Full privacy notice

Who we are?

Milton Keynes University Hospital NHS Foundation Trust (MKUH) is an acute hospital with approximately 400 inpatient beds that provides a broad range of general medical and surgical services. The Trust is responsible for providing top quality health care to Milton Keynes and surrounding areas. We need to use information about you to enable us to do this effectively, efficiently and safely.

To contact us about any of the points in this notice see the contact details at the end of this notice.

What is this page about?

This Privacy Notice tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.

It covers information we collect directly from you or receive from other individuals or organisations. The law strictly controls the sharing of some types of personal information and the Trust ensures full compliance with the Data Protection Act 2018 when processing its data. However, within the law, the information about you may be passed on to others for your continuing healthcare and treatment.

This notice is not exhaustive. However, we are happy to provide any additional information or an explanation if needed. Any requests for this should be sent to the following email address: DataProtectionOfficer@mkuh.nhs.uk, or by post to:

Dawn Budd

Data Protection Officer

Milton Keynes University Hospital NHS Foundation Trust

Standing Way

Eaglestone

Milton Keynes

MK6 5LD

Telephone: 01908 995041/995045 

Our Commitment to your Data Privacy and Confidentiality

Privacy and Confidentiality

We are committed to protecting your privacy and will only process personal confidential data lawfully and in accordance with the Data Protection Act 2018 incorporating the General Data Protection Regulations (GDPR), the Privacy and Electronic Communications Regulations (PECR), the Common Law Duty of Confidentiality and the Human Rights Act 1998.

MKUH is a Data Controller under the terms of the Data Protection Act. We are legally responsible for ensuring that all personal information that we hold and use is done so in compliance with the law.

All data controllers must ensure they are compliant with the Data Protection Act 2018. Further details can be found on the Information Commissioner’s website: www.ico.org.uk

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee, the NHS Constitution, the Health and Social Care Information Centre Guide to Confidentiality, and the NHS Confidentiality Code of Practice provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.  This is an important part of our processing as it ensures that the NHS keeps improving its standards and treatments.

We will not share information that identifies you unless we have a fair and lawful basis on which to do so:

  • For Primary health care purposes to ensure your safe care and treatment;
  • To protect children and vulnerable adults;
  • When a formal court order has been served on us;
  • When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
  • Emergency Planning reasons such as for protecting the health and safety of others;
  • When permission is given by the Secretary of State for Health or the Health Research Authority (HRA) on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals.

 

Personal Data we hold about you

Your information is held by the Trust so we can ensure we give you the correct care and treatment. 

There are many definitions relating to personal data; those below may be of use to you.

Personal Data means any information relating to an identified or identifiable natural person (data subject), who can be identified directly or indirectly, in particular by reference to:

  1. An identifier such as a name
  2. An identification number
  3. Location data
  4. An online identifier, e.g. an IP address or internet cookies
  5. One or more factors specific to the physical, physiological, genetic (e.g. DNA), mental, economic, cultural or social identity of that natural person

Special Categories of personal data is defined in the Data Protection Act as information about an identifiable individual’s:

  1. Racial and ethnic origin
  2. Political opinions
  3. Religious or philosophical beliefs
  4. Trade union membership
  5. Genetic data
  6. Biometric data for uniquely identifying an individual
  7. Data concerning health
  8. Data concerning an individual’s sex life or sexual orientation

Processing in relation to personal data, means any operation or set of operations which are undertaken on personal data, whether by automated means or not:-

  1. Collection, recording, organisation, structuring, storage
  2. Retrieval, consultation, use
  3. Adaptation or alteration
  4. Disclosure by transmission, dissemination or making available
  5. Alignment or combination
  6. Restriction, erasure or destruction

Personal Confidential Data is personal information about identified or identifiable individuals which is also confidential. ‘Personal’ includes the Data Protection Act definition of personal data, but it also includes deceased as well as the living. ‘Confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ (e.g. health records) and is adapted to include ‘special categories’ data as defined in the Data Protection Act.

Pseudonymised Information means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without the use of additional information, provided that information is kept separately.

