
Privacy Notice
The General Data Protection Regulation 2016 (GDPR) gives individuals transparency and control over the way in which their personal data is used. Personal data is any information that can be used to identify you. This notice is a statement by the Royal Orthopaedic Hospital setting out the ways in which we use, disclose and manage your information. It fulfils a legal requirement to inform you, as the patient, what happens to your personal information and what rights you have in relation to that data.
What kind of information do we collect about you?
We want to give you safe and effective care and to do this we need to keep records about your health and any care you receive from the Royal Orthopaedic Hospital. This is your health record which may be stored in a paper form or on computer systems and will include:
- Basic details such as your name, address, date of birth, NHS number, gender, next of kin, and ethnicity
- Details of your hospital appointments/visits
- Notes and reports about your health, treatment and care
- Results of x-rays, scans and laboratory tests
- Information from health professionals and relatives
We will check your personal details with you when you come to the hospital; please let us know of any changes. We use your mobile number to send you text message reminders a few days before your appointments. If you do not wish to receive text messages, please let us know.
Where do we collect information from?
We will collect data about you in a number of ways. The main method of collection is from you directly.
Face to face:
Most of the information we hold about you will be collected from you at the time you engage with our service. Any data provided will be used for the reasons listed in this notice, and only relevant data will be requested and recorded.
Telephone calls:
The information you disclose over a telephone call may be recorded by the Royal Orthopaedic Hospital, either to support your care or as a record of the conversation. We will inform you if we record or monitor any telephone calls you make to, or receive from, us. This is to increase your security, for our record keeping of the phone call, and for training and quality purposes.
Emails:
If you email us we may keep a record of your contact plus any attachments and your email address for our record keeping.
Other organisations:
We may receive information from other organisations that are also required by law to share information with us about you, to help us have a full picture of your needs and provide you with care, including referrals. We may receive referrals or a transfer of your notes to specific specialties as a result of your care being transferred to our organisation. This can be from another hospital provider, your GP or any health or social care provider initiating a referral.
The Royal Orthopaedic Hospital and its staff may have access to specific clinical systems from other organisations, such as the Summary Care Record or other clinical systems, in order to access information about you that is relevant to your care delivery. All such systems are auditable and access is on a need-to-know basis.
Why do we collect information about you?
We need accurate and up-to-date information about you so that we can give you the best possible care and have full information available should you need to see another doctor or be referred to another part of the NHS. We also want to make sure we contact you at the right address and phone number.
How do we use your information?
Your records are used to direct, manage and deliver your care so that:
- Clinical staff involved have accurate and up-to-date information to assess your health and decide on the best care for you.
- Administrative staff can arrange your appointments, deal with queries, produce letters etc.
- Information can be passed to other health and care providers involved in your care.
We also use information we hold about you to:
- Review the care we give you to make sure it is of the highest standard and quality and meets patients’ needs in the future.
- Help train and educate healthcare professionals.
- Conduct patient satisfaction surveys about the services and care you had so we can improve the way we deliver healthcare to you and other patients, for example, the Friends and Family Test.
- Inform you about resources or help to support your care.
- Investigate patient queries, complaints and legal claims.
- Ensure the hospital receives payment for the care you receive.
- Assess our performance.
- Audit NHS accounts and services.
- Review your suitability for research studies or clinical trials.
- Contact you about Foundation Trust membership.
- Carry out important health research.
We will not contact you with marketing material.
More information about how and why patient data is used can be found here: https://understandingpatientdata.org.uk/what-you-need-know
Who do we share information with?
We will share your information with other health and social care professionals directly involved in your care. For example, every time you attend the hospital as a patient, we will send your GP a summary of any diagnoses, test results or treatment given.
We are part of the West Midland Shared Care Record which means we can share your healthcare information with health and social care staff in other locations providing your health care. Access is strictly controlled to only those directly involved in your care. You have the right to object and opt out of this sharing, but please talk to your clinician first who will explain how this may affect you. Please be aware that if you make this choice we may not be able to give you the best care. However, we will respect your choice unless there are legal reasons why we can’t. For more information go to: Shared Care Record :: Birmingham and Solihull ICS
We may share information about you with the following agencies in order to support the delivery of your care:
- Department of Health and other NHS bodies
- Integrated Care Board
- Other providers involved in your care, such as hospitals
- GPs
- Ambulance service
- Mental health services
- Social services
We may also share your information, with your consent and subject to strict sharing protocols about how it will be used with:
- Education services
- Local authorities
- Voluntary sector providers
- Private sector e.g. care homes
We may also share your information with others that need to use records about you to carry out the following:
- Check the quality of treatment or advice we have given you
- Protect the health of the general public e.g. national registries
- Manage the health service
- Help investigate any concerns or complaints you or your family have about your healthcare
- Confirm entitlement to NHS care, e.g. for overseas visitors
- Confirm eligibility for benefits.
