What is a ‘privacy notice’?
A ‘privacy notice’ is a statement issued by South West London Pathology (SWLP) to patients, service users, visitors, carers, the public and staff that describes how we collect, use, retain and share personal information which we hold. It is sometimes also referred to as a Privacy Statement, Fair Processing Statement or Privacy Policy.
This privacy notice is issued by SWLP as a healthcare provider, and covers the information we hold about our patients and other individuals that may use our services.
Why have we issued this privacy notice for our patients and service users?
To illustrate our commitment to openness and accountability, we recognise the importance of protecting personal and confidential information in all that we do, and take care to meet our legal and other duties, including compliance with the following:
- Data Protection Act 2018
- General Data Protection Regulations 2016
- Human Rights Act 1998
- Access to Health Records Act 1990
- Freedom of Information Act 2000
- Health and Social Care Act 2012, 2015
- Public Records Act 1958
- UK Policy Framework for Health and Social Care Research
- Copyright Design and Patents Act 1988
- Re-Use of Public Sector Information Regs 2004
- Computer Misuse Act 1990
- Common Law Duty of Confidentiality
- NHS Care Records Guarantee for England
- Social Care Records Guarantee for England
- International Information Security Standards
- Information Security Code of Practice
- Records Management Code of Practice
- Accessible Information Standards.
Who are we and what do we do?
South West London Pathology is an award-winning pathology partnership set up by St George’s University Hospitals NHS Foundation Trust, Kingston Hospital NHS Foundation Trust and Croydon Health Services NHS Trust to provide a single, integrated pathology service across South West London and beyond.
We are governed and monitored by a number of different organisations, including:
- Department of Health
- Information Commissioner’s Office
- Care Quality Commission
- NHS England
- United Kingdom Accreditation Service
- Medicines and Healthcare products Regulatory Agency.
What information do we collect?
The information that we collect about you may include the following:
- name, NHS number, address, telephone, email, date of birth and next of kin
- details and records of treatment and care, notes and reports about your health, including medications, allergies or health conditions
- results of x-rays, scans, blood tests, etc
- other relevant information from people who care for you and know you well, such as health professionals, relatives and carers.
- We may also collect other information about you, such as your sexuality, race or ethnic origin, religious or other beliefs, Power of Attorney Status / Deputyship under the Mental Capacity Act (Health and Personal Welfare) and whether you have a disability or require any additional support with appointments (like an interpreter or advocate).
What is our lawful basis for collecting and processing your personal data?
The lawful bases for SWLP as a public authority for processing information for your individual care under the General Data Protection Regulation 2016 are as follows:
As a public authority, the collection and use of your personal data is necessary for the provision of quality care and is in the public interest and exercising our official authority as a healthcare provider. This is known as our “legal basis” for the collection and processing of personal data under current data protection regulations Article 6(1) (e) of the GDPR.
We may also need to provide health services necessary to protect the life of a patient or another natural person. The legal basis we rely on in this circumstance can be found under GDPR Article 6(1) (d).
Special category data such as health data is personal data which the GDPR deems more sensitive, and therefore requires additional privacy. In addition to the above, the following are the lawful bases relied upon in the processing of special category data.
For the processing of special category data for medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, the legal basis we rely on in this circumstance can be found under GDPR Article 9(2) (h).
Where we collect personal data for the purpose of research, the legal basis relied upon is Article 9(2) (j): “the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes…”
In the protection of vulnerable people from harm, the lawful basis relied on can be found in Article 9(2)(b) ‘… is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of… social protection law in so far as it is authorised by Union or Member State law..’
There is also other legislation in place that determines our functions and which may allow us to process data outside of the provisions identified above.
Why do we collect your information?
We collect personal and confidential information about you to support the delivery of appropriate healthcare and treatment. This includes researching new treatments and how we deliver better healthcare. In order to provide you with high quality care, we must keep records about you, your health and the care that we provide, or plan to provide to you. It is important for us to have a complete picture as this information enables us to provide the right care to meet your individual needs.
How do we collect information?
Information is collected in a number of ways: via your healthcare professional, through referral details from your GP, or directly from you.
How do we use your information and why is this important?
We use your information to ensure that:
- the right decisions are made about your care
- your treatment is safe and effective
- we can work well with other organisations that may be involved in your care.
This is important because having accurate and up-to-date information will assist us in providing you with the best possible care. It also ensures that all information is readily available if you see another health professional or specialist within our trust or another part of the NHS. There is also the potential for your information to help improve health care and other services across our trust and the wider NHS.
Therefore, your information may also be used to help with:
- ensuring that our services can be planned to meet the future needs of patients
- reviewing the care provided to ensure it is of the highest standard possible, improving individual diagnosis and care
- evaluating and improving patient safety
- training other healthcare professionals
- conducting clinical research and audits, and understanding more about health risks and causes to develop new treatments and disease prevention
- preparing statistics on NHS performance and monitoring how we spend public money
- supporting the health of the general public
- evaluating Government and NHS policies.
Some of this information will also be held centrally by the NHS where it is used for statistical purposes in order to plan ahead. This is known as secondary use. Strict security measures are taken to ensure that individual patients cannot be identified.
Anonymous statistical information may also be passed to organisations with a legitimate interest in health care and its management, including universities, community safety units and research institutions.
Where it is not possible to use anonymous information, personally identifiable information may be used for essential NHS purposes such as research and auditing. This will only be done with your consent, unless the law permits the information to be passed on to improve public health or the research has been approved by the Confidentiality Advisory Group (a national body made up of ethicists, data protection experts as well as lay people).
