Privacy Notice Patients
By issuing this privacy notice, we demonstrate our commitment to openness and accountability.
Why have we issued this privacy notice for our patients and service users?
- Data Protection Act 2018
- Human Rights Act 1998
- Access to Health Records Act 1990
- Freedom of Information Act 2000
- Health and Social Care Act 2012, 2015
- Public Records Act 1958
- Copyright, Designs and Patents Act 1988
- Re-Use of Public Sector Information Regs 2004
- Computer Misuse Act 1990
- Common Law Duty of Confidentiality
- NHS Care Records Guarantee for England
- Social Care Records Guarantee for England
- International Information Security Standards
- Information Security Code of Practice
- Records Management Code of Practice for Health & Social Care 2016
- Accessible Information Standards
- General Data Protection Regulations 2018
How do we collect your information?
There may also be times when information is collected from your relatives or next of kin – for example, if you are taken to one of our departments but you are unconscious or unable to communicate.
What information do we collect?
- Name, address, telephone, email, date of birth and next of kin
- Any contact we have had with you through appointments, attendances and home visits
- Details and records of treatment and care, notes and reports about your health, including any allergies or health conditions
- Results of x-rays, scans, blood tests, etc
- Other relevant information from people who care for you and know you well, such as health professionals, relatives and carers.
We may also collect other information about you, such as your sexuality, race or ethnic origin, religious or other beliefs, and whether you have a disability or require any additional support with appointments (like an interpreter or advocate).
Why do we collect your information?
How do we keep your information safe and maintain confidentiality?
Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.
Under the NHS Confidentiality Code of Conduct, all of our staff are required to protect information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
Every NHS organisation has a senior person that is responsible for protecting the confidentiality of your information and enabling appropriate sharing. This person is known as the Caldicott Guardian, and within our trust this role sits with our Medical Director. You can find more details online:
How do we use your information and why is this important?
- The right decisions are made about your care
- Your treatment is safe and effective; and
- We can work well with other organisations that may be involved in your care
This is important because having accurate and up-to-date information will assist us in providing you with the best possible care. It also ensures that all information is readily available if you see another health professional or specialist within our trust or another part of the NHS.
There is also the potential for your information to help improve health care and other services across our trust and the wider NHS. Therefore, your information may also be used to help with:
- Ensuring that our services can be planned to meet the future needs of patients
- Reviewing the care provided to ensure it is of the highest standard possible, improving individual diagnosis and care
- Evaluating and improving patient safety
- Training other healthcare professionals
- Conducting clinical research and audits, and understanding more about health risks and causes to develop new treatments
- Preparing statistics on NHS performance and monitoring how we spend public money
- Supporting the health of the general public
- Evaluating Government and NHS policies
Do we share your information with anyone else?
Sharing with other organisations
Where the sharing involves a non-NHS organisation, a specific information sharing agreement is put in place to ensure that only relevant information is shared and this is done securely in a way which complies with the law.
Unless there are exceptional circumstances (such as a likely risk to the health and safety of others) or a valid reason permitted by law, we will not disclose any information to third parties which can be used to identify you without your consent.
We are currently working with an external provider, Newton Europe Limited (Newton), on a diagnostic review of the interaction of Older People’s acute, community and social care services across Cornwall. The aim of the review is to examine the effectiveness of current processes and to identify improvement opportunities to benefit the people of Cornwall and assist in the management of the Cornwall health and social care system. The review will involve Newton analysing certain data held by us and other Cornwall health and social care providers (listed below).
As a result, a Data Processing Agreement has been entered into between Newton and the following organisations: Cornwall Council, NHS Kernow Clinical Commissioning Group, Royal Cornwall Hospitals NHS Trust, Cornwall Partnership NHS Foundation Trust and University Hospitals Plymouth NHS Trust. The Data Processing Agreement includes safeguards to ensure that personal data is used appropriately during the review. In particular, any use of personal data as part of the review will be restricted to pseudonymised data only. Under GDPR, the legal basis for this use of data is that it is a public task (see Article 6e) and that it relates to the management and provision of health and care treatment (see Article 9h).
Mandatory information sharing
We are also required to send statutory information to the Department of Health, which is then held centrally and strictly controlled by the NHS Information Authority. This organisation takes advice from an independent board called the Security and Confidentiality Advisory Group, which reports to the government Chief Medical Officer.
There may also be occasions when the trust is reviewed by an independent auditor, which could involve reviewing randomly selected patient information to ensure we are legally compliant.
Clinical training, research and audit
We also undertake clinical research and audits within the trust, and your permission may be required for some of this work. If you agree to be involved, a full explanation will be given and your consent will be obtained before proceeding. Your consent may not be required if the information being used has been anonymised. This means that it cannot be used to identify an individual person.
Do you have the right to withhold or withdraw your consent for information sharing?
You also have the right to ‘opt out’ of having your information used in any mandatory audits which the trust is subjected to. If this is the case, you should write to our Information Governance team with your name, address, date of birth and hospital number or NHS number.
How can you get access to the information that we hold about you?
To support you through the process, we have a policy on the Trust website, available at: Subject Access Request Policy and Procedure
You can also request further information or an application form by one of the following means:
Post: The Subject Access Request Team, Cornwall Partnership NHS Foundation Trust, Large Meeting Room, Camborne Redruth Community Hospital, Barncoose Terrace, Redruth, Cornwall, TR15 3ER
Tel: 01209 204008, 01209 204009 or 01209 244010
How can you contact us with queries or concerns about this privacy notice?
Post: Information Governance Department, Cornwall Partnership NHS Foundation Trust, Suite 6, Carew House, Beacon Technology Park, Dunmere Road, Bodmin, Cornwall, PL31 2QN
Tel: 01208 834495
How long do we retain your records?
All records are appropriately reviewed once their retention period has been met, and the Trust will decide whether the record still requires retention or should be confidentially destroyed. All decisions and destructions will be documented.
How can you make a complaint?
It may also be possible to resolve your concerns through a discussion with our Patient Advice and Liaison Service (PALS) before (or without the need to start) a more formal process:
Address: Patient Experience Team, Room 11, Banham House, Bodmin Hospital, PL31 2QT
Tel: 01208 834620
If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office:
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Phone: 0303 123 1113
Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly. Please see the website above for further advice.
CQC and accessing data
Under data protection laws, providers are required to be clear with people about how and why any data they hold on them might be accessed and used. This is often done through privacy notices on websites. We would encourage providers to ensure that notices of this type include reference to CQC and a link to our privacy notice, as we may access care records and other personal data as part of our regulatory activity.
Changes to this Privacy Notice?