Anonymised Information is data that has been changed into a form which does not identify individuals and where there is little or no risk of identification.

Aggregated information is anonymised data that is grouped together so that it does not identify any individuals.

Retention Schedules

The Trust ensures that information is not kept for any longer than is necessary, in line with the Data Protection Act 2018 – incorporating GDPR. The Trust abides by the NHS Retention Schedules, which can be found at Records Management for Health and Social Care 2016.

Purposes for using your information

Direct Care

Processing for Direct care purposes:

Unless you object, we will normally share information about you with other health and social care professionals directly involved in your care so that you may receive the best quality care. For example every time you attend the hospital as a patient, we will send your GP a summary of any diagnoses, test results or treatment given.

You may be receiving care from other people as well as the NHS, for example Social Care Services. We may need to share some information about you with them so we can all work together for your benefit. We will only do this when they have a genuine need for it or we have your permission. Examples of who we may share your information with, subject to strict agreement about how it will be used, are:

  • Social Care Services
  • Education Services
  • Local Authorities
  • Voluntary and private sector providers working with the NHS

We will not disclose your information to any other third parties without your permission unless there are exceptional circumstances, such as when either your or somebody else’s health and safety is at risk; or the law requires us to pass on information.   

Benefits

Through sharing information ethically and lawfully the NHS is able to improve its understanding of the most important health needs and the quality of the treatment and care provided.

Legal Basis

The processing is necessary for health and social care purposes:-

  1. Preventative and occupational medicine
  2. The assessment of the working capacity of an employee
  3. Medical diagnosis
  4. The provision of healthcare and treatment
  5. The provision of social care, or
  6. The management of healthcare systems or services or social care systems or services

Indirect Care (To review current practice)

Processing for Indirect Care purposes

We also use information we hold about you to:

  • Review the care we provide to ensure it is of the highest standard and quality
  • Ensure our services can meet patient needs in the future
  • Investigate patient queries, complaints and legal claims
  • Ensure the hospital receives payment for the care you receive
  • Prepare statistics on NHS performance
  • Audit NHS accounts and services
  • Undertake health research and development (with your consent – you may choose whether or not to be involved)
  • Help train and educate healthcare professionals

Nationally there are strict controls on how your information is used for these purposes. These control whether your information has to be de-identified first and with whom we may share identifiable information. You can find out more about these purposes, which are also known as secondary uses, on the NHS England and Health and Social Care Information Centre’s websites:

If you would like to “opt out”: the NHS Constitution states, “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered”. There may be occasions when it is not possible to exercise your right to “Opt Out”, such as when we have an obligation by law or for the purposes of safeguarding adults and children.

It is also important to note that by opting out there could be consequences, which will be discussed with you if you are considering using an opt-out.  If you wish to opt out please complete the following form <Link to Patient OPT OUT procedure> and return to: 

Email: dataprotectionofficer@mkuh.nhs.uk

Post: Milton Keynes University Hospital, Information Governance Department, Standing Way, Eaglestone, MK6 5LD

 

Safeguarding

Processing for Safeguarding

We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.  The identity could include name, address, date of birth and NHS number, but only if they are necessary for the safeguarding process.

Legal Basis

The processing is necessary for health and social care purposes:-

  1. Preventative and occupational medicine
  2. The assessment of the working capacity of an employee
  3. Medical diagnosis
  4. The provision of healthcare and treatment
  5. The provision of social care, or
  6. The management of healthcare systems or services or social care systems or services

Complaints

Why we collect and process information for complaints?

We will collect and process your information if it relates to a complaint where you or your representative has asked for our help or involvement.

Complaint Processing Activities

Upon receipt of a complaint from a person, the Trust opens a file on the Trust’s complaints database and keeps a minimal paper file containing the original letter of complaint or management plan in relation to the complaint. This will normally contain the identity of the patient, the complainant and any other individuals involved in the complaint. The identity could include name, address, date of birth, hospital number and NHS number, only if these details are necessary for the appropriate handling of the complaint in line with the Trust’s complaint process.

