Privacy Policy and Data Protection

Privacy Notice: 12 September 2024

This Privacy Notice explains how North Bristol NHS Trust ("we," "us," or "our") collects, uses, discloses, and protects personal information as a Data Controller in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to protecting your privacy and handling your personal information responsibly.

Purpose of Processing Personal Information

We collect and process personal information for the following purposes:

  • Providing healthcare services and treatment.
  • Managing and administering your healthcare records.
  • Facilitating communication between healthcare professionals.
  • Conducting research, audits, and clinical trials.
  • Ensuring the safety and quality of our services.
  • Planning and managing the healthcare system.
  • Complying with legal and regulatory obligations.

Types of Personal Information Collected

We may collect the following types of personal information:

  • Basic details (e.g., name, address, date of birth).
  • Contact information (e.g., phone number, email address).
  • Health and medical information.
  • Relevant social and personal circumstances.
  • Financial information (where necessary for payment purposes).
  • Information related to your care and treatment.
  • Identifiers (e.g., NHS number, patient identifier).
  • Research data (where applicable and with consent).
  • Any other information necessary for providing healthcare services.

What information do we collect online?

You may choose to submit personal information about yourself (e.g., name, email, address) through the webforms we provide. By entering and submitting your details in the fields requested, you consent to North Bristol NHS Trust and our service providers processing your data in order to provide you with the services you select. Any information you provide to North Bristol NHS Trust will be used only by us, our agents and our service providers, and will not be disclosed unless we are obliged or permitted by law to do so.

At North Bristol NHS Trust (NBT) we value your privacy and want to ensure you understand how your data is used and protected. This notice is to inform you about your rights regarding the use of your personal data.

Under UK data protection legislation you have choices and certain rights when it comes to your personal data. However, there are specific situations where these rights do not apply, and there is an important exception when it comes to your healthcare.

In the UK, patients generally cannot opt out of the processing of personal data that is needed to provide their healthcare. The National Health Service (NHS) has a legal obligation to provide healthcare to residents, and the records needed to deliver and support that care are kept and used on a legal basis that does not depend on the patient's consent.

NHS organisations, like NBT, have legal grounds to process confidential and sensitive information under various laws and obligations.

Legal Basis for Processing Personal Information

We rely on the following legal bases for processing personal information:

Legal Obligation: We have a legal obligation to process person identifiable data to provide healthcare services. This obligation is enshrined in various laws and regulations, including the National Health Service Act 2006 and the Health & Social Care Act 2012.

Public Task: Processing person identifiable data is often necessary for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the NHS. This includes providing healthcare services, public health initiatives and medical research.

Consent: While consent is an important aspect of data processing, in the context of healthcare NHS organisations can rely on alternative legal bases, such as legal obligation or public task, rather than explicit consent. However, consent will always be sought whenever appropriate.

Vital Interests: Processing person identifiable data may be necessary to protect the vital interests of the patient or other individuals, particularly in emergency situations where obtaining consent may not be feasible.

Statutory and Regulatory Obligations: NBT must comply with various statutory and regulatory obligations relating to the protection of individuals' data, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018.

Sharing Personal Information

We may share your personal information with the following parties:

  • Healthcare professionals and providers involved in your care.
  • Public health agencies and authorities.
  • Research organisations (with your consent).
  • Our suppliers and service providers (e.g., IT support, payment processors).
  • Regulatory bodies, auditors, and legal advisors.
  • Law enforcement agencies and courts (where required by law).

Please note: when you have shared your contact details with the hospital, or have provided someone else's telephone or mobile number for your records, that number will be used to send notifications and important information about your care via SMS text messages.

International Data Transfers

In certain circumstances, we may transfer your personal information to countries outside the United Kingdom. If such transfers occur, we will ensure appropriate safeguards are in place to protect your personal information.

When you provide your phone number and/or email address, we will use this information to send you appointment notifications and important information related to your hospital visit.

You will have the opportunity to confirm your email address and telephone number through the NHS App, during your hospital visit or through your GP practice. Visit the "Managing your NHS App" pages for support on how to update your details and how to set up notifications in the NHS App.

If you have push notifications enabled on the NHS App, you will initially receive your notifications directly from the NHS App. If a notification is not viewed within eight hours of being received, or by 9pm, whichever comes first, then, depending on your communication preferences, we will send an SMS from the number +44 7860 039 092 or an email from DrDoctor.

Patients can update their communication preferences directly by visiting nhs.my/nbt.

Please note appointment reminders, confirmations and invitations to online questionnaires and video consulting appointments will be sent from DrDoctor. This is a service we use to manage patient communication.

DrDoctor adheres to strict privacy and security standards to protect your information and your data is only accessible to authorised healthcare professionals involved in your care.

Under UK law, you have the right to object to how your personal data is used for specific purposes. This means you can request that your data not be used for certain reasons or activities.

