Privacy notice for patients receiving direct care

This privacy notice tells you what to expect us to do with your personal information when you contact us or use our services.

Name - West Hertfordshire Teaching Hospitals NHS Trust

Address - Trust Offices, Watford General Hospital, Vicarage Road, Watford, Hertfordshire, WD18 0HB

General inquiries email address - westherts.infogov@nhs.net

Website - https://www.westhertshospitals.nhs.uk/

ICO registration number - Z5205111

Our hospitals

Watford General Hospital, Vicarage Road, Watford, Herts, WD18 0HB
Tel: 01923 244366

Hemel Hempstead Hospital, Hillfield Road, Hemel Hempstead, Herts, HP2 4AD
Tel: 01442 213141

St Albans City Hospital, Waverley Road, St Albans, Herts, AL3 5PN
Tel: 01727 866122

Data Controller

We are the Data Controller for your information. The Data Controller decides why and how to use and share information.

Data Protection Officer's contact details

Our Data Protection Officer is Nicola Bateman. She monitors our compliance with data protection laws. You can contact Nicola at westherts.infogov@nhs.net

We collect personal data from various sources for direct health care purposes. Here’s how we gather this information and the reasons for having it.

  • Information you provide: When you seek care, the details you share with us are used to directly support your treatment, manage the services we provide, conduct clinical audits, address complaints, and act as evidence during investigations related to your care.
  • Complaints: If you file a complaint, we collect and use your personal information as part of the investigation process.

We may also receive your personal information from other sources in the following situations:

  • From other health and care organisations: Information is shared with us from other organisations involved in your care to make sure we can provide you with the necessary services.
  • From family members or carers: Your relatives or caregivers may share information with us to help support your care.

Your information is essential for providing you with direct health care services. In addition to direct care, your information is used for several other important purposes, including:

  • Payment for services: Making sure the hospital is reimbursed for the care and services you receive.
  • Complaints and legal investigations: Reviewing and investigating complaints, legal claims, or untoward incidents.
  • Service Planning: Helping us plan and adjust our services to meet future patient needs.
  • Standards of care: Reviewing the quality of care during and after your treatment against best practice guidelines.
  • Training healthcare professionals: Supporting the education and training of healthcare staff.
  • Legal reporting: Reporting certain incidents to the appropriate authorities when required by law.
  • Risk assessment: Assessing your condition against risk criteria to ensure you receive the best possible care.
  • Performance monitoring: Preparing statistics for the Department of Health and other regulatory bodies to assess our performance.
  • Public health: Using statistical data to safeguard public health and plan services that meet population needs.
  • Health research and development: Your information may be used for medical research and the development of new treatments, either with your explicit consent or, where necessary, under Article 9(2)(j) of the UK GDPR. This allows the processing of health data for scientific research purposes when it is in the public interest.
  • Fundraising and charity awareness: We may use your contact details to inform you about fundraising initiatives and to raise awareness of our charity, West Herts Hospitals Charities. The lawful basis for this is Legitimate Interests under Article 6(1)(f) of the UK GDPR, as it supports the Trust's charitable purposes, benefitting patient care. You have the right to object to such use at any time.

There are strict national controls in place governing how your information is used for these purposes. These regulations determine whether your data must be anonymised and with whom identifiable information may be shared.

To provide you with care and to meet our operational needs, we collect the following types of personal information:

Personal data

  • Basic details like your name, address, date of birth, next of kin, GP details, and NHS number.

Special category data (sensitive information)

Under the UK GDPR, certain data types receive extra protection due to their sensitive nature. We handle the following special categories of data with additional care:

  • Information about your physical or mental health, including appointment details and diagnoses.
  • Your religious or philosophical beliefs.
  • Data revealing your racial or ethnic origin.
  • Information concerning your sex life or sexual orientation.
  • Records of your contacts with us, such as clinic visits.
  • Notes and reports detailing your health status, treatment, and care needs.
  • Results from investigations like X-rays and lab tests.
  • Relevant information provided by other healthcare professionals, relatives, or carers who know you well.

