This page was last updated: October 20th, 2022
Please see our Information Use Framework Policy
To achieve this, each organisation will be sharing more information about our patients than ever before to ensure we can identify the most vulnerable to provide joined up healthcare and to support each other to ensure there is no disruption of service if staff become unwell.
Our legal basis to do so is as follows:
The GDPR allows information to be shared for individual care, planning and research. Where health and care information (which would be classed as special category data) is shared for either individual care or to help tackle the disease through research and planning then the relevant Article 6 conditions (official authority, compliance with a legal obligation, public interest and on occasions vital interests) and Article 9 conditions (substantial public interest, the delivery of health and care, vital interests or for public health purposes and scientific research) should be relied on as applicable to the situation.
Individual healthcare organisations, arm’s length Bodies (except NHS Digital and NHS England and NHS Improvement which have been separately notified) and local authorities have been given legal notice under this regulation to support the processing and sharing of information to help the COVID-19 response.
Duty to share information
In Part 9 of the Health and Social Care Act 2012 (health and adult social care services: information).
The new Regulations is designed to harmonise data privacy laws across Europe, to protect and empower data subjects providing more choice about what is done with your data, and to make Organisations more accountable.
Under this new Regulation you have the following rights.
If you need more information about this refer to the Information Commissioners website or contact us and we will be glad to help. rch-tr.infogov@nhs.net
Our legal reasons for processing your heath information are set out within the Articles of the General Data Protection Regulation and are listed below.
6 (1)(a) ‘…the data subject has given consent to the processing of his or her personal data for one or more specific purposes
6(1)(b) ‘…processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
6(1)(.c) processing is necessary for compliance with a legal obligation to which the controller is subject;
6(1)(d) ‘…necessary in order to protect the vital interests of the data subject or of another natural person’
6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
6(1)(f) ‘…processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
9(2)(a) ‘…the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment and social protection law (Safeguarding)
9(2)( c) ‘…processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent This condition is met if—
9(2)(d) ‘…processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
9(2)(e) ‘…processing relates to personal data which are manifestly made public by the data subject;
9 (2)(f) ‘…processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
9(2)(g )‘…processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
9(2)(i) ‘…processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
9(2)(j) ‘…scientific or historical research purposes or statistical purposes …’ This covers the provision of direct healthcare and administrative purposes such as:
There may also be times when information is collected from your relatives or next of kin – for example, if you are taken to one of our departments but you are unconscious or unable communicate.
We may also collect other information about you, such as your sexuality, race or ethnic origin, religious or other beliefs, and whether you have a disability or require any additional support with appointments (like an interpreter or advocate in line with your rights under the Accessible Information Standard).
We collect personal and confidential information about you to support with the delivery of appropriate healthcare and treatment. In order to provide you with high quality care, we must keep records about you, your health and the care that we provide, or plan to provide to you. It is important for us to have a complete picture as this information enables us to provide the right care to meet your individual needs.
We collect relevant information about staff members in order to fulfil our obligations as an employer and to assist in the administration of your employment. This will include a Personnel file containing such things as sickness records, performance reviews and contracts of employment. We will also collect information to ensure we are able to pay you, manage your pension contributions and other necessary tasks.
Under the Data Protection Act 2018, strict principles govern our use of information and our duty to ensure it is kept safe and secure. Your information may be stored within electronic or paper records, or a combination of both. All our records are restricted so that only those individuals who have a legitimate right to access the information can get access. This might be through the use of technology or other environmental safeguards.
Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.
Under the NHS Confidentiality Code of Conduct, all of our staff are required to protect information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
Every NHS organisation has a senior person that is responsible for protecting the confidentiality of your health information and enabling appropriate sharing. This person is known as the Caldicott Guardian, and within our Trust this role sits with an appropriately trained senior Consultant.
The Trust has a Senior Information Risk Officer (Director of Integrated Governance). They are the most senior person in the Trust with responsibility for managing risks to the information we process.
This is important because having accurate and up-to-date information will assist us in providing you with the best possible care. It also ensures that all information is readily available if you see another health professional or specialist within our trust or another part of the NHS.
There is also the potential for your information to help improve health care and other services across our trust and the wider NHS. Therefore, your information may also be used to help with:
To help provide you with the best possible care, sometimes we will need to share your information with others. However, any sharing of information will always be governed by specific rules and laws. We may share your information with a range of health and social care organisations (which include private healthcare providers) and regulatory bodies. You may be contacted by any one of these organisations for a specific reason, and they will have a duty of telling you why they have contacted you.