There are some circumstances in which we may need to share personal data with a law enforcement authority to enable it to carry out its law enforcement functions:
- Where we want to proactively share personal data; for example, we need to report a crime to the police and provide relevant personal data that we hold;
- Where we receive a request from a law enforcement authority for personal data that we hold; for example, the police may request personal data from us to help them investigate a crime; or
- Where a court order or another legal obligation compels us to share personal data with a law enforcement authority.
We sometimes work with other providers of healthcare services to bring you new technologies that help us offer you a better service and a better care experience. There will be rigorous protocols or agreements in place to govern the sharing of data and to ensure it is adequate and relevant to the purposes listed above.
Some information we have to share is used for statistical, research or audit purposes and in these instances, we take strict measures to ensure that individual patients cannot be identified and use anonymisation and pseudonymisation techniques to protect your identity.
Anyone who receives information from us has a legal duty to keep it confidential and secure and your information is always transferred securely.
National Data Opt Out
The information collected about you when you use the Royal Orthopaedic Hospital services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed. Confidential patient information about your health and care is only used like this where allowed by law.
If you are happy with this use of information you do not need to do anything. However, there is a National Data Opt-Out programme through which you can choose to opt out of your confidential patient information being used for research and planning. If you do want to opt out, you can record your objection with the National Data Opt-Out scheme. To find out more or to register your choice to opt out, please visit Overview – Choose if data from your health records is shared for research and planning - NHS (www.nhs.uk). You can change your mind about your choice at any time.
More information about patient data being used for research can be found here: https://www.hra.nhs.uk/information-about-patients/
Your rights
Below is a list of the rights you have in relation to your data and when they apply. To make an application for any of the below rights please contact the Governance team on r
Right to rectification: If you believe your information is inaccurate or incomplete you can ask to have your information reviewed. If your clinician is concerned that by changing your information it could cause you or our staff harm we will not be able to change it but we will document your objection in your records if needed.
Right to erasure: The right to erasure is also known as the ‘right to be forgotten’ and gives you the right to have personal data erased although, generally, this right is not available for health care data.
Right to object: The right to object to processing means that data should cease to be processed. This right applies only where data is obtained with your consent, e.g. for research. In most cases, we process your data for care purposes under the legal basis of public task (not consent), therefore, this right may not apply. You can ask us not to share your health record, even with other clinicians involved in your care e.g. your GP. Where possible we will respect your wishes unless we feel that this would cause you harm.
Right to Restrict Processing: The right to restriction allows you to request the restriction or suppression of your personal data. This right is closely linked with the right to rectify and the right to object and will only apply if:
- you contest the accuracy of your personal data and the accuracy is being verified by the Royal Orthopaedic Hospital;
- the data has been unlawfully processed and you oppose erasure and request restriction instead;
- the personal data is no longer needed but we need to keep it in order to establish, exercise or defend a legal claim.
Right to Access: You have the right to request a copy of any information held by the Royal Orthopaedic Hospital, as well as any supplementary information. See Royal Orthopaedic Hospital - Requesting Medical Records for details on how to request your information.
Right to Data Portability
The right to data portability allows you to obtain and reuse your personal data across different services and should allow for moving, copying or transfer of personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The right to data portability is not an absolute right and generally will not apply to your health care record unless:
- The processing is based on your consent or in the performance of a contract;
- When processing is carried out by automated means.
Right not to be Subject to Automated Decision Making/Profiling:
Profiling is automated processing of personal data to evaluate certain things about an individual. The Royal Orthopaedic Hospital may use profiling techniques for health care planning purposes. An example of this type of processing is the process of risk stratification of patients based on frequency of attendance.
How do we keep your records confidential?
Information you give to us in confidence will only be used for the reasons given above and to which you have agreed, unless there are other circumstances covered by the law. All our staff must protect your information, inform you how your information will be used and allow you to decide if and how your information can be shared. All manual and computerised records are stored in secure environments with access strictly controlled. If someone other than you (e.g. relative or friend) contacts us to find out about your care or treatment we will not be able to talk to them unless we have your permission (apart from parents/guardians of children who are recorded as next of kin) and we will ask for confirmation of identification.
How long do we retain your records?