  • We will only use the personal information we collect to process the complaint and ensure an appropriate investigation is undertaken in line with the severity of the complaint.
  • We usually have to disclose the patient’s identity to whomever the complaint is about to ensure that a full investigation can be undertaken since reference may need to be made to the patient’s medical record.

If a patient/complainant does not want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint in line with Trust process on an anonymous basis.

We will keep personal information contained in complaint files in line with the NHS retention guidance. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

Legal Basis: You have given explicit consent to the processing.

Invoice Validation

The validation of invoices ensures that after we provide you with care and treatment we can be paid the correct amount.

NHS Shared Business Services process invoices on behalf of Milton Keynes University Hospital NHS FT.  SBS do not require and should not receive any patient confidential data to provide their services.  However before payment can be received by the Trust, the respective Clinical Commissioning Group (CCG) needs to validate the invoice – i.e. ensure that the treatment and amount is correct.  In order to do this, personal confidential data is submitted by the Trust to an approved and controlled secure environment within the CCG.  Only certain data can be submitted, and only when it is necessary for the validation process.  The identifier used for invoice validation is NHS number or the local provider ID if the NHS number is not known to the provider, e.g. hospital number.  The CCG uses this information to check that the relevant invoice is correct and ready to be paid by the CCG.

The CCG has a duty to detect, report and investigate any incidents where a breach of confidentiality has been made.

In addition, where the Trust is making payments to other NHS bodies in respect of care and treatment, NHS Shared Business Services process invoices on behalf of Milton Keynes University Hospital NHS FT. SBS do not require and should not receive any patient confidential data to provide their services. However, before payment can be made by the Trust, the Trust needs to validate the invoice – i.e. ensure that the treatment and amount is correct. In order to do this, personal confidential data is submitted to the Trust, to an approved and controlled secure environment within the Trust. Only certain data can be submitted, and only when it is necessary for the validation process. The identifier used for invoice validation is NHS number or the local provider ID if the NHS number is not known to the provider, e.g. hospital number. The Trust uses this information to check that the relevant invoice is correct and ready to be paid by the Trust.

The Trust has a duty to detect, report and investigate any incidents where a breach of confidentiality has been made.

For other organisations to provide support services for us

We will use the services of additional data processors, which will provide additional expertise to support the work of the Trust.

Where processing is to be carried out on behalf of the Trust, we will only use processors that provide us with sufficient guarantees that they understand their responsibilities under the Data Protection Act 2018 and will implement the appropriate technical and organisational measures that meet the requirements.

We will determine the purposes for which and the manner in which personal data is processed. This means that the Trust exercises overall control over the ‘why’ and the ‘how’ of a data processing activity.

Legal Basis

The processing is necessary for health and social care purposes:-

  1. Preventative and occupational medicine
  2. The assessment of the working capacity of an employee
  3. Medical diagnosis
  4. The provision of healthcare and treatment
  5. The provision of social care, or
  6. The management of healthcare systems or services or social care systems or services

 

Clinical Research

Research is an essential part of making healthcare better. It can lead to new treatment or provide evidence of the best available treatments for a clinical condition.

Without research there would be no new ways to treat you; it is just as important to your healthcare as your doctor and your hospital.

Benefits

Researchers can provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.  Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.

Process

Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies.

If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let your GP Practice know. They will add a code to your records that will stop your information from being used for research.

Legal Basis

The data subject has given explicit consent to the processing for one or more specific purposes.

Sometimes research can be undertaken using anonymized or aggregated information that does not identify you. The law does not require us to obtain your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.

For further information on Clinical Research please click: here

NHS Patient Survey Programme (NPSP) & National Registries

NHS Patient Survey Programme (NPSP)

The NHS uses your information for the NHS Patient Survey Programme. We do not ask for patients’ consent for this, as the NHS has obtained approval from the Health Research Authority (HRA) under Section 251 of the NHS Act 2006, which provides an alternative to gaining your consent under the common law duty of confidentiality. If you are using the services of Milton Keynes University NHS Foundation Trust then your contact information may be used for the purpose of the NPSP. This is a task carried out in the public interest and you may opt out of this by contacting us on the number below. Your data is used by the survey to produce anonymised reports, which help us to make service improvements.