Where the sharing involves a non-NHS organisation, a specific information sharing agreement is put in place to ensure that only relevant information is shared and this is done securely in a way which complies with the law.
The Cornwall and the Isles of Scilly Health and Social Care Partners are working to maximise the benefits patients receive from the health and social care providers in Cornwall, to achieve this we may at time engage external private organisations to help us meet this challenge.
E.g. we have engaged Newton Europe to help us deliver the Embrace Care programme
The Embrace Care programme is focussed on delivering better health and care outcomes for over 65s at risk of hospital admission, or who have been admitted to hospital. It allows the system to deliver an integrated and local-focussed community offer while supporting better outcomes for the older people of Cornwall and the Isles of Scilly.
Unless there are exceptional circumstances (such as a likely risk to the health and safety of others) or a valid reason permitted by law, we will not disclose any information to third parties which can be used to identify you without your consent.
The appointed Data Protection Officer for the Royal Cornwall Hospitals Trust is:
Mr Mark Scallan. PC.dp. PC.foi
There may also be occasions when the trust is reviewed by an independent auditor, which could involve reviewing randomly selected patient information to ensure we are legally compliant.
There are other statutory bodies where we are required to provide your information, these include:
We also undertake clinical research and audits within the trust, and your permission may be required for some of this work. If you agree to be involved, a full explanation will be given and your consent will be obtained before proceeding. Your consent may not be required if the information being used has been anonymised. This means that it cannot be used to identify an individual person.
There are a number of national programmes where the Government has granted a Section 251 provision which means the Opt Out does not apply and the requirements of the Common Law Duty of Confidentiality are set aside without us being in breach of your rights. You can however request that we do not share your information.
The National Programmes where the Opt Out does not apply are:
You also have the right to ‘opt out’ of having your information used in any mandatory audits which the Trust is subjected to. If this is the case, you should write to our Information Governance team with your name, address, date of birth and hospital number or NHS number.
You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used: for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.
You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used: for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.
To find out more or to make your choice visit www.nhs.uk/your-nhs-data-matters or call 0300 303 5678.
Under the terms of the Data Protection Act 2018 and the General Data Protection Regulations 2018, you have the right to request access to the information that we hold about you.
Request for access to medical records forms
In most cases we will not charge a fee to comply with a subject access request.
However, where the request is manifestly unfounded or excessive we may charge a “reasonable fee” for the administrative costs of complying with the request.
We may also charge a reasonable fee if an individual requests further copies of their data following a request. The fee will be based on the administrative costs of providing further copies.
We must act on the subject access request without undue delay which will usually be within one month of receipt. Where the request is considered complex or excessive we can apply an extension of a further 60 days, if this is the case we will inform you of this.
The time will be calculated from the day after we receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
If the corresponding date falls on a weekend or a public holiday, we have until the next working day to respond.
For practical purposes the Trust will aim to provide the information within 28-day days to ensure compliance is always within a calendar month.
Please be advised that the request will not be processed until the Royal Cornwall Hospitals NHS Trust (RCHT) is satisfied of the identity of the person making the request, and received the following:
The Trust Policy is that we must have at least two types of identity validation prior to providing access to, or disclosing of personal identifiable information.
If you are making a request on behalf of another person: we would require ID from both parties.
Therefore, could you please provide two of the following (one of which must be photographic identification)
Any documentation will be considered on an individual basis but may not be accepted.
Unfortunately we will not be able to process your request until we are in possession of this information.
If you want to see the health records of someone who has died, this is facilitated under the Access to Health Records Act (1990). The Access to Health Records Act 1990 and the Common Law protects the confidentiality of patients even after they have died. For this reason deceased patient’s records can only be disclosed in limited circumstances.
Request for Access to Health Records AHRA
You can request information or an application form, by one of the following means:
Post: The Disclosure Team, Kedhlow Building, Royal Cornwall Hospital, Truro, Cornwall, TR1 3LJ
Tel: 01872 254505
Email: rch-tr.Disclosure@nhs.net
Please refer to our Policy to Manage Information and records for further information:
It may also be possible to resolve your concerns through a discussion with our Patient and Family Experience Team before (or without the need to start) a more formal process:
Address: Patient Experience Team, Knowledge Spa, Royal Cornwall Hospital, Truro, TR1 3LJ.
Tel: 01872 252793
Email: rcht.patientexperience@nhs.net
If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office:
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Web: https://ico.org.uk/concerns/
Phone: 0303 123 1113
Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly. Please see the website above for further advice.