How do we keep your information safe and maintain confidentiality?
Your information may be stored within electronic or paper records, or a combination of both. All our records are restricted so that only those individuals who have a need to know the information can get access. This might be through the use of technology or other environmental safeguards.
Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.
Under the Data Protection Act 2018, strict principles govern our use of information and our duty to ensure it is kept safe and secure.
Under the NHS Confidentiality Code of Conduct, all of our staff are required to protect information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
Do we share your information with anyone else?
We work with a number of other NHS organisations, and independent treatment centres and clinics, in order to provide you with the best possible care. To support this, your information may be securely shared with other organisations.
For your benefit, we may also need to share some of your information with authorised non-NHS authorities and organisations involved in your care. This might include organisations such as:
- local councils
- social services
- education services
- the police
- voluntary and private sector providers
- private healthcare companies.
However, any sharing of information will always be governed by specific rules and laws.
In addition, information about you may be used for research purposes. In most instances the information will be made anonymous so that you cannot be identified. If this is not possible, we will ask your permission or request approval from the Health Research Authority’s Confidentiality Advisory Group. If you don’t want information about you to be used for research, please speak to the clinical team who are treating you.
We outsource a limited number of administration and IT support services to external organisations. These companies are based within the European Economic Area and all services are provided under specific contractual terms, which are compliant with UK data protection legislation.
Only organisations with a legitimate requirement will have access to your information and only under strict controls and rules. We will not sell your information for any purpose, and will not provide third parties with your information for the purpose of marketing or sales.
Mandatory information sharing
Sometimes we are required by law to disclose or report certain information which may include details which identify you. However, this is only done after formal authority by the Courts or by a qualified health professional.
This may include reporting a serious crime or identification of an infectious disease that may endanger the safety of others. Where this disclosure is necessary, only the minimum amount of information is released.
There may also be occasions when SWLP is reviewed by an independent auditor, which could involve reviewing randomly selected patient information to ensure we are legally compliant.
Clinical training, research and audit
Some health records are needed to teach student clinicians about rare cases and diseases. Without such materials, new doctors and nurses would not be properly prepared to treat you and others. It is also possible that individuals, such as student nurses, medical students and healthcare cadets, are receiving training in the service that is caring for you. If staff would like a student to be present, they will always ask for your permission and you have the right to refuse without this affecting the care or treatment that you are receiving.
We also undertake clinical research and audits within SWLP to benefit and advance healthcare and its management in the UK. Your permission may be required for some of this work. If you agree to be involved, a full explanation will be given and your consent will be obtained before proceeding. Your consent may not be required if the information being used has been anonymised. This means that it cannot be used to identify an individual person.
How long do we keep your information?
Health records must be retained in accordance with the periods stipulated in the Information Governance Alliance: Records Management Code of Practice for Health and Social Care 2016. The retention of records is dependent on various factors such as type of service, continuity of care, litigation, last hospital attendance etc. and is set by NHS Digital.
Health records will be retained in line with SWLP’s retention policy and may be kept in perpetuity, if required. Decisions to retain records for longer than the periods stipulated must be approved by SWLP senior management.
What are your rights?
- You have the right to know how we will use your personal information.
- You have the right to see your health record (your medical notes); this is known as a Right of Data Subject Access.
- You have the right to object to us making use of your information.
- You can ask us to change or restrict how we use your information and we will agree if possible.
- You have the right to ask for your information to be changed if it is incorrect, and erased, under certain conditions.
How can you get access to the information that we hold about you?
Under the terms of the Data Protection Act 2018, the General Data Protection Regulations 2016 and Access to Health Records Act 1990, you have the right to request access to the information that we hold about you.
Before any disclosure is made, we will need to receive proof of your identity (this is to protect your confidentiality) and your completed application. The form, along with the instructions for completion, is below.
Application for access to health records
Please send or email your completed application form and all relevant paperwork to the address or email below:
Medico Legal & Access Team
St George’s University NHS Foundation Trust
Blackshaw Road
London
SW17 0QT
Telephone: 020 8725 0508
Email: stgh-tr.mlat@nhs.net
How can you contact us with queries or concerns about this privacy notice?
If you have any queries or concerns regarding the information that we hold about you or you have a question regarding this privacy notice, please contact our Information Governance team at:
St George’s University Hospitals NHS Foundation Trust
Blackshaw Road
Tooting
London
SW17 0QT
Telephone: 020 8767 21255
Email: Data.Protection@stgeorges.nhs.uk
How can you make a complaint?
You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. We would recommend contacting our Information Governance team initially to talk through any concerns that you have.
It may also be possible to resolve your concerns through a discussion with our Patient Advice and Liaison Service (PALS) before (or without the need to start) a more formal process:
Complaints and Improvements Department
St George’s Healthcare NHS Trust
St George’s Hospital
Blackshaw Road
London
SW17 0QT
Telephone: 020 8725 2453
Email: pals@stgeorges.nhs.uk
Alternatively, you can contact the trust’s Head of Patient Experience who investigates complaints from patients and their relatives:
St George’s Healthcare NHS Trust
St George’s Hospital
Blackshaw Road
London
SW17 0QT
Telephone: 020 8672 1255
Email: complaints.compliments@stgeorges.nhs.uk
If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office (ICO).
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
You can also find details of our registration with the Information Commissioner online.
Our ICO registration number is Z6900098.
Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly. Please see the website above for further advice.