Please note that you cannot object solely to the means or method used to process your data, such as our chosen communication platform, DrDoctor, where we are using the data to support your care.

If you choose to opt out of any of the reminders and notifications from DrDoctor, you will not receive any reminders from any service using DrDoctor. When your next appointment is arranged, you will automatically be opted in again as we are using this data to support your care. 

If you have previously used someone else's number on your healthcare record, they will receive communications regarding your care.

For more information on receiving text messages and emails about your hospital appointment, visit “Texts and emails about your hospital appointments” pages.

Data Retention

We will retain your personal information in accordance with applicable laws and regulations and in accordance with the NHS Records Management Code of Practice. We will securely dispose of personal information when it is no longer required for the purposes stated in this Privacy Notice.

Your Rights

You have certain rights regarding your personal information, including the right to:

Access and obtain a copy of your personal information.

You have the right to see your personal information and learn how it's being used. This is called a Subject Access Request (SAR). To make a request, click ‘Make a Subject Access Request.’

However, this right isn't unlimited. The Trust can refuse your request if complying with it could harm someone else's rights, or if the request is manifestly unfounded or excessive. Also, certain information, such as details about legal cases or national security, may be exempt from being shared.

Rectify inaccurate or incomplete personal information

You have the right to ask us to correct any personal information we hold about you if it is wrong or incomplete. The Trust must do this without undue delay.

However, this right has some limits. We may refuse your request if the information is already accurate, if changing it would conflict with other legal obligations, or if we need to keep it as it is for legal or valid reasons. 

Erase your personal information in certain circumstances

You have the right to ask the Trust to delete your personal data in certain circumstances, for example when it is no longer needed or when you withdraw your consent.

However, this right isn’t absolute and has some exceptions. The Trust may refuse to erase your data if it’s needed for:

  • Protecting freedom of expression and information
  • Fulfilling legal obligations
  • Public health reasons
  • Archiving, research, or statistical purposes
  • Establishing, exercising, or defending legal claims

Restrict the processing of your personal information

You have the right to ask the Trust to limit how your personal data is used in certain situations. This means you can ask the Trust to temporarily stop using your data.

However, this right isn't absolute. The Trust may still need to use your data for things like legal claims or to protect someone else's rights.

Object to the processing of your personal information

You have the right to object to how your data is used for things like the Trust’s business interests, public services, marketing, or research. 

However, this right isn’t absolute. The Trust may still be able to use your data if they can show strong reasons that outweigh your rights, or if it’s needed for legal reasons.

Withdraw consent, where applicable

Where we rely on your consent to use your personal data, you can change your mind and withdraw that consent at any time.

To exercise your rights, or if you have any privacy-related concerns or questions, please contact our Caldicott Guardian by email at CaldicottGuardian@nbt.nhs.uk

Security Measures

We implement appropriate technical and organisational measures to safeguard your personal information from unauthorised access, disclosure, alteration, or destruction. We regularly review and update our security practices to ensure the ongoing protection of your personal information.

Complaints

If you believe that we have violated your privacy rights or mishandled your personal information, please contact our Data Protection Officer, or make a formal complaint using the details provided below. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK or the relevant supervisory authority in your country of residence.

Contact Information

If you have any questions or concerns about our privacy practices or this Privacy Notice, please contact our:

Data Protection Officer

Helen Williamson
Head of Information Governance
Email: Helen.williamson2@nbt.nhs.uk

Caldicott Guardian(s)

Tim Whittlestone
Chief Medical Officer
Email: Caldicott.guardian@nbt.nhs.uk

Sanjoy Shah
Deputy Chief Medical Officer
Email: Caldicott.guardian@nbt.nhs.uk

Concerns

Patient Advice and Liaison Service (PALS)
Email: pals@nbt.nhs.uk
Telephone: 0117 414 4569

Complaints

The Complaints Team
Email: complaints@nbt.nhs.uk
Telephone: 0117 414 4567 or 0117 414 3669

Managing preferences and withdrawing consent

Consent means offering individuals genuine choice and control. Under the UK General Data Protection Regulation, consent requires a positive opt-in.

We will not use pre-ticked boxes or any other method of consent by default.

Where explicit consent is required, we will obtain a clear and specific statement of consent from you.

We will:

  • keep consents separate from other terms and conditions.
  • be specific and granular, clear and concise.
  • name any third-party controllers who will rely on the consent, as required.
  • make it easy for people to withdraw consent.
  • keep evidence of consent: who, when, how and what individuals were told.
  • keep consent under review and refresh it if and when anything changes.
  • avoid making consent a precondition of a service.

Using personal information in the wider health service

Prior to the launch of the national data opt-out individuals could set two types of general opt-outs, via their GP practice:

  • A type 1 opt-out prevents information that identifies individuals being shared outside of their GP practice, for secondary uses.
  • A type 2 opt-out prevented confidential patient information from being shared outside of NHS Digital for purposes beyond individual care.

