Privacy and cookies
General Data Protection Regulation 2016 (GDPR)
The General Data Protection Regulation 2016 (GDPR) came into force on 25 May 2018 and it applies to Walsall Healthcare NHS Trust as Data Controller. The legislation will replace current data protection law, giving more rights to individuals and more obligations to organisations processing personal data.
As Data Controller, we determine the purpose and manner of processing personal data for both employees and patients. Where we are responsible for processing personal data on behalf of another data controller we act as a Data Processor.
The Trust has robust processes and systems to support compliance with the new laws, which includes keeping you informed about how your data is used.
The Trust’s policy on the implementation of the GDPR can be found here.
Read more about the legal basis for processing personal and special category data under GDPR here.
Collecting your information
Why do we collect information about you?
The purpose of the NHS is to provide you with the highest quality of health care, and to help us achieve this we must keep records about your health, treatment and care we have provided or plan to provide.
These records are called your healthcare records and may be stored in paper format or electronically. They include:
- Personal details about you, such as name, date of birth, address, NHS number, next of kin and ethnicity
- Details of your hospital appointments/visits
- Notes and reports about your health, treatment and care
- Results of x-rays, scans and tests
- Relevant information from people who care for you such as healthcare professionals
- Information based on the professional opinion of the staff caring for you
It is extremely important that your personal details are accurate and we will often check with you at appointments or visits that these details are correct.
We collect this information to ensure we are providing you with the right care and, should you see another health professional or be referred to another part of the organisation, accurate and up to date information is shared to enable a continuation in the quality of care you receive.
If you are employed by Walsall Healthcare NHS Trust we will have your education, training and employment details, and your financial details.
Who do we collect information from?
Walsall Healthcare NHS Trust will collect data about you in a variety of ways. The main source of collection is directly from you and this is likely to be done either face to face, during a telephone call, or via email.
We may receive information from other organisations that are also required by law to share information about you with us. An example of this could be the Trust receiving a referral for you from your GP, another Trust or any health or social care provider.
Our Trust and our staff may have access to specific clinical systems from other organisations such as the Summary Care Record, in order to access information about you that is relevant to your care. All systems are auditable and access is on a strictly need to know basis.
How long do we keep your information?
We keep your information in accordance with the National Guidance. All our records are destroyed in line with the NHS Retention Schedule, which sets out the appropriate length of time each NHS record is retained.
Records are destroyed confidentially once they reach the end of their retention period. We do not keep your records for longer than is necessary.
For further information please see Record Management Code for Practice for Health and Social Care 2016, retention schedules.
Using your information
How do we use your personal information?
The Trust processes personal information about:
- next of kin;
- employees (including students, apprentices, potential employees and volunteers);
- complainants, enquirers;
- survey respondents;
- professional experts and consultants.
Health professionals caring for you manage information about your health and the care you receive from the NHS. This information is recorded in a healthcare record which is held either manually or electronically. It is important as it helps to ensure that you receive the best possible care from us. Your information is used in the following ways to guide and administer the care you receive:
- To ensure that your health professional has accurate and up to date information to provide a good basis for any treatment or advisory services we provide to you.
- To ensure that full and correct information is available to other healthcare providers from whom you may be receiving treatment.
- To ensure your treatment is safe and effective, and the advice we provide is appropriate and relevant to you.
- To ensure that there is a good basis for referring to and checking on the type and quality of treatment you have received in the past.
- To ensure that your concerns can be properly investigated should you wish to raise a complaint.
Your rights in relation to your personal information
You have a number of rights in relation to your personal information. These are described in detail below:
The right of access
You have a right to request a copy of any of your information held by the Trust. Alternatively, you can request to view the information that relates to you, free of charge.
The Trust does have the right to charge an administration fee in situations where requests are repetitive or are deemed to be excessive. You are required to prove your identity at the time of making your request and provide specific details in relation to the information you require access to.
A Subject Access Request under GDPR will be processed within 30 days. However, this can be extended by up to a further two months, in particular if there is a significant amount of personal data to review. If this is the case, you will be contacted within 30 days.
A Subject Access Request (SAR) can be submitted in relation to your healthcare record.
If you would like further information about accessing your healthcare record please contact the Health Records Manager below:
Tel: 01922 721172 ext. 7458
Walsall Healthcare NHS Trust
Walsall Manor Hospital
The right to object
The right to object means that data should stop being processed if requested. This only applies where data is obtained with your consent. Generally, we rely on our legal basis to process your data and not consent and therefore for healthcare purposes, this right may not apply. However, if your data is used for any other reason this right may apply to you.
The right to rectification
If you believe your personal information may be inaccurate or incomplete, you can make a request to have your information reviewed.
The right to erasure
The right to erasure is also known as the ‘right to be forgotten’. This allows you the right to have your personal data erased. Generally, this right is not available within healthcare data due to the information we process often being essential to us in continuing to provide you with services. You will be notified where the right is available for specific processing activities.
The right to restrict processing
This right enables you to request a restriction or limit to the processing of your personal data. The right is closely linked with the right to rectify and the right to object and will only apply if:
- You believe your personal data is inaccurate and it is verified by the Trust;
- The data has been unlawfully processed;
- The personal data is no longer needed but we need to keep it in order to establish, exercise or defend a legal claim.
The right to data portability
The right to data portability enables you to obtain and reuse your personal data across different services. The process should allow for moving, copying or transfer of personal data from one IT environment to another in a safe and secure way, without hindrance to usability. The right to data portability is not an absolute right and generally will not apply to your healthcare records unless the processing is based on your consent, or processing is carried out by automated means.
Making a complaint
If you have any questions or complaints about your care, please speak to your health professional in the first instance. If this is not resolved to your satisfaction you can contact Patient Relations.
The Data Protection Officer (DPO) is a point of contact for advice and guidance in relation to your rights. The DPO is responsible for monitoring the Trust’s compliance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) 2016 as well as any policies the Trust has in relation to the protection of personal data.
The DPO shall perform their duties in an independent manner with due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
The Data Protection Officer is:
Walsall Healthcare NHS Trust
Walsall Manor Hospital
Tel: 01922 721172 ext. 5806
You also have the right to complain directly to the Information Commissioner’s Office if you feel the Trust has not responded effectively. The Commissioner can be contacted at:
Information Commissioner’s Office