Privacy and Accessibility
The Dudley Group NHS Foundation Trust has responsibility for ensuring your personal data is processed in accordance with the principles of the Data Protection Act 1998. The purpose of this privacy statement is to:
- Inform you why we collect information about you
- Inform you how we use your personal information
- Explain who we share your personal information with
- Explain how you can restrict the disclosure of information
- Inform you about our text messaging service
- Explain how your personal information is used to improve the NHS as a whole
- Explain how you can access your medical records
The General Data Protection Regulations (GDPR)
Despite the result of the Brexit vote the Government announced, on 24th October 2016, that the UK’s implementation of the General Data Protection Regulation (GDPR) will go ahead. GDPR will be the biggest change in data protection law for 20 years.
The GDPR is part of a package, also including the Directive on data protection and law enforcement, which is intended to bring about a harmonious data protection regime across the European Union (EU).
What information does the GDPR apply to?
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified.
Personal data can include a name, identification number, location data or online identifier (reflecting changes in technology and the way organisations collect information about people).
The GDPR applies to both automated personal data and to structured manual filing systems containing personal data; it can also include personal data that has been pseudonymised – e.g. where identifiers have been hidden and accessed via a ‘key’.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9).
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).
The General Data Protection Regulation (GDPR) requires each Member State to appoint at least one independent national supervisory authority.
It has been proposed that the role of the UK supervisory authority should be fulfilled by the Information Commissioner.
The purpose of the NHS is to provide you with the highest quality of health care. To help us achieve this we must keep records about your health, treatment and the care we have provided or plan to provide.
These records are called your health records and may be stored in paper format or electronically. Health records may include information such as:
- Personal information including your name, address, date of birth, NHS number, next of kin, ethnicity and contact details
- Contacts we have had with you such as hospital admissions or outpatient appointments
- Records and reports about your health
- Results of investigations, such as X-rays and laboratory tests
- Relevant information from other health professionals, relatives or carers
If you think that any of the information we hold about you is incorrect, please let us know as soon as possible. Please check that the details we have about you are correct with either the receptionist if you are attending an outpatient appointment or the ward clerk if you are an inpatient. If you feel we hold incorrect medical information, please inform your doctor.
- NHS Trusts (where your care and rehabilitation is to be continued elsewhere)
- General Practitioners (GPs)
- Ambulance Services
- Other healthcare providers with which the Trust has a sharing agreement in place
- Clinical Commissioning Groups (CCGs)
All information we hold about you is confidential. We will not release any information about you without your consent, except to other professionals involved in your care or in exceptional circumstances, for instance when the health and safety of others is at risk or where the law requires information to be passed on.
Subject to strict agreements describing how it will be used, your information may also be shared with:
- Social Services
- Education services
- Local Authorities
- Private Sector Providers
- Crime Reduction Initiatives
- Safeguarding Teams
- Dudley MBC Community and Housing Services
- Voluntary services
- The Police
We will ask you for your explicit consent to share your personal information unless we are mandated by law or the health and safety of others is at risk.
This will only be done, either:
- With your consent
- When it is required by law to be passed on to improve public health, or
- When appropriate approval is in place from a Research Ethics Committee to screen health records for the purpose of identifying individuals who could subsequently be approached about participation in the study. At all times you retain the right to opt out of such screening. You can do this by calling the following Trust number 01384 456111 Ext 3719 to speak to a member of staff in the Research Department.
You may be receiving care from several organisations including the NHS, Social Services and voluntary organisations.
- We may need to share your information so we can all work together for your benefit
- We will only ever use or pass on information about you if professionals involved in your care have a genuine need for it.
We will not disclose your information to third parties without your permission, giving you the chance to opt out of the sharing, unless there are exceptional circumstances, such as when the health or safety of vulnerable patients is at risk, the health and safety of others is at risk or where the law requires information to be passed on.
The law requires us to report certain information to the appropriate authorities:
- Notifications of new births
- Where we encounter diseases which may endanger the safety of others, such as meningitis or measles
- Where a formal court order has been issued
The Trust IT Services are certified with ISO27001 Information Security Management standard accredited by BSI. This is an international standard and recognised within the commercial and public sector. There are very few NHS Trusts that are certified to ISO27001.
The Trust IT Services are Cyber Essentials certified. Cyber Essentials covers the ’10 Steps to Cyber Security’ published by the National Cyber Security Centre (NCSC). This is a scheme welcomed by the Information Commissioner, Christopher Graham.
The Dudley Group NHS Foundation Trust operates a text messaging reminder facility for certain services. You can opt in to this service by confirming your contact details, including your mobile telephone number. Text messages will then be sent to the mobile telephone number you have provided us with.
Please note that if the mobile telephone number you provide us with is not your own, we cannot be held responsible if someone else reads your text message.
For the services that provide this facility you do not have to provide us with your mobile telephone number if you do not wish to receive this service.
The Dudley Group NHS Foundation Trust may from time to time ask for your views on the services we provide to enable us to improve. This request may be sent by text message. To opt out, simply reply STOP free of charge or call freephone 0800 073 0510.
When collecting or transferring sensitive information such as health and personal details we use a variety of security technologies and procedures to help protect your personal information from unauthorised access, use or disclosure.
