Medway Foundation Trust Privacy statement 2018
- What information we keep about you and how we use it
- The purposes for which we use your personal data
- Sharing your information
- Sharing information with other organisations
- Sending information abroad
- How we keep your information safe and secure
- Use of CCTV and lone-worker protection solutions
- How long do we keep your information for
- Visitors to our website
- Calling us via our switchboard
- People who email us
- People who make a complaint to us
- Job applicants
- Access to personal information
- Links to other websites
- Changes to this privacy notice
- How to contact us
When you are a patient of the Trust we collect and keep your health and personal information confidential. This may include:
- basic details about you e.g. your address, date of birth, next of kin and how you want us to contact you;
- your attendance at the Trust e.g. visits to clinics and appointments
- the record of the care and treatment you received at the Trust;
- results of investigations including X-rays or laboratory tests;
- any communication from you in writing will be kept .
We use your information to provide you with the best of care.
We may use your personal data to:
- Provide you with health or social care
- Help other organisations provide you with health or social care
- If you agree, to help other organisations provide you with other public services
- Communicate with you and, if appropriate your next of kin, about your care
- Carry out internal audits and monitor the care we provide to ensure it is of the highest standard
- Monitor equality and diversity
- We may use anonymised data to help train and educate our staff. Should we use identifiable personal data we would always obtain your consent.
- Respond to complaints
- Respond to queries from regulators like NHS Digital, the Care Quality Commission, the General Medical Council, the Audit Commission, the Nursing & Midwifery Council and the Health Service Ombudsman
- Conduct legal claims or seek legal advice
- Provide information to national registries that systematically collect data about particular conditions to help research.
As part of providing you with care we may need to share your information.
This includes sharing information with:
- Your GP, and out of hours providers
- NHS hospitals including but not limited to Maidstone and Tunbridge Wells, Kings College Hospital and Guys & St Thomas’s
- NHS Organisations that deliver Community services including but not limited to Medway Community Healthcare and Kent and Medway NHS and Social Care Partnership Trust, our mental health provider
- Private sector organisations that deliver NHS care such as private hospitals, dentists, opticians, pharmacists and other providers such as Virgin care services who provide community care in Swale and Sheppey community hospitals
- Voluntary sector organisations that deliver NHS care e.g. charities such as Wisdom Hospice and Demelza
- Local authorities when social workers are part of the Care Team, or education services, children’s services, housing or benefit offices
- Organisations that provide diagnostic tests
- Organisations that provide ambulance services e.g. NHS Ambulance Trusts
In the main, we will not share your personal data without consent unless we have a duty to ensure your personal health and well-being.
There are some circumstances where we may share information, for example:
- Where there is a risk of serious harm to you or other people
- Where a serious crime, e.g.an assault is being investigated or if in certain circumstances it could be prevented
- To control serious infectious diseases e.g. meningitis, tuberculosis (TB), measles
- Notification of a birth or death
- Where the courts have made a formal court order
- Where there is a legal requirement e.g. a road traffic offence has been committed
- with local authorities and particularly Medway Council under the Child Protection-Information Sharing (CPIS) scheme to protect the safety and well-being of vulnerable and looked-after children;
- under section 251 of the NHS Act 2006 to support essential medical research where it is not possible to use anonymised information and where obtaining consent is not practical. We may only share information under section 251 with bodies that are approved to receive such information. For more details please visit the Health Research Authority website;
- to produce anonymised statistics
The Trust sends very little information overseas. Where we do, we check to ensure that the companies that we use have excellent information security standards and practice. We will tell you if your personal data is to be stored overseas.
The Trust has recently endorsed the use of forward App as a means of facilitating clinicians’ discussion about patient care. All information stored on this App is stored on a secure server in the USA. The Trust had avoided transmitting data to the USA since the dissolution of the Safe Harbour agreement in 2015. However the new 2016 EU-US Privacy Shield arrangements now covers this data flow.
The Trust takes the protection of your personal information seriously.
All our staff are trained annually using the NHS Digital training platform. This includes information on the steps needed to keep patient information safe and secure. Staff are only able to access patient information on a ‘need to know’ basis.
The Trust ensures that patient information is stored and accessed securely, this means that our staff use passwords and other security measures to ensure that the ‘need to know’ philosophy is maintained.
We use technical security measures (such as data encryption) in combination with strong passwords and physical measures (such as Smartcards - these are special cards similar to an “Oystercard” that are held by staff and identify who the member of staff is and what systems they can access) to prevent unauthorised access to patient information. Passwords are changed regularly and this is enforced by the systems.
In addition, the Trust employs other tools to guard our network and the devices on the network. Anti-Malware software is used by the Trust and the Network is monitored and managed to ensure that only devices belonging to the Trust can access the network and information. The Trust also has the benefit of two data centres such that patient information is fully protected in the event of failure of a single data centre.
The Trust has CCTV deployed around the site in order to manage and investigate the following circumstances:
- alleged security incidents, theft, assault or baby abduction on Trust premises
- staff, visitor and patient safety
- investigation of traffic incidents or congestion on the Trust site
- supporting the management of a fire or major incident alert
- the security of Trust premises
- investigation of persons acting suspiciously on Trust premises
CCTV images are retained for 28 days only.
Images are only viewed by Trust personnel, but images may be shared with the police where necessary to aid the investigation or prosecution of criminal activities within Trust grounds and premises.
Traffic enforcement officers and security personnel wear body-worn cameras that record both sound and images. Before cameras are activated, staff will formally advise the Trust that they are going to do so. Images and sound will be used in the prevention and de-escalation of security incidents; patient, visitor and staff safety; traffic and parking enforcement; and the investigation of persons acting suspiciously on the Trust’s premises.
Images and sound recording from body-worn cameras are retained for 28 days only.
Lone-worker protection solutions
The Trust values the safety and security of its staff, especially where staff may visit patients by themselves at a patient’s home. For their safety and security the Trust uses Reliance Protect lone worker solution which when triggered, will relay live conversation and the GPS location of our staff to the Reliance Customer Support Team in order to ensure their safety as quickly as possible.
The time we keep information for can vary depending on treatment and the type of record. The general rule is we keep adult patient records for 8 years after a patient is discharged, but this time can be extended for up to 30 years e.g. for a cancer diagnosis, in which case we will keep the record for 30 years from the date of diagnosis in accordance with national standards.
The Trust follows the guidelines issued by the Information Governance Alliance Records Management Code of Practice 2016 on how long to keep records for. The Trust also has bespoke Record Management procedures for Corporate and Clinical Information which are available upon request.
When someone visits www.medway.nhs.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to various parts of our site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identity of those visiting our website. If we do want to collect personal data through our website, we will notify you about this before we do. We will make it clear when we collect personal information and will explain what we intend to do with it.
Any email sent to us including any attachments may be monitored and used by us for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us complies with all relevant laws.
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check the level of service we provided. We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for ten years from closure. It will be retained in a secure environment and access to it will be restricted on a ‘need to know’ principle.
If you apply to work at the Trust, we will only use the information you supply to us to process your application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Disclosure and Barring Scheme (DBS) we will not do so without informing you beforehand, unless the disclosure is required by law.
Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed, it will then be destroyed and deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
Once you join the Trust as an employee, we will compile a file relating to your employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to your employment. If you subsequently leave , we will retain the file in accordance with the requirements of our retention schedule and then delete it.
We try to be as open as possible in terms of giving people access to their personal information. You can find out what information we may hold about you by making a ‘subject access request’ under the General Data Protection Regulation. If we do hold information about you we will:
- give you a description of it
- tell you why we are holding it
- tell you who it could be disclosed to
- let you have a copy of the information in an intelligible form.
To make a request to the Trust for any personal information we may hold you need to put the request in writing to our Legal Services -SARs Team (by email to firstname.lastname@example.org), or write to the address provided.
If you disagree with the content of the disclosure, you may ask the Trust’s Data Protection Officer (DPO)to review the actions we’ve taken. The DPO can be contacted via email on email@example.com
If, after an internal review you are still dissatisfied, you may escalate your concerns to the Information Commissioner’s Officer. The Information Commissioner’s Officer is the regulatory body with responsibility for the General Data Protection Regulation and can be contacted:
Our privacy notice does not cover websites of other organisations, including those with links from the Trust website. We encourage you to read the privacy statements on the other websites you visit.
We keep our privacy notice under regular review. This privacy notice was last updated on 25 May 2018. For our full privacy notices for patients, carers, children and members please click on the links on the side of the screen.
To contact the Trust’s Data Protection Officer (DPO) please either email: firstname.lastname@example.org
Data protection Officer
C/O The Information Governance Team
Medway NHS Foundation Trust
Telephone: 07788 916897