National Registries

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006 to collect and hold service user identifiable information without the need to seek consent from each individual data subject.

Legal Basis

Processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller.

Fundraising

Milton Keynes Hospital Charity (MKHC) is committed to ensuring that your privacy is protected.

This notice sets out how and why MKHC collects and uses your personal information, and how we protect it. If we ask you to provide certain information by which you can be identified, it will only be used in accordance with this privacy statement and with the Data Protection Act 2018. MKHC may change this notice from time to time by updating this page. You should check this page occasionally to ensure that you are happy with the changes. This statement is effective from January 2018. For more information, please visit the Information Commissioner’s Office, with whom we are registered.

What we collect

We may collect the following information:

  • Full name and title
  • Gender
  • Contact information including address and post code. This can also include place of work.
  • Phone numbers and email addresses
  • Bank account details (if donating by debit or credit card/setting up a direct debit for regular donations)
  • Date of birth
  • We may collect information relating to your health (for example if you are taking part in an event or volunteering for us)
  • Emergency next of kin details (if you are volunteering for us)

If you sponsor a person using an online giving platform such as Just Giving or Virgin Money Giving and you indicate that you would like to hear from us, then they may pass on your contact details to us so that we can tell you more about our Charity. You should check the Privacy Statements of sites such as Just Giving, before you give them your information.

What we do with the information we collect

We require this information for the following reasons:

  • Internal record keeping.
  • To thank you for your donations, volunteering, or other support
  • To respond to you if you have made an enquiry
  • We may use the information to keep you up to date with what is happening at Milton Keynes Hospital Charity via newsletters, but we will always let you know how you can opt out of receiving this
  • We may periodically send letters or emails about fundraising events which we think may interest you using the contact details you have provided.
  • We may share your name and details of your donation with Milton Keynes University Hospital NHS Foundation Trust in order to ensure your donations are used according to your wishes. This will be limited to senior members of staff only. You can let us know if you would prefer for your details to remain anonymous and we will always respect your wishes.
  • We may use this information to improve our products and services.

Security

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that external website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Controlling your personal information

You have a right to restrict our collection or use of your personal information. When you are asked to fill in a form on our website, there will always be a box that you can tick if you do not want the information to be used for marketing purposes. You can also control the means by which we contact you, e.g. telephone, post, email. You can change your contact preferences at any time.

If you have previously given us your permission to contact you and have now changed your mind, you can let us know by emailing fundraising@mkuh.nhs.uk or calling 01908 997316, or writing to Milton Keynes Hospital Charity, Standing Way, Eaglestone, Milton Keynes MK6 5LD. 

If you request that we do not contact you again for marketing purposes, we will respect your wishes. It may take up to 28 days for us to update our records and for you to stop receiving communications from us. After this time, we may still send you administrative communications, for example in relation to payments you have made or events you have signed up to take part in.

  • We do not have any access to your medical records.
  • We will not sell or lease your personal information to third parties.
  • We will not share your information with a third party for their own purposes unless required by law to do so.

You may request details of personal information which we hold about you under the Data Protection Act 2018. If you would like a copy of the information held on you please request this in writing to the address above. If you believe that any of the information we are holding on you is incorrect or incomplete, please contact us as soon as possible, so that we can correct the information.

We appreciate your support and aim to ensure that your privacy is treated with respect at all times, in compliance with the Data Protection Act 2018.

Legal Basis

Your explicit consent will be obtained by the organisation to process your data.  

Patient experience and Engagement

We will process your personal information if it relates to you being a member of the Patient Experience & Engagement Group. This could include being invited to events, being kept up to date on related activity and to take part in experience and engagement tasks. We will only undertake this if you have indicated interest in being invited to the group.

Group membership information processing activities

If you have asked us to invite you to be a member of the Patient Experience & Engagement Group we will record your personal details. This will be stored electronically in a database. Only members of the Patient Experience Team will have access to this information as it will be stored on a ‘shared network drive’.

If you are actively involved in our Patient Experience & Engagement Group and its related activities, we will collect and process personal confidential data which you share with us. This means we will ask you your name, address, contact email and phone number and store them in our electronic database.