However, any information we receive from you via Hotmail, AOL, Google mail or Yahoo or other web-based email systems and any response we might transmit via email in return, cannot be guaranteed to be completely protected from access by unauthorised persons. This is because the World Wide Web is beyond our control. It is also the case that we cannot guarantee who has access to an individual’s emails within any home, office or internet café setting.
If we receive an email from you via Hotmail, AOL, Google mail or Yahoo or other web-based email systems we will assume that you have provided your consent for us to respond to that email address and you have taken into account the issues raised above.
- Your child, if the healthcare professional decides it’s in the best interest of the child. In the case of older children you may see the records if the child agrees, or if the child is unable to understand, if the healthcare professional agrees that it is in the child’s best interests
- A patient who has died and you are acting as their personal representative or you have a claim resulting from their death
- Someone unable to give permission because of age or mental ability where you have a legitimate interest.
Please make your request in writing to: The Access to Health Records Team, Health Records Department, Russells Hall Hospital, Dudley, West Midlands, DY1 2HQ
Tel: (01384) 456111 (ext. 1390)
Please include the full name, address and details of the records that you wish to receive a copy of. If you are requesting information for someone other than yourself, you will be required to provide written consent from that person or proof of your legitimate rights to access that information.
However, you can be refused access to some or all of your records if:
- The person in charge of your care thinks that you or someone else can be harmed by disclosing the information
- The information relates to or was provided by someone else who can be identified and is not the patient or a healthcare professional
- You have applied on behalf of someone who has died or is no longer capable and they originally gave the information on the understanding it would not be shared
The Data Controller responsible for keeping your information confidential is: The Dudley Group NHS Foundation Trust
Russells Hall Hospital
- Action Heart
- Birmingham City Council
- Black Country Partnership NHS Foundation Trust
- Care, Grow, Live (CGL) Atlantic Recovery Centre
- Community Safety Partnership
- West Midlands Police
- West Midlands Fire
- Dudley and Walsall Health Partnership NHS Trust
- Dudley Community Partnership
- Dudley Council for Voluntary Service (Dudley CVS)
- Dudley MBC
- Genomic Health UK Ltd
- GP surgeries
- Ophthalmic Diagnostic Services
- Safeguarding Teams
- Solihull MBC
- The Black Country Alliance
- Walsall Healthcare NHS Trust
- Sandwell and West Birmingham Hospitals NHS Trust
- The Royal Wolverhampton Hospitals NHS Trust
- Walsall Council
The Data Protection Act 1998 requires organisations to register with the Information Commissioner’s Office to describe the purposes for which they process personal information. These details are available publicly from:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
The Trust’s Data Protection Registration reference number with the Information Commissioner’s Office is Z8909702
The Dudley Group NHS Foundation Trust website does not store or capture personal information other than that provided voluntarily by users of our feedback form. The site merely logs general visitor statistics which are collected and used to improve and maintain the website for the benefit of visitors.
Links to external web sites are not included.
All downloadable documents on the site are available in Portable Document Format (PDF). To view PDF files you will need Adobe Acrobat Reader installed on your computer. This can be freely downloaded from the Adobe site which can be accessed from the link below.
Click here to download the latest version of Adobe Reader
Acrobat supports Microsoft Active Accessibility (MSAA), a standard that enables Windows based programs to easily deliver information to assistive technologies.
Click here to find out more about Adobe Acrobat and accessibility.
This organisation is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.
The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998.
Data matching by the Cabinet Office is subject to a Code of Practice.
View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information. For further information on data matching at this organisation contact Chris Walker, Deputy Director of Finance, on 01384 321039; or Antony Upton, Local Counter Fraud Specialist, on 07484 040694.
The Trust will take all necessary steps to counter fraud, through compliance with the NHS Counter Fraud Authority Standards for Providers: Fraud, Bribery and Corruption. A zero-tolerance approach is taken to fraud and all allegations will be thoroughly investigated by the Trust’s Local Counter Fraud Specialist (LCFS). The Trust will ensure appropriate action is taken against wrong-doers, as well as undertaking steps to recover any assets lost as a result of fraud.
Transparent, fair conduct helps to foster deeper relationships of trust between the Trust and our partners. The Trust does not tolerate any form of bribery, whether direct or indirect, by, or of, its staff, agents or consultants, or any persons or entities acting for it or on its behalf. The board and senior management are committed to implementing and enforcing effective systems throughout the Trust to prevent, monitor and eliminate bribery, in accordance with the Bribery Act 2010.
A bribe is a financial advantage or other reward that is offered to, given to, or received by an individual or company (whether directly or indirectly) to induce or influence that individual or company to perform public or corporate functions or duties improperly. Employees and others acting for or on behalf of the Trust are strictly prohibited from making, soliciting or receiving any bribes or unauthorised payments.
The success of the Trust’s anti-fraud and bribery measures depends on all employees, those acting for the organisation, and our patients, playing their part in helping to detect and eradicate these offences. Therefore, the Trust encourages anyone who suspects a fraud or bribery offence to report their concerns as soon as possible via the contacts detailed below. No individual will suffer any detrimental treatment when reporting reasonably held suspicions.
Local Counter Fraud Specialist: Sophie Coster
Mobile: 07436 268747
NHSCFA fraud and corruption reporting line
Tel: 0800 028 4060