise/ pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it and we will only use/ share the minimum information necessary.

We may need to share relevant personal information with other NHS organisations. For example, we may share Information Governance – Patient Privacy Notice information with and why? your information for healthcare purposes with health authorities such as NHS England, Public Health England, other NHS trusts, general practitioners (GPs), ambulance services, primary care agencies, etc.

We will also share information with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs. We may need to share information from your health records with other non-NHS organisations from which you are also receiving care, such as Social Services or private care homes. However, we will not disclose any health information to third parties without your explicit consent unless there are circumstances, such as when the health or safety of others is at risk or where current legislation permits or requires it.

There are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

There may also be situations where we are under a duty to share your information, due to a legal requirement. This includes, but is not limited to, disclosure under a court order, sharing with the Care Quality Commission for inspection purposes, the police for the prevention or detection of crime or where there is an overriding public interest to prevent abuse or serious harm to others and other public bodies (e.g. HMRC for the misuse of public funds in order to prevent and detect fraud).

For any request to transfer your data internationally outside the UK/EU, we will make sure that an adequate level of protection is satisfied before the transfer.

The Trust is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to the Trust in confidence will only be used for the purposes explained to you and to which you have consented. Unless, there are exceptional circumstances, such as when the health or safety of others is at risk, where the law requires it or there is an overriding public interest to do so. Where there is cause to do this, the Trust will always do its best to notify you of this sharing.

Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.

We hold and process your information in accordance with the Data Protection Act 2018 as amended by the GDPR 2016, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.

We have a duty to:

• maintain full and accurate records of the care we provide to you
• keep records about you confidential and secure
• provide information in a format that is accessible to you

Use of Email - Some services in the Trust provide the option to communicate with patients via email. Please be aware that the Trust cannot guarantee the security of this information whilst in transit, and by requesting this service you are accepting this risk.

If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 gives you certain rights, including the right to:

• Request access to the personal data we hold about you, e.g. in health records. The way in which you can access your own health records is further explained in our ‘Access Your Personal Data / Health Records’ web page available here
• Request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards. This is also explained in our ‘Data Subject – Individual Rights’ web page available here
• Refuse/withdraw consent to the sharing of your health records: Under the Data Protection Act 2018, we are authorised to process, i.e. share, your health records ‘for the management of healthcare systems and services’. Your consent will only be required if we intend to share your health records beyond these purposes, as explained above (e.g. research). Any consent form you will be asked to sign will give you the option to ‘refuse’ consent and will explain how you can ‘withdraw’ any given consent at a later time. The consent form will also warn you about the possible consequences of such refusal/withdrawal.
• Request your personal information to be transferred to other providers on certain occasions.
• Choose if data from your health records is shared for research and planning purposes: In certain circumstances you may have the right to ‘object’ to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment (e.g. to plan and improve health and care services, to research and develop cures for serious illness). Health and care organisations have to put systems and processes in place so they can be compliant with the national data opt-out and apply your Information Governance – Patient Privacy Notice choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation ‘is currently’ compliant with the national data opt-out policy which allows you to make your choice by using the online service at www.nhs.uk/your-nhs-data-matters or by calling 0300 3035678.
• We will always try to keep your information confidential and only share information when absolutely necessary.

If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter.

Data Protection Officer (Interim) – Phil Milverton

Information Governance Office
Devonshire House
Riverside Road
Barnstaple
EX31 1SW

Email: ndht.dpo@nhs.net

Show more...