Where you submit your details to us for the appropriate involvement activities, we will only use your information for this purpose. The activities could include being invited to and attending events where we will ask for feedback, taking part in patient experience visits such as the ‘15 Steps Challenge’, or it may mean taking part in surveys or commenting on leaflets and documents which will be sent to you by email or by post.

We may contact members from a specific demographic for a focused service improvement. For example, we may wish to identify women who have used or may use the hospital maternity services, and therefore we would need to identify women of childbearing age and only contact this specific age range group. In this instance the data collected and stored would include your gender and broad age range group.

You can opt out at any time by contacting us on patientexperience@mkuh.nhs.uk

Volunteers 

Applying and joining the Trust as a Volunteer for Milton Keynes University Hospital NHS Foundation Trust

We follow the NHS Employers Guidelines for recruitment of our volunteers.

We collect and store the following:

  • Initial Enquiry Information, which includes: full name, email address, telephone numbers, enquiry source and volunteer role preferences.
  • Recruitment documents as per NHS Employers Recruitment Guidelines, photographic consent form, banking details for payments of expenses, next of kin details (in case of an emergency), volunteers’ photographs, volunteering role and training records. This information is stored in hard copy, electronically, or both.
  • All recruitment information is stored in lockable offices which are only accessible by the Voluntary Services Department.

This information is used for:

  • Communication with volunteers, which is by telephone, email and letter. We use personal details to share information with our volunteers regarding their role, Trust news, invitations to events and training, and to thank volunteers for their support.
  • Managing our volunteer vacancies and helping to identify improvements to our services.

We may share your information with:

  • Other departments within the Trust, should it be required to enable you to carry out your volunteering role.
  • Other Third Party Volunteer Organisations that are on site, should you express an interest in joining them as a Volunteer.

Record Retentions:

All recruitment information is destroyed and deleted after 7 years. A record of destroyed information is kept indefinitely.

Membership

Milton Keynes University NHS Foundation Trust Membership

 

Keeping in touch!

We very much value your involvement

The General Data Protection Regulation, a European regulation that introduces new data protection requirements throughout the EU, is to become law from 25th May 2018 and will replace the current Data Protection Act 1998.

From that date on we will need your consent to be able to hold your personal information.

Personal data is information that can be used to identify you, and other details about you. This may include your name, date of birth, address, email address, telephone number etc., which is collected for the purposes of your membership of Milton Keynes University Hospital NHS Foundation Trust.

We may ask you for optional sensitive personal data such as your gender, ethnicity or disability so we can make sure that we are reaching people who represent the whole Milton Keynes community. Such information may help us when we are looking at service redesign and improvements. Milton Keynes University Hospital NHS Foundation Trust will hold your data only for the purpose of sending you information such as the members’ newsletter and letting you know more about our services, our plans for the future and ways you can get involved. You have no obligations as a member, but there are lots of ways to be involved.

We won’t share your data with anyone else. We have a secure electronic database in which we store information about you. The database can only be accessed by Milton Keynes staff. After recording your information in our database, we will keep any paper copies for 12 months, and you can opt out at any time by replying unsubscribe to any post or email communication or by telephoning the office on 01908 996235.

Overseas Transfers

Your information will not be sent outside of the United Kingdom unless there is a clinical need to do so and the data is anonymised where possible.  We will ensure that your privacy will be protected in the same way as it would be in the UK. We will never sell any information about you.

The processing of staff information 

During the course of its employment activities, Milton Keynes University Hospital collects, stores and processes personal information about prospective, current and former staff.

The scope of this staff privacy notice includes applicants, employees (and former employees), workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience, clinical placements, observerships and honorary contract holders.

We recognise the need to treat staff personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.

What types of staff personal data do we handle?

