Privacy Policy and Data Protection

We may share your personal information with the following parties:

• Healthcare professionals and providers involved in your care.
• Public health agencies and authorities.
• Research organisations (with your consent).
• Our suppliers and service providers (e.g., IT support, payment processors).
• Regulatory bodies, auditors, and legal advisors.
• Law enforcement agencies and courts (where required by law).

Please note: When you've shared your contact details with the hospital or provided someone else's telephone or mobile number for your records, that specific number will be used to send you notifications and important information about your care via SMS text messages.

In certain circumstances, we may transfer your personal information to countries outside the European Economic Area (EEA). If such transfers occur, we will ensure appropriate safeguards are in place to protect your personal information.

When you provide your phone number and/or email address, we will use this information to send you appointment notifications and important information related to your hospital visit.

You will have the opportunity to confirm your email and telephone number through the NHS, during your hospital visit or through your GP practice. Visit managing your NHS App for support on how to update your details and how to set up notifications on the NHS App.

If you have push notifications enabled on the NHS App, you will initially receive your notifications directly from the NHS App. If this notification is not viewed within eight hours of receiving it, or before 9pm, depending on which is first, and depending on your communication preferences, we will send an SMS from the number +44 7860 039 092 or an email from DrDoctor.
Patients can update their communication preferences directly by visiting nhs.my/nbt

Please note appointment reminders, confirmations and invitations to online questionnaires and video consulting appointments will be sent from DrDoctor. This is a service we use to manage patient communication.

DrDoctor adheres to strict privacy and security standards to protect your information and your data is only accessible to authorised healthcare professionals involved in your care.

Under UK law, you have the right to object to how your personal data is used for specific purposes. This means you can request your data not be used for certain reasons or activities.  

Please note you cannot object solely to the means or methods used to process your data, such as our preferred communication platform called DrDoctor and we are using the data to support your care.

If you choose to opt out of any of the reminders and notifications from DrDoctor, you will not receive any reminders from any service using DrDoctor. When your next appointment is arranged, you will automatically be opted in again as we are using this data to support your care. 

If you have previously used someone else's number on your healthcare record, they will receive communications regarding your care.

For more information on receiving text messages and emails about your hospital appointment, visit “Texts and emails about your hospital appointments” pages.

We will retain your personal information in accordance with applicable laws and regulations and in accordance with the NHS Records Management Code of Practice. We will securely dispose of personal information when it is no longer required for the purposes stated in this Privacy Notice.

You have certain rights regarding your personal information, including the right to:

Access and obtain a copy of your personal information.

You have the right to see your personal information and learn how it's being used. This is called a Subject Access Request (SAR). To make a request, click ‘Make a Subject Access Request.’

However, this right isn't unlimited. The Trust can refuse your request if it could harm someone else's rights or if the request is unreasonable or too much. Also, certain information, like details about legal cases or national security, may be exempt from being shared. 

Rectify inaccurate or incomplete personal information

You have the right to ask us to correct any personal information we hold about you if it’s wrong or incomplete. The Trust must do this as soon as possible. 

However, this right has some limits. We may refuse your request if the information is already accurate, if changing it would conflict with other legal obligations, or if we need to keep it as it is for legal or valid reasons. 

Erase your personal information in certain circumstances

You have the right to ask certain organisations to delete your personal data, for example, when it’s no longer needed or if you withdraw your consent. 

However, this right isn’t absolute and has some exceptions. The Trust may refuse to erase your data if it’s needed for:

• Protecting freedom of expression and information
• Fulfilling legal obligations
• Public health reasons
• Archiving, research, or statistical purposes
• Establishing, exercising, or defending legal claims"

Restrict the processing of your personal information

You have the right to ask the Trust to limit how your personal data is used in certain situations. This means you can request the Trust to temporarily stop using your data. 

However, this right isn’t absolute—the Trust may still need to use your data for things like legal claims or to protect someone else’s rights.

Object to the processing of your personal information

You have the right to object to how your data is used for things like the Trust’s business interests, public services, marketing, or research. 

However, this right isn’t absolute. The Trust may still be able to use your data if they can show strong reasons that outweigh your rights, or if it’s needed for legal reasons.

Withdraw consent, where applicable

You can change your mind and take back your consent whenever it applies. If you've given permission for us to use your personal data, you have the right to withdraw that consent at any time.

To exercise your rights or if you have any privacy-related concerns or questions, please contact our Caldicott Guardian by email CaldicottGuardian@nbt.nhs.uk

We implement appropriate technical and organisational measures to safeguard your personal information from unauthorised access, disclosure, alteration, or destruction. We regularly review and update our security practices to ensure the ongoing protection of your personal information.

If you believe that we have violated your privacy rights or mishandled your personal information, please contact our Data Protection Officer, or make a formal Complaint using the details provided below. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK or the relevant supervisory authority in your country of residence.

If you have any questions or concerns about our privacy practices or this Privacy Notice, please contact our:

Data Protection Officer

Helen Williamson
Head of Information Governance
Email: Helen.williamson2@nbt.nhs.uk

Caldicott Guardian(s)

Tim Whittlestone
Chief Medical Officer
Email: Caldicott.guardian@nbt.nhs.uk

Sanjoy Shah
Deputy Chief Medical Officer
Email: Caldicott.guardian@nbt.nhs.uk

Concerns

Patient Advice and Liaison Service (PALS)
Email: pals@nbt.nhs.uk
Telephone: 0117 414 4569

Complaints

The Complaints Team
Email: complaints@nbt.nhs.uk
Telephone: 0117 414 4567 or 0117 414 3669

Consent means offering individuals genuine choice and control. Under the General Data Protection Regulation, consent requires a positive opt-in.