All our records are destroyed in accordance with the national Records Management Code of Practice 2023, and we will not keep your records for longer than necessary. Records are destroyed confidentially once their retention period has been met and the Royal Orthopaedic Hospital has decided that the records are no longer required.
Our Legal Basis for Processing your Information
Under the General Data Protection Regulation, the ‘lawful bases’ that the Royal Orthopaedic Hospital generally relies on to process and use your information are:
- Article 6(1)(e): “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
- Article 9(2)(h): “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”
The table below identifies other reasons that we may process personal data and the law that supports this. For each type of processing it gives the GDPR Article 6 condition for personal data, the GDPR Article 9 condition for special categories (sensitive data), and the statutory basis or other relevant conditions.
Lawful basis for direct care and administrative purposes:
- Article 6 condition: 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9 condition: 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
- Statutory basis: NHS Trusts: National Health Service and Community Care Act 1990
Lawful basis for commissioning and planning purposes:
- Article 6 condition: where the collection or provision of data is a legal requirement, for example where NHS Digital is directed to collect specified data and can require specified organisations to provide it.
- Article 9 condition: 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
- Statutory basis: Commissioners may receive personal data in support of commissioning where confidentiality is set aside by provisions under the Health Service (Control of Patient Information) Regulations 2002, commonly known as ‘section 251 support’. This support does not remove the need for GDPR compliance.
Lawful basis for research:
- Article 6 condition: 6(1)(f) ‘…legitimate interests…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject…’
- Article 9 condition: 9(2)(j) ‘…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate…and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject…’
- Statutory basis: A pre-condition of applying Article 9(2)(j) is that the processing has a basis in UK (or EU) law. This basis will include compliance with the common law duty of confidence, the provisions of DPA18 that relate to research, statistical purposes etc., and other relevant legislation, for example section 251 support.
Lawful basis for regulatory and public health functions:
- Article 6 condition: 6(1)(c) ‘…necessary for compliance with a legal obligation…’
- Article 9 condition: 9(2)(i) ‘…necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’
- Statutory basis: Health Protection (Notification) Regulations 2010; Public Health (Control of Disease) Act 1984, as amended by the Health and Social Care Act 2008
Lawful basis for safeguarding:
- Article 6 condition: 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’
- Article 9 condition: 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of…social protection law in so far as it is authorised by Union or Member State law…’
- Statutory basis: Children Acts 1989 and 2004, and the Care Act 2014
Lawful basis for employment purposes:
- Article 6 condition: 6(1)(b) ‘…for the performance of a contract to which the data subject is party…’
- Article 9 condition: 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law…’
- Statutory basis: Safeguarding Vulnerable Groups Act 2006, as a basis for Disclosure and Barring Service (DBS) checks and other processing of such data
We have an additional requirement under the Common Law Duty of Confidentiality to keep your personal information confidential and to obtain your consent to use and share it. This includes implied consent: for example, when your GP sends us a referral it is implied that we can use and store that information. We will ask for your explicit consent before using your information for purposes other than your healthcare, e.g. research.
Further information
The hospital is the Data Controller responsible for keeping your information confidential and is registered with the Information Commissioner - Ref. No. Z8937486
Key roles in the Royal Orthopaedic Hospital are:
- Data Protection Officer - Associate Director of Governance/Company Secretary: Ensuring the Royal Orthopaedic Hospital's compliance with data protection legislation
- Caldicott Guardian – Medical Director: Responsible for protecting patient confidentiality and ensuring we share patients’ information securely and legally
- Senior Information Risk Owner (SIRO) – Executive Director of Finance and Performance: Accountable for the management of all our information systems and the data they hold
- Information Governance Manager: Day to day role to ensure security and confidentiality of patient information
Complaints
If you have any questions or concerns regarding how your data is being processed, please contact the Data Protection Officer or Information Governance Manager:
Email:
Tel: 0121 685 4000
Address:
The Royal Orthopaedic Hospital,
Bristol Road South,
Northfield,
Birmingham,
B31 2AP
You also have a right to complain directly to the Information Commissioner’s Office if you feel the Royal Orthopaedic Hospital has not responded effectively to any of the above.
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk
Other useful contacts
Subject Access Requests:
You have the right to request a copy of any information held by the Royal Orthopaedic Hospital as well as any supplementary information. See Royal Orthopaedic Hospital - Requesting Medical Records for details on how to request your information
Email:
Tel: 0121 685 4000
PALS:
Address for Subject Access Requests and PALS:
The Royal Orthopaedic Hospital,
Bristol Road South,
Northfield,
Birmingham,
B31 2AP