In order to carry out our activities and obligations as an employer we handle data in relation to:

  • Personal demographics (including age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, sex, sexual orientation, religion or belief)
  • Contact details such as names, addresses, telephone numbers and Emergency contact(s)
  • Employment records (including professional membership, references and proof of eligibility to work in the UK and security checks)
  • Bank details
  • Pension details
  • Medical information including physical health or mental condition (occupational health information)
  • Information relating to health and safety
  • Trade union membership
  • Offences, criminal proceedings, outcomes and sentences
  • Employee relations files (grievance, disciplinary, performance, sickness absence/ill-health cases)
  • Employment Tribunal applications, complaints, accidents, and incident details

Our staff are trained to handle your information correctly and protect your confidentiality and privacy. 

We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing.  Your information is never collected or sold for direct marketing purposes.

Your information will not be processed overseas unless we inform you otherwise.

 What is the purpose of processing staff data?

  • Staff administration, management (including payroll and performance) and engagement
  • Payroll and pensions administration
  • Business management and planning
  • Accounting and Auditing, including to HMRC
  • Accounts and records
  • Crime prevention and prosecution of offenders
  • Education, learning and development
  • Health administration and services
  • Information and local and national databases and data warehouse administration
  • Sharing and matching of personal information for national fraud initiative

We have a legal basis to process this as part of your contract of employment (either permanent or temporary) or as part of our recruitment processes (see scope above) following data protection and employment legislation. 

Sharing your information

There are a number of reasons why we share information. This can be due to:

  • Our obligations to comply with legislation
  • Our duty to comply with any Court Orders which may be imposed

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.

Use of Third Party Companies

To enable effective staff administration, Milton Keynes University Hospital NHS Foundation Trust may share your information with external companies to process your data on our behalf in order to comply with our obligations as an employer.

Employee Records; Contracts Administration (NHS Business Services Authority)

The information which you provide during the course of your employment (including the recruitment process) will be shared with the NHS Business Services Authority for maintaining your employment records, held on the national NHS Electronic Staff Record (ESR) system.

Prevention and Detection of Crime and Fraud

We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.

Government agencies

In order to comply with statutory requirements, we may be required to supply information about you and/or your employment/relationship with the trust to central government agencies, departments or agents acting on their behalf (e.g. HMRC, DH, Home Office, DWP).

 Payroll and pensions administration

 Information will be shared with University Hospitals Birmingham NHS Foundation Trust (UHB) in pursuit of administering your pay and any associated pensions, under or overpayments.

NHS Streamlining

Details may be transferred from this Trust to other NHS Trusts to support the safe, efficient and effective transfer of staff information when a member of the workforce transfers from one NHS Organisation to another NHS Organisation. The personal data that is shared includes: name, address, date of birth, national insurance number, completed training & registration details.

We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation.

Retention periods 

The Trust is required to retain your employment record in order to carry out activities and obligations as an employer and therefore cannot delete the record until it reaches the required DH retention period.

We will retain your information in line with the Department of Health Retention Schedule. At the time of writing, this is known as the ‘Records Management Code of Practice for Health and Social Care 2016’.

Your Rights

Right to Privacy

You have a right to privacy and to expect the NHS to keep your information confidential and secure.  Under the Data Protection Act 2018 it becomes a legal right to ensure that your data is processed on a fair and lawful basis and in a transparent manner.

Right to be informed

The information we supply about the processing of personal data must be:

  • Concise
  • Transparent
  • Intelligible and easily accessible
  • Written in clear and plain language, particularly if addressed to a child
  • Free of charge.

 

Right of access

Subject Access Requests

You can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 2018. If we do hold information about you we will:

  • Give you a description of it
  • Tell you why we are holding it
  • Tell you who it could be disclosed to; and
  • Let you have a copy of the information in an intelligible format

Fees

We will not charge a fee for providing your information. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
We may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative cost of providing the information.

The trust will endeavour to deal with your request within a 21-day time limit (NHS best practice). However, by law we have 30 days to respond; if this is likely to take longer, the applicant will be warned and an explanation of the delay provided.

For further information please contact the Information Governance Team: Tel: 01908 995045 Email: askig@mkuh.nhs.uk

Right to rectification (Correction)

When should personal data be rectified?

You are entitled to have personal data rectified if it is inaccurate or incomplete.

If we have disclosed the personal data in question to others, we must contact each recipient and inform them of the rectification - unless this proves impossible or involves disproportionate effort. If asked to, we must also inform you about these recipients. 