Type 1 opt-outs continue to be honoured; the Department of Health and Social Care (DHSC) will consult with the National Data Guardian before confirming their removal.

Type 2 opt-outs have been replaced by the national data opt-out and are no longer valid. All type 2 opt-outs recorded in GP practices up to and including 11 October 2018 have been migrated to become national data opt-outs.

NHS Digital wrote to people who had previously registered a type 2 opt-out to inform them of this change.

More information on the conversion of type 2 opt-outs can be found on the NHS Digital website.

Other national and local opt-outs for specific purposes (for example summary care record opt-out) remain in place and should continue to be applied, when appropriate, alongside the national data opt-out.

Who can opt out?

Any person registered on the Personal Demographics Service (PDS), and consequently with an NHS number allocated to them, is able to set a national data opt-out.

This covers most patients who have received health or care services in England and, therefore, have data about them in the health and care system in England.

Channels to set a national data opt-out

Several different channels are available for the public to set a national data opt-out. These are:

  • A digital (online) channel, accessed via the national data opt-out service.
  • A digitally assisted channel, for those who need support to set their preference online, which enables members of the public to set a national data opt-out with assistance from NHS Digital staff via the national helpline.
  • A non-digital (paper-based) channel, accessed through the national helpline or through forms that can be printed from the web pages.
  • The NHS App.

There are some points that apply to specific groups with respect to setting a national data opt-out:

  • Individuals aged 13 or over are able to set a national data opt-out via the digital, digitally assisted and non-digital channels.
  • Those with parental responsibility (parents & legal guardians) are able to set a national data opt-out on behalf of a child under the age of 13 via the non-digital channel only.

There is a specific form that allows a choice to be set for up to 6 children at once. Any national data opt-out that has been set by a person with parental responsibility for a child under the age of 13 will remain in place unless and until it is proactively changed.

  • Those who have a formal proxy relationship to make decisions on behalf of another adult (either a lasting power of attorney or a court-appointed deputy) are able to set a national data opt-out on behalf of that person via the non-digital channel only.
  • Individuals in the secure and detained estate (e.g., prisons) are able to set a national data opt-out through the healthcare professionals working in those settings.
  • Individuals who have agreed with their GP for their records to be marked as sensitive will be offered the choice to set a national data opt-out through the established processes for setting (or removing) a sensitive flag.
  • A national data opt-out cannot be set for a deceased patient unless they explicitly stated this in their last will and testament. This can only be done via the non-digital channel.

A national data opt-out is stored against a person’s individual record on the NHS Digital Spine against their NHS number.

In some circumstances individuals may be allocated a new NHS number. The rules for how any existing national data opt-out is applied to the new NHS number, and in relation to other changes of circumstances, are outlined briefly below.

Assigning new NHS Numbers

In instances where individuals are allocated a new NHS number any existing national data opt-out will not automatically be transferred to the new record.

This will include the following:

  • Adoptions.
  • Gender reassignment.
  • Identity protection.

Instead, such individuals will receive a letter, either from NHS Digital or from the person handling their case, informing them of the national data opt-out so that they understand their options.

Connecting Care Records

Connecting Care is a local electronic patient record that allows health and social care professionals directly involved in your care to share a summary of your medical record.

Your Connecting Care record will help those caring for you to manage your care better and allow information to be shared quickly and safely. Only authorised staff providing health services across Bristol, South Gloucestershire and North Somerset can access your record.

For more information about Connecting Care, visit the Connecting Care website at www.connectingcarebnssg.co.uk which includes information on:

  • What Connecting Care is.
  • Why share information.
  • How information is protected.
  • How to opt out or opt in.

Changes to our policy

If our privacy policy changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.

Counter Fraud

North Bristol NHS Trust (NBT) is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

NBT is a mandatory participant in the Cabinet Office's National Fraud Initiative (NFI), a data matching exercise undertaken by the Cabinet Office to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Cabinet Office for each exercise.

Data matching involves comparing sets of data, such as a body's payroll against other records held by the same or another body, to see how far they match. This is usually personal information and Trust creditors' data. Data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or another explanation until an investigation has been carried out.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.

Data matching by the Cabinet Office is subject to a Code of Practice. More information on this fair processing notice, including the Cabinet Office's legal powers and the reasons why it matches particular information, is available in the Cabinet Office's full text.

For further information on data matching at NBT, contact Sarah Smith, Local Counter Fraud Specialist on sarah.smith10@uhbw.nhs.uk or call 07467 685609.

Contact Information Governance

If you have any queries regarding a Subject Access Request, please contact Information Governance.
Email: Information.Governance@nbt.nhs.uk
Telephone: 0117 414 2019 (option 1)

If you have any queries regarding Freedom of Information requests, please contact the FOI team.
Email: FOIArequests@nbt.nhs.uk