We will not use pre-ticked boxes or any other method of consent by default.

As explicit consent requires a very clear and specific statement of consent, we will ensure that this is done.

• We will keep consents separate from other terms and conditions.
• Be specific and granular, clear and concise.
• We will name any third-party controllers who will rely on consent as required.
• Make it easy for people to withdraw consent.

We will:

• keep evidence of consent - who, when, how and what individuals were told.
• keep consent under review and refresh if and when anything changes.
• avoid making consent a precondition of a service.

Prior to the launch of the national data opt-out individuals could set two types of general opt-outs, via their GP practice:

• A type 1 opt-out prevents information that identifies individuals being shared outside of their GP practice, for secondary uses.
• A type 2 opt-out prevented confidential patient information from being shared outside of NHS Digital for purposes beyond individual care.

Type 1 opt-outs continue to be honoured until September 2020 at the earliest when the Department of Health and Social Care (DHSC) will consult with the National Data Guardians before confirming their removal.

Type 2 opt-outs have been replaced by the national data opt-out and are no longer valid. All type 2 opt-outs recorded in GP practices up to and including 11 October 2018 have been migrated to become national data opt-outs.

NHS Digital would have written to inform people who previously registered a type 2 opt-out of this change.

More information on the conversion of type 2 opt-outs can be found on the NHS Digital website.

Other national and local opt-outs for specific purposes (for example summary care record opt-out) remain in place and should continue to be applied, when appropriate, alongside the national data opt-out.

Who can opt out?

Any person registered on PDS (and consequently with an NHS number allocated to them) is able to set a national data opt-out.

This covers most patients who have received health or care services in England and, therefore, have data about them in the health and care system in England.

Channels to set a national data opt-out

Several different channels are available for the public to set a national data opt-out. These are:

• A digital (online) channel accessed via the national data opt-out service.
• for those who need support to set their national data opt-out preference online a digitally assisted channel is provided that enables members of the public to set a national data opt-out with assistance from NHS Digital staff via the national helpline.
• A non-digital (paper based) channel accessed by the national helpline or through forms which can be printed from the webpages, and via the NHS App.

There are some points that apply to specific groups with respect to setting a national data opt-out:

• Individuals aged 13 or over are able to set a national data opt-out via the digital, digitally assisted and non-digital channels.
• Those with parental responsibility (parents & legal guardians) are able to set a national data opt-out on behalf of a child under the age of 13 via the non-digital channel only.

There is a specific form that allows a choice to be set for up to 6 children at once. Any national data opt-out that has been set by a person with parental responsibility for a child under the age of 13 will remain in place unless and until it is proactively changed.

• Those who have a formal proxy relationship to make decisions on behalf of another adult (either a lasting power of attorney or a court appointed deputy) are able to set a national data opt-out on behalf of that person via the non-digital channel only.
• Individuals in the secure and detained estate (e.g., prisons) are able to set a national data opt-out through the healthcare professionals working in these settings.
• Individuals who have agreed with their GP for their records to be marked as sensitive will be offered the choice to set a national data opt-out through the established processes to set (or remove) a sensitive flag.
• A national data opt-out cannot be set for a deceased patient unless they have explicitly stated this in a last will or testament. This can only be done via the non-digital channel.

A national data opt-out is stored against a person’s individual record on the NHS Digital Spine against their NHS number.

In some circumstances individuals may be allocated a new NHS number. The rules of how any existing national data opt-outs are applied to the new NHS number and in relation to other changes of circumstances are outlined in brief below.

In instances where individuals are allocated a new NHS number any existing national data opt-out will not automatically be transferred to the new record.

This will include the following:

• Adoptions.
• Gender reassignment.
• Identity protection.

Instead, such individuals will receive a letter informing them of the national data opt-out to ensure that they understand their options either via NHS Digital or the individual who is handling their case.

Connecting Care is a local electronic patient record that allows health and social care professionals directly involved in your care, to share a summary of your medical record.

Your Connecting Care record will help those caring for you to manage your care better and allow information to be shared quickly and safely. Only authorised staff providing health services across Bristol, South Gloucestershire and North Somerset can access your record.

For more information about Connecting Care, visit the Connecting Care website at www.connectingcarebnssg.co.uk which includes information on:

• What Connecting Care is.
• Why share information.
• How information is protected.
• How to Opt-Out/In.
• Changes to our policy.

If our privacy policy changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.

North Bristol NHS Trust (NBT) is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

NBT is a mandatory participant of the Cabinet Office’s National Fraud Initiative (NFI) which is a data matching exercise undertaken by the Cabinet Office to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Cabinet Office for each exercise.

Data matching involves comparing sets of data, such as payroll of a body against other records held by the same or another body to see how far they match. This is usually personal information and Trust creditors’ data. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.

Data matching by the Cabinet Office is subject to a Code of Practice. Should you wish to know more information on this Fair Processing Notice please see the more detailed full text. View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information. 

For further information on data matching at NBT, contact Sarah Smith, Local Counter Fraud Specialist on sarah.smith10@uhbw.nhs.uk or call 07467 685609.