Privacy Notice for Patients

This page describes how Great Western Hospitals NHS Foundation Trust uses and manages the information it holds about its patients, including how the information may be shared with other NHS organisations and with non-NHS organisations, and how the confidentiality of patient information is maintained.

The Trust collects and holds personal data about its patients for the purposes of providing them with appropriate care and treatment.

The Trust keeps records about the health care and treatment it provides to its patients.

This helps to ensure that there is a sound basis for all health decisions made by a healthcare professional, that the care provided is safe and effective and that the Trust can work effectively with others providing patients with care.

We may use your information to:

  • Assess the quality of care the Trust provides
  • Protect the health of the general public, for example by reporting infectious diseases
  • Monitor NHS spending, including accounts and auditing and to secure funding for clinical services
  • Manage health services
  • Help investigate any concerns or complaints a patient or their family may have about their healthcare
  • Report fraudulent claims for NHS treatment.

The Trust is registered with the Information Commissioner's Office as a Data Controller: reference Z4953683.

Patients have the right to access personal information about them held by the Trust, either to view the information in person, or to be provided with a copy (see below).

What kind of information the Trust holds about patients

  • Identity details: name, date of birth, NHS Number and contact details such as address, telephone, email address
  • 'Next of kin': the contact details of a close relative or friend
  • Details of any contact we have had with a patient, such as A&E visits, in-patient spells or clinic appointments
  • Results of any scans, X-rays and pathology tests
  • Details of any diagnosis and treatment given
  • Notes and reports about a patient's health and treatment received, including clinic and operational visits and medicines administered
  • Information about any allergies and health conditions.

By providing the Trust with their contact details, patients are agreeing to the Trust using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice-mail or voice-message (telephone or mobile number), by text message (mobile number) or by e mail (e mail address).

How patient records are kept confidential

The Trust has a duty to:

  • Maintain a full accurate record of the care given to a patient
  • Keep records confidential, secure, accurate and accessible
  • Dispose of your information confidentially when it is no longer needed
  • Provide copies of healthcare information in an easy to understand format

Everyone working for the NHS is subject to the Common Law Duty of Confidence the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

Patient information is shared with the clinicians involved in the direct care of patients and also for necessary administration to support that care such as appointment booking and payment.

This sharing is based on a hospital performing its intended function in the public interest.

Any sharing of information for purposes beyond enabling direct patient care will only occur where advised and consented to by the patient, except in circumstances where the law requires or allows the Trust to act otherwise.

Under the Confidentiality Code of Conduct, all Trust staff are required to protect patient information, to keep patients informed of how their information will be used, and to allow patients to decide about how their information can be shared.

This will be noted in patients' records.

How patient records are shared

The Trust shares patient information with a range of organisations or individuals for a variety of lawful purposes, and may disclose information to:

  • GPs and other NHS staff for the purposes of providing direct care and treatment to the patient, including administration
  • Social workers or to other non-NHS staff involved in providing healthcare
  • Specialist organisations for the purposes of clinical auditing
  • Those with parental responsibility for patients, including guardians
  • Carers without parental responsibility (subject to explicit consent)
  • Medical researchers for research purposes (subject to explicit consent, unless the data is anonymous);
  • NHS managers and the Department of Health for the purposes of planning, commissioning, managing and auditing healthcare services
  • Bodies with statutory investigative powers - e.g. the Care Quality Commission, the GMC, the Audit Commission, the Health Service Ombudsman
  • National generic registries - e.g. the UK Association of Cancer Registries
  • Organisations processing data on our behalf for the purposes of your care and managing your appointments

Also, where necessary and appropriate, to:

  • Non-statutory investigators - e.g. Members of Parliament
  • Government departments other than the Department of Health
  • Solicitors, the police, the Courts (including a Coroner's Court), and tribunals and enquiries
  • The media (normally the minimum necessary disclosure subject to explicit consent)

Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:

  • When there is a Court Order
  • When there is a statutory power to share patient data
  • When the patient has given his/her explicit consent to the sharing
  • When the sharing of patient data without consent has been authorised by the Confidentiality Advisory Group of the Health Research Authority (HRA CAG) under Section 251 of the NHS Act 2006

Patient information may be shared, for the purposes of providing direct patient care, with other NHS 'provider' organisations, such as NHS Acute Trusts (hospitals), NHS Community Health (primary care), NHS general practitioners (GPs), NHS ambulance services etc.

In such cases, the shared data must always identify the patient for safety reasons.

For the purposes of commissioning and managing healthcare, patient information may also be shared with other types of NHS organisations, such as the local Clinical Commissioning Group (CCG), and the Health & Social Care Information Centre (part of NHS England).

In such cases, the shared data is made anonymous, wherever possible, by removing all patient-identifying details, unless the law requires the patient's identity to be included.

In August 2019 the Trust will make a patient level cost submission (PLICS).

This will include patient identifiable data for inpatients and outpatients on 2018/19 financial year's data.

NHS Improvement have powers under sections 255 and 256(2)(a) of the Health and Social Care Act 2012 to obtain information, which they have enforced.

The Trust is under a legal requirement to provide this data.

The information gathered from this collection will be used to enable NHS Improvement to perform its pricing and licensing functions under the Act more effectively, including informing new methods of pricing NHS services, contribute to NHS Improvement's strategic objective of a 'single national cost collection by 2020' and also help trusts to maximise use of their resources and improve efficiencies.