We may share your information with a range of partner organisations to ensure you receive the best possible care. The main organisations we share information with include:

  • Health Authorities
  • NHS Trusts
  • General Practitioners (GPs) and Dentists
  • Ambulance Services
  • Voluntary Services
  • Social Services
  • Health Research and Development Organisations – with your explicit consent, and you have the option to decide whether to participate.
  • Third-Party Data Processors – such as IT system providers who manage secure systems on our behalf.
  • Planners of Health and Care Services – including Integrated Care Boards (ICBs) involved in coordinating healthcare services.
  • Hospital and Community Navigation Service (HertsHelp) – If you are 65 years or older and discharged as an inpatient, you will be automatically referred to this service for health and social care support.
  • Non-NHS Health Providers – such as private healthcare organisations providing you with direct care, acting as ‘data processors,’ with whom we have an established Information Sharing Agreement (ISA).

In certain circumstances, we are required by law to share information with the appropriate authorities without your permission. These instances include:

  • Public interest: When there is a risk of death or serious harm to you or others.
  • Public health management: When required to manage public health issues, based on legal grounds.
  • Legal obligations: To protect children or vulnerable adults.
  • Infectious diseases: If you have a condition, such as meningitis or measles, which could endanger others (excluding HIV/AIDS).
  • Birth notifications: We are required to notify authorities of new births.
  • Court orders: If a court legally mandates us to share your information.
  • Police investigations: When there is a legitimate request from the police regarding a serious crime.

West Hertfordshire Teaching Hospitals NHS Trust also participates in My Care Record. This connects health and care information to improve patient care. It means that health and care professionals from other services can see information from the records we hold about you when it's needed for your care.

For more information, please visit My Care Record.

Personal information

Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for using personal information are:

  • Article 6(1)(a) We have your consent - this must be freely given, specific, informed, and unambiguous.
  • Article 6(1)(c) We have a legal obligation - the law requires us to do this, for example where NHS England or the courts use their powers to require the data. See this list for the most likely laws that apply when using and sharing information in health and care.
  • Article 6(1)(e) We need it to perform a public task - a public body, such as an NHS organisation or Care Quality Commission (CQC) registered social care organisation, is required to undertake particular activities by law. See this list for the most likely laws that apply when using and sharing information in health and care.
  • Article 6(1)(d) We need to protect vital interests - in rare circumstances, we may process your personal data if it is necessary to protect your life or someone else's. This typically applies in emergency situations when you are unable to provide consent.
  • Article 6(1)(f) We have a legitimate interest - for example, we may use your contact details to inform you about fundraising initiatives and to raise awareness of our charity, West Herts Hospitals Charities. You have the right to object to such use at any time.

More sensitive data

Under UK GDPR, the lawful bases we rely on for using information that is more sensitive (special category) are:

  • Article 9(2)(a) In certain situations, we may ask for your explicit consent to process your personal data, especially for research or non-essential purposes. You have the right to withdraw your consent at any time, and this will not affect the care you receive.
  • Article 9(2)(f) We need to process your information for a legal claim, or the courts require it.
  • Article 9(2)(g) There is a substantial public interest (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.
  • Article 9(2)(h) To provide and manage health or social care (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.
  • Article 9(2)(i) To manage public health (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.
  • Article 9(2)(j) For archiving, research, and statistics (with a basis in law). See this list for the most likely laws that apply when using and sharing information in health and care.

Common law duty of confidentiality

In our use of health and care information, we comply with the common law duty of confidentiality in the following ways:

  • Consent: You have either provided explicit consent for specific purposes, or we have taken your consent as implied to provide you with direct care.
  • Secretary of State for Health and Care approval: We have support from the Secretary of State for Health and Care through an application to the Confidentiality Advisory Group (CAG), which has determined that obtaining individual consent is not possible or practical.
  • Legal requirement: We are legally obligated to collect, share, and use certain data.
  • Public interest: In specific cases, we may determine that the public interest in sharing your data outweighs the public interest in maintaining confidentiality. This might include situations such as sharing information with the police to aid in the detection or prevention of serious crime. Each case is carefully assessed to ensure that sharing the information is appropriate and balanced against the need to protect confidentiality in health care.

We always take a measured approach to ensure your information is handled appropriately and in line with the common law duty of confidentiality.

Everyone working for the NHS has a legal duty to keep information about you confidential. If you are receiving care from other people as well as the NHS (like Social Services), we may need to share some information about you so we can all work together for your benefit.

We will only ever use or pass on information about you if others involved in your care have a genuine need.

We will not disclose your information to third parties without your permission, unless there are exceptional circumstances, such as when the health or safety of others is at risk, or where the law requires information to be passed on. Anyone who receives information from us is also under a legal duty to keep it confidential.

We retain your health records in accordance with the NHS Records Management Code of Practice.

Typically, your records are kept for a minimum of eight years after your last treatment, discharge, or death, unless longer retention is needed. Specific records are kept for longer periods:

  • Maternity Records - Retained for 25 years after the birth of the last child.
  • Cancer Records - Retained for 30 years from the date of diagnosis, or eight years after the patient's death, whichever is longer.

After the appropriate retention period, we ensure your records are securely and confidentially destroyed in line with data protection and NHS guidelines. This includes shredding paper records or wiping hard drives to legal standards of destruction once the retention period has been met and we have decided that the records are no longer required.

We are committed to ensuring that your personal information is kept safe and secure. We use a range of measures to protect your data, including:

  • Encryption: All electronic records are encrypted to prevent unauthorised access.
  • Access Controls: Only authorised staff with a legitimate need to access your information are granted access, and this is regularly reviewed.
  • Training: Our staff receive regular data protection training to ensure they understand their responsibilities when handling your personal information.
  • Physical Security: Paper records are stored securely, and access to these is restricted.
  • Monitoring and Auditing: We continuously monitor and audit our systems to detect and prevent unauthorised access or misuse of your data.
  • Secure Transfer: When sharing your information with other organisations, we use secure methods to ensure it remains protected.

These measures are designed to safeguard your information in compliance with data protection laws, including the UK GDPR and the Data Protection Act 2018.

What are your data protection rights?

You have several rights regarding your personal information, which may vary depending on the reasons we are processing your data. Your rights include:

  • Right of access: You have the right to ask us for copies of your personal information (known as a subject access request). You can request copies of your personal health information by emailing westherts.accesstohealthrecords@nhs.net.
  • Right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
  • Right to restrict processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Right to object to processing: You have the right to object to the processing of your personal information in certain circumstances.
  • Right to data portability: You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

If you wish to exercise any of these rights, please contact our Data Protection Officer at westherts.infogov@nhs.net.

As part of our ongoing efforts to improve efficiency and accuracy in patient care, we use automated processes for certain administrative tasks. These automations assist with repetitive tasks, such as vetting MRI requests, but do not make clinical decisions without human oversight. A healthcare professional will always review any critical decisions about your care.

We do not make decisions about your care based solely on automated processing, including profiling, which produces legal effects or similarly significant impacts on you. If in the future we use automated decision-making in a way that significantly affects you, we will ensure that you have the right to obtain human intervention, express your point of view, and challenge the decision.

The national data opt-out was introduced on 25 May 2018, allowing patients to choose whether their confidential patient information is used for research or planning purposes.

We apply the national data opt-out because we use confidential patient information for these purposes. You have the right to decide if your information can be used in this way. If you are happy with this use, you don’t need to take any action. If you choose to opt out, your confidential information will still be used to support your individual care.

You can view or change your national data opt-out choice at any time by visiting the NHS Your NHS data matters website, or by using the NHS App under "Your Health" and selecting "Choose if data from your health records is shared for research and planning." You can change your decision at any time.

The information collected about you when you use health and care services may also be used for purposes beyond your individual care, such as:

  • Improving the quality and standards of care provided
  • Research into the development of new treatments
  • Preventing illness and diseases
  • Monitoring patient safety
  • Planning health and care services

Whenever possible, data used for research and planning is anonymised so you cannot be identified, and your confidential information is not accessed.

If you choose to opt out, your decision will not affect the care you receive. To learn more or to manage your national data opt-out choice, visit the NHS Your NHS data matters website. You can update your preference at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes; data would only be used in this way with your specific agreement.

We try to meet the highest standards when collecting and using personal information. We encourage people to bring concerns to our attention and we take any complaints we receive very seriously. You can submit a complaint by contacting our Information Governance team by email at westherts.infogov@nhs.net.

If you remain dissatisfied with the Trust’s decision following your complaint, you may wish to contact:

Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF

Their website is www.ico.gov.uk