How long do we have to comply with a request for rectification?

We must respond within one month.

This can be extended by two months where the request for rectification is complex.

If we decide not to take action in response to a request for rectification, we will explain to you the reasons why and explain your right to complain to the supervisory authority.

Right to erasure (to be forgotten)*

The right to erasure does not provide an absolute ‘right to be forgotten’. You have a right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • When you withdraw consent.
  • When you object to the processing and there is no overriding legitimate interest for continuing the processing.
  • The personal data was unlawfully processed (i.e. otherwise in breach of the DPA2018 & GDPR).
  • The personal data has to be erased in order to comply with a legal obligation.
  • The personal data is processed in relation to the offer of information society services to a child.

 This right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.

We can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
  • for public health purposes in the public interest;
  • archiving purposes in the public interest, scientific research, historical research or statistical purposes; or the exercise or defence of legal claims.

 *Please note that the right to be forgotten does not apply to special category data, i.e. your medical record.

Right to restrict processing

When does the right to restrict processing apply?

We will be required to restrict the processing of personal data in the following circumstances:

Where you contest the accuracy of the personal data, we should restrict the processing until verifying the accuracy of the personal data.

Where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether we have legitimate grounds to override your rights.

When processing is unlawful and you oppose erasure and request restriction instead.

If we no longer need the personal data but you require the data to establish, exercise or defend a legal claim.

We will continue to review procedures to ensure we are able to determine where we may be required to restrict the processing of personal data.

 

Right to data portability

The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.

It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

When does the right to data portability apply?

The right to data portability only applies:

  • to personal data you have provided to the Trust
  • where the processing is based on your consent or for the performance of a contract; and
  • when processing is carried out by automated means.

 

Right to object

You have the right to object to the following:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

You must have an objection on “grounds relating to your particular situation”.

We will stop processing the personal data unless:

We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or the processing is for the establishment, exercise or defence of legal claims.

Your right to object to the processing of personal data for direct marketing purposes

We will stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no exemptions or grounds to refuse.

Your right to object to processing personal data for research purposes

You must have “grounds relating to your particular situation” in order to exercise your right to object to processing for research purposes.

If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.

Rights to know if we carry out automated decision making and profiling

We do not carry out profiling and/or automated decision-making and document this in our data protection policy.

 

Your Access

Accessing your health records

Providing copies of Patient Health Records

To make a request for any personal health information we may hold, you will need to complete the following form:

Access to health records form

Return the completed form to us via email or post attaching your proof of identity documentation. 

Email: accesstohealthrecords@mkuh.nhs.uk

Post: Milton Keynes University Hospital, Information Governance Department, Standing Way, Eaglestone, MK6 5LD

Fees

We will not charge a fee for providing your patient health record. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

We may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative cost of providing the information.

Viewing records

Free of charge

An appointment MUST be arranged with the Information Governance Department prior to viewing records electronically.  Please contact us on: 01908 995042

The trust will endeavour to deal with your request within a 21-day time limit (NHS best practice).  However, by law we have 30 days to respond; if this is likely to take longer, the applicant will be warned and an explanation of the delay provided.

Accessing your child’s health record

Providing copies of your child’s Patient Health Records

To make a request for your child’s personal health information we may hold, you will need to complete the following form:

Access to child's health records form

Return the completed form to us via email or post attaching your and the child’s proof of identity and documentation.

Email: accesstohealthrecords@mkuh.nhs.uk

Post: Milton Keynes University Hospital, Information Governance Department, Standing Way, Eaglestone, MK6 5LD

Please note that if the child is 13 years of age or over we may ask to see proof of their consent.

Fees

We will not charge a fee for providing your child’s patient health record. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

We may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative cost of providing the information.

Viewing records

An appointment MUST be arranged with the Information Governance Department prior to viewing records electronically.  Please contact us on: 01908 995042

The trust will endeavour to deal with your request within a 21-day time limit (NHS best practice).  However, by law we have 30 days to respond; if this is likely to take longer, the applicant will be warned and an explanation of the delay provided.

Accessing a health record on behalf of a patient

Providing copies of Patient Health Records to a nominee

To make a request for any personal health information we may hold, you will need to complete the following form:

Access to health records on behalf of patient

Return the completed form to us via email or post attaching your and the patient’s proof of identity documentation.

Email: accesstohealthrecords@mkuh.nhs.uk

Post: Milton Keynes University Hospital, Information Governance Department, Standing Way, Eaglestone, MK6 5LD

Fees

We will not charge a fee for providing the patient health record. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

We may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative cost of providing the information.

Viewing records

Free of charge

An appointment MUST be arranged with the Information Governance Department prior to viewing records electronically.  Please contact us on: 01908 995042

The trust will endeavour to deal with your request within a 21-day time limit (NHS best practice).  However, by law we have 30 days to respond; if this is likely to take longer, the applicant will be warned and an explanation of the delay provided.

Accessing a deceased patient record

The Access to Health Records Act 1990 gives a deceased patient's personal representative, and anyone who may have a claim arising out of the patient's death, a right of access to the patient’s clinical records. This is not a general right and access may be limited to information of relevance to the possible claim.

Access can be limited or refused if:

  • There is evidence the patient would not have expected the information would be disclosed to the applicant.
  • If the disclosure is likely to cause serious harm to anyone else.
  • If it would also disclose information about a third party who does not consent.
  • The records contain a note, made at the patient’s request that they did not wish access to be given on an application under this legislation.

Providing copies of Deceased Patient Health Records

To make a request for any deceased patient’s health information we may hold, you will need to complete the following form:

Deceased patient record form

Return the completed form to us via email or post attaching your proof of identity documentation. 

Email: accesstohealthrecords@mkuh.nhs.uk

Post: Milton Keynes University Hospital, Information Governance Department, Standing Way, Eaglestone, MK6 5LD

Fees

We will not charge a fee for providing your patient health record. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

We may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative cost of providing the information.

Viewing records

Free of charge

An appointment MUST be arranged with the Information Governance Department prior to viewing records electronically.  Please contact us on: 01908 995042

The trust will endeavour to deal with your request within a 21-day time limit (NHS best practice).  However, by law we have 30 days to respond; if this is likely to take longer, the applicant will be warned and an explanation of the delay provided.

Health Insurance Claim Forms

We officially stamp your health insurance claim forms. 
The Information Governance team are happy to stamp your claim forms between the hours of 07:30 - 16:30.

We do NOT charge for this service.

If your insurance company requires a medical statement to be completed by a medical practitioner/consultant, there is a nominal fee of £30 payable.

Contact us:

Data Protection Officer

Tel: 01908 995041

Email: dataprotectionofficer@mkuh.nhs.uk

 

Information Governance Team:

Tel: 01908 995045

Email: askig@mkuh.nhs.uk

 

Access to Health Co-ordinator

Tel: 01908 995042

Email: accesstohealthrecords@mkuh.nhs.uk

 


 Further Information

Further information about the way in which the NHS uses personal confidential data and your rights in that respect can be found at the links below:

The NHS Care Record Guarantee:

This guarantee is a commitment that NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

 

The NHS Constitution:

The Constitution establishes the principles and values of the NHS in England. It sets out rights to which patients, public and staff are entitled, and pledges which the NHS is committed to achieve, together with responsibilities, which the public, patients and staff owe to one another to ensure that the NHS operates fairly and effectively.

 

To share or not to share? Information Governance Review:

This was an independent review of information about service users shared across the health and care system led by Dame Fiona Caldicott and was published in 2013.

 

Review of data security, consent and opt-outs:

A further review by Dame Fiona Caldicott published in 2016.

 

NHS Digital:

NHS Digital are the trusted national provider of high-quality information, data and IT systems for health and social care and are responsible for collecting data from across the health and social care system.

 

Information Commissioner’s Office (ICO):

The ICO is the Regulator for the Data Protection Act 2018 and offers independent advice and guidance on the law and personal data, including your rights and how to access your personal information.

 

Health Research Authority

The HRA protects and promotes the interests of patients and the public in health and social care research.

www.hra.nhs.uk