The data will be uploaded securely to NHS Digital, who will collate the data and provide it to NHS Improvement.

From June 2019 the Trust will be sending routine letters and information electronically where possible.

Many people rely on electronic devices to manage their daily lives and to reflect this and to make our services more efficient, information will be sent via email or text message which would normally have been sent by post.

The first time we need to contact you, we will ask if you agree to receive communications in this way and you can choose to continue receiving information in the post.

For more information, please see the DrDoctor website: We care about your privacy (https://my.drdoctor.co.uk/privacy).

Brighter Futures - the Trust's charity

The Trust's registered charity (reference 1050892) is called Brighter Futures.

It supports the staff, patients and families of Great Western Hospital and community health services across Wiltshire.

No patient information or contact information is shared with the charity.

Anyone wishing to donate or register must do this directly with the charity by visiting the Brighter Futures charity website (www.brighterfuturesgwh.nhs.uk).

Information sharing with non-NHS organisations

For the benefit of the patient, the Trust may also need to share patient health information with non-NHS organisations which are also providing care to the patient.

These may include social services or private healthcare organisations.

However, the Trust will not disclose confidential health information, other than for direct care, to third parties without the patient's explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires disclosure.

Where patient information is shared with other non-NHS organisations, or for reasons other than direct patient care, it is good practice for an information sharing agreement to be drawn up to ensure that information is shared in a way that complies with all relevant legislation.

Refusing or withdrawing consent for using patient information

The possible consequences of refusing consent will be fully explained to the patient at the time, and could include delays in receiving care.

In those instances where the legal basis for sharing of confidential personal information relies on the patient's explicit or implied consent, then the patient has the right at any time to refuse their consent to the information sharing, or to withdraw their consent previously given.

In instances where the legal basis for sharing information without consent relies on HRA CAG authorisation under Section 251 of the NHS Act 2006, then the patient has the right to register their objection to the disclosure, and the Trust is obliged to respect that objection.

In instances where the legal basis for sharing information relies on a statutory duty/power, then the patient cannot refuse or withdraw consent for the disclosure.

The National Data Opt-out

NHS Digital is developing a new system to support the national data opt-out which will give patients more control over how their identifiable health and care information is used.

The system will offer patients and the public the opportunity to make an informed choice about whether they wish their identifiable data to be used just for their individual care and treatment or also used for research and planning purposes.

Please see:

How long health records are retained

All patient records are destroyed in accordance with the NHS Retention Schedule, which sets out the appropriate length of time each type of NHS records is retained.

The Trust does not keep patient records for longer than necessary.

All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.

Patient rights

If the Trust holds information about a patient, they have the right to:

  • Restrict or object to the use of their data in certain circumstances
  • Request a copy of their medical records held in paper and/or electronic format (see below)
  • Ensure that accurate information is held by the Trust
  • Be advised of how long their information will be stored before destruction
  • Seek advice from or make a complaint to the Information Commissioner's Office (ICO) who is the UK data protection regulator

Accessing information

If you would like to view or receive a copy of your medical records, please see Your health record.

Security

CCTV (closed circuit television) is utilised to protect the safety of our patients, staff and members of the public.

The Trust's security services, including the use of CCTV, are managed by Serco.

The Tust remains the data controller of this data and any disclosures to third parties such as the police, will only be done with the permission of the Trust.

For safety and security reasons, the Serco security personnel will also be using body-worn video cameras while on duty; this follows a three-month trial period.

Recordings will not be continuous and security staff will make an announcement if they need to turn the cameras on.

To maintain privacy and dignity, recordings will not be permitted in areas of the hospital where examinations or procedures are being undertaken or if there is likely to be nudity.

Anyone present may object to the recording but will need to show the need for privacy outweighs the need to protect the general public.

National Fraud Initiative (NFI)

The National Fraud Initiative (NFI) is an exercise that matches electronic data within and between public and private sector bodies to prevent and detect fraud.

From 2017/18, NHS bodies were added to the mandatory list of responders.

The full core datasets required are:

  • Trade Creditors History (https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/733464/Trade-Creditors-History-Data-Spec-18-19.pdf)
  • Trade creditors standing data
    (https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/723589/Final-Trade-Creditors-Standing-Data-Spec-18-19.pdf) 

Raising a concern

Patients who have a concern about any aspect of their care or treatment at this Trust, or about the way their records have been managed, should contact:

The Patient Advice & Liaison Service (PALS)
PALS Office
Great Western Hospital
Marlborough Road
Swindon
SN3 6BB

Tel: 01793 604031
Email: gwh.pals@nhs.net

If you wish to report a concern or inaccuracy within your record or would like to restrict who your medical data is shared with, please speak to your clinician or contact:

Information Governance
Great Western Hospital
Marlborough Road
Swindon
SN3 6BB

Tel: 01793 605675
Email: gwh.info.gov@nhs.net 

Additionally, patients have the right to complain to the Information Commissioner if they should ever be dissatisfied with the way the Trust has handled or shared their personal information:

The Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 or 01625 545745

Or please see the Information Commissioner's Office website (www.ico.org.uk). 

Report a problem with this web page

Please contact us at gwh.webmaster@nhs.net and we'll put it right.

Translate this page: