Privacy Policy & Data Protection

Privacy Notice: 22 May 2023

This Privacy Notice explains how North Bristol NHS Trust ("we," "us," or "our") collects, uses, discloses, and protects personal information as a Data Controller in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to protecting your privacy and handling your personal information responsibly.

Purpose of Processing Personal Information

We collect and process personal information for the following purposes:

• Providing healthcare services and treatment
• Managing and administering your healthcare records
• Facilitating communication between healthcare professionals
• Conducting research, audits, and clinical trials
• Ensuring the safety and quality of our services
• Planning and managing the healthcare system
• Complying with legal and regulatory obligations

Types of Personal Information Collected

We may collect the following types of personal information:

• Basic details (e.g., name, address, date of birth)
• Contact information (e.g., phone number, email address)
• Health and medical information
• Relevant social and personal circumstances
• Financial information (where necessary for payment purposes)
• Information related to your care and treatment
• Identifiers (e.g., NHS number, patient identifier)
• Research data (where applicable and with consent)
• Any other information necessary for providing healthcare services

What information do we collect online?

You may choose to submit personal information about yourself (e.g., name, email, address) through the webforms we provide. By entering and submitting your details in the fields requested, you are consenting to North Bristol NHS Trust and our service providers to process your data and provide you with the services you select. Any information you provide to the North Bristol NHS Trust will only be used by us, our agents and service providers and will not be disclosed unless we are obliged or permitted to by law to do so.

Legal Basis for Processing Personal Information

We rely on the following legal bases for processing personal information:

• Performance of a contract: To provide healthcare services and treatment.
• Compliance with legal obligations: To fulfil our legal and regulatory requirements.
• Vital interests: To protect your vital interests or those of others.
• Consent: When explicit consent is required, we will obtain it before processing your personal information.
• Legitimate interests: Where processing is necessary for our legitimate interests or those of a third party, provided it does not override your rights and freedoms.

Sharing Personal Information

We may share your personal information with the following parties:

• Healthcare professionals and providers involved in your care
• NHS organisations and other healthcare bodies
• Public health agencies and authorities
• Research organisations (with your consent)
• Our suppliers and service providers (e.g., IT support, payment processors)
• Regulatory bodies, auditors, and legal advisors
• Law enforcement agencies and courts (where required by law)

International Data Transfers

In certain circumstances, we may transfer your personal information to countries outside the European Economic Area (EEA). If such transfers occur, we will ensure appropriate safeguards are in place to protect your personal information.

Data Retention

We will retain your personal information in accordance with applicable laws and regulations and in accordance with the NHS Records Management Code of Practice. We will securely dispose of personal information when it is no longer required for the purposes stated in this Privacy Notice.

Your Rights

You have certain rights regarding your personal information, including the right to:

• Access and obtain a copy of your personal information
• Rectify inaccurate or incomplete personal information
• Erase your personal information in certain circumstances
• Restrict or object to the processing of your personal information
• Data portability, where applicable
• Withdraw consent, where applicable
• To exercise your rights or if you have any privacy-related concerns or questions, please contact our Data Protection Officer or Caldicott Guardian using the details provided below.

Security Measures

We implement appropriate technical and organisational measures to safeguard your personal information from unauthorised access, disclosure, alteration, or destruction. We regularly review and update our security practices to ensure the ongoing protection of your personal information.

Complaints

If you believe that we have violated your privacy rights or mishandled your personal information, please contact our Data Protection Officer, or make a formal Complaint using the details provided below. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK or the relevant supervisory authority in your country of residence.

Contact Information

If you have any questions or concerns about our privacy practices or this Privacy Notice, please contact our:

Data Protection Officer

Helen Williamson
Head of Information Governance
Email: Helen.williamson2@nbt.nhs.uk

Caldicott Guardian(s)

Tim Whittlestone
Chief Medical Officer
Email: Caldicott.guardian@nbt.nhs.uk

Sanjoy Shah
Deputy Chief Medical Officer
Email: Caldicott.guardian@nbt.nhs.uk

Concerns

Patient Advice and Liaison Service (PALS)
Email: pals@nbt.nhs.uk
Telephone: 0117 414 4569

Complaints

The Complaints Team
Email: complaints@nbt.nhs.uk
Telephone: 0117 414 4567 or 0117 414 3669

Managing preferences and withdrawing consent

Consent means offering individuals genuine choice and control. Under the General Data Protection Regulation, consent requires a positive opt-in.

We will not use pre-ticked boxes or any other method of consent by default.

As explicit consent requires a very clear and specific statement of consent, we will ensure that this is done.

• We will keep consents separate from other terms and conditions
• Be specific and granular, clear and concise
• We will name any third-party controllers who will rely on consent as required
• Make it easy for people to withdraw consent.

We will:

• keep evidence of consent - who, when, how and what individuals were told
• keep consent under review and refresh if and when anything changes
• avoid making consent a precondition of a service.

Using personal information in the wider Health Service

Prior to the launch of the national data opt-out individuals could set two types of general opt-outs, via their GP practice:

• A type 1 opt-out prevents information that identifies individuals being shared outside of their GP practice, for secondary uses.
• A type 2 opt-out prevented confidential patient information from being shared outside of NHS Digital for purposes beyond individual care.

Type 1 opt-outs continue to be honoured until September 2020 at the earliest when the Department of Health and Social Care (DHSC) will consult with the National Data Guardians before confirming their removal.

Type 2 opt-outs have been replaced by the national data opt-out and are no longer valid. All type 2 opt-outs recorded in GP practices up to and including 11 October 2018 have been migrated to become national data opt-outs.

NHS Digital would have written to inform people who previously registered a type 2 opt-out of this change.

More information on the conversion of type 2 opt-outs can be found on the NHS Digital website.

Other national and local opt-outs for specific purposes (for example summary care record opt-out) remain in place and should continue to be applied, when appropriate, alongside the national data opt-out.

Who can opt out?

Any person registered on PDS (and consequently with an NHS number allocated to them) is able to set a national data opt-out.

This covers most patients who have received health or care services in England and, therefore, have data about them in the health and care system in England.

Channels to set a national data opt-out

Several different channels are available for the public to set a national data opt-out. These are:

• a digital (online) channel accessed via the national data opt-out service.
• for those who need support to set their national data opt-out preference online a digitally assisted channel is provided that enables members of the public to set a national data opt-out with assistance from NHS Digital staff via the national helpline.
• a non-digital (paper based) channel accessed by the national helpline or through forms which can be printed from the webpages, and via the NHS App.

There are some points that apply to specific groups with respect to setting a national data opt-out:

• Individuals aged 13 or over are able to set a national data opt-out via the digital, digitally assisted and non-digital channels.
• Those with parental responsibility (parents & legal guardians) are able to set a national data opt-out on behalf of a child under the age of 13 via the non-digital channel only.

There is a specific form that allows a choice to be set for up to 6 children at once. Any national data opt-out that has been set by a person with parental responsibility for a child under the age of 13 will remain in place unless and until it is proactively changed.

• Those who have a formal proxy relationship to make decisions on behalf of another adult (either a lasting power of attorney or a court appointed deputy) are able to set a national data opt-out on behalf of that person via the non-digital channel only.
• Individuals in the secure and detained estate (e.g., prisons) are able to set a national data opt-out through the healthcare professionals working in these settings.
• Individuals who have agreed with their GP for their records to be marked as sensitive will be offered the choice to set a national data opt-out through the established processes to set (or remove) a sensitive flag.
• A national data opt-out cannot be set for a deceased patient unless they have explicitly stated this in a last will or testament. This can only be done via the non-digital channel.

A national data opt-out is stored against a person’s individual record on the NHS Digital Spine against their NHS number.

In some circumstances individuals may be allocated a new NHS number. The rules of how any existing national data opt-outs are applied to the new NHS number and in relation to other changes of circumstances are outlined in brief below.

Assigning new NHS Numbers

In instances where individuals are allocated a new NHS number any existing national data opt-out will not automatically be transferred to the new record.

This will include the following:

• Adoptions
• Gender reassignment
• Identity protection

Instead, such individuals will receive a letter informing them of the national data opt-out to ensure that they understand their options either via NHS Digital or the individual who is handling their case.

Connecting Care Records

Connecting Care is a local electronic patient record that allows health and social care professionals directly involved in your care, to share a summary of your medical record.

Your Connecting Care record will help those caring for you to manage your care better and allow information to be shared quickly and safely. Only authorised staff providing health services across Bristol, South Gloucestershire and North Somerset can access your record.

For more information about Connecting Care, visit the Connecting Care website at www.connectingcarebnssg.co.uk which includes information on:

• What Connecting Care is
• Why share information
• How information is protected
• How to Opt-Out/In
• Changes to our policy

If our privacy policy changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.

Contact Information Governance

Email: Information.Governance@nbt.nhs.uk

Telephone: 0117 414 2019

We may update this Privacy Notice from time to time. The updated version will be made available on our website, and the effective date will be revised accordingly.