As an NHS organisation we use personal and confidential information for a number of purposes. Please read the separate information under Website Privacy and Cookies for a summary of how we use information about you that we collect during your visit to this website.
Privacy Notice for private patients treated on NHS premises
Hull University Teaching Hospitals NHS Trust collects stores and uses large amounts of personal data every day, such as medical records, personal records and computerised information. This data is used by many people in the course of their work.
The Trust offers some services privately to patients. As a private patient, the Trust also collects additional data about you, such as financial records. This privacy notice tells you what information we collect and how it is used.
This makes Hull University Teaching Hospitals NHS Trust the Data Controller
Our registered address is Castle Hill Hospital, Cottingham. HU16 5JQ
We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.
At Trust Board level, we have a Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality.
We have a Data Protection Officer who ensures the Trust is accountable and compliant with all Data Protection Legislation and Guidance including the GDPR and Data Protection Act 2018.
The Data Protection Officer:
Dr Alastair Pickering
Hull Royal Infirmary
Hull HU3 2JZ
Call Dr Pickering and the Information Governance Team on 01482 461776
What information do we collect about you?
The doctors, nurses and team of healthcare professionals caring for you keep records about your health and any care and treatment you receive to ensure that you receive the best possible care. The Trust will also keep financial records relating to payment of your treatment or consultation. The information in the records may come from you, the people who referred you or your insurance policy provider and may include:
- Basic details about you such as name, address, date of birth, next of kin, etc.
- Contacts we have had with you such as appointments or clinic visits.
- Relevant information from people who care for you and know you well such as health professionals and relatives.
- Visual images, personal appearance and behavior, for example if CCTV images are used as part of building security
We may also process special categories of information that may include:
- nationality, racial and/or ethnic origin
- religious or philosophical beliefs
- health information: e.g. results of x-rays, scans and laboratory tests
- notes and reports about your health, treatment and care
- sex life or sexual orientation
It is essential that your personal details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.
How your personal information is used
Your records are used to direct and deliver the care you receive to:
- Ensure the doctors, nurses and other healthcare professionals involved in your care have accurate and up to date information to assess and decide on the most appropriate care for you
- Ensure healthcare professionals (including partner organisations) delivering your care have the information they need to be able to assess and improve the quality and type of care you receive
- Ensure your account is accurate and up-to-date
Our lawful basis for processing your information under Data Protection legislation is:
- Contract: the processing is necessary for a contract, or you have asked us to take specific steps before entering into a contract. Article 6 (b) GDPR/DPA18)
- Public task: the processing is necessary to perform a task in the public interest, or our official functions, which have a clear basis in law. Article 6 (e) (GDPR /DPA18)
- The processing is necessary for the purpose of preventative or occupational medicine, the assessment of the working capacity of employees, medical diagnosis, the provision of health or social care or treatment or management of health or social care system. Article 9 (2) (h) (GDPR/DPA18)
- The processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law. Article 9 (2) (b) (GDPR/DPA18)
- The processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or high quality and safety of health care and medicinal products or devices. Article 9 (2)(i) (GDPR/(DPA18)
- The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1). Article 9 (2)(j) (GDPR) Part 1, Schedule 1 (DPA18)
Your information will also be used to help us manage the and protect the health of the public by being used to:
- Review the care we provide to ensure it is of the highest standard and quality
- Protect the health of the general public
- Manage the health service
- Ensure our services can meet patient needs in the future
- Investigate patient queries, complaints and legal claims
- Ensure the hospital receives payment for the care you receive
- Prepare statistics on NHS performance
- Audit accounts and services
- Undertaking heath research and development (see below)
- Helping to train and educate healthcare professionals
Information may only be used for purposes beyond your care when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified.
National Fraud Initiative
The Trust participates in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise. This is necessary to comply with a legal obligation (GDPR Article 6(1)(c)) and does not require consent under the data protection legislation. For further information, please see the National Fraud Initiative Privacy Notice.
National Data Opt Out
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters
Who do we share personal information with?
Everyone working within the Trust has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.
We will share information with the following main partner organisations:
- Other NHS trusts, NHS community services and hospitals that are involved in your care
- Clinical commissioning groups and other NHS bodies (see below)
- General practitioners (GPs)
- Ambulance services
You may be receiving care from other people as well as the NHS, for example Social Care Services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it or we have your permission. Therefore, we may also share your information, subject to strict agreement about how it will be used, with:
- Social care services.
- Education services.
- Local authorities.
- Voluntary and private sector providers working with the NHS.
- Your insurance provider
- Debt Recovery agencies
- The Private Healthcare Information Network (PHIN)
- Our regulators, e.g. the CQC
We will not disclose your information to any other third parties unless any of the following apply:
- We have your permission
- We have to share by law
- We have good reason to believe that failing to share the information will put you or someone else at risk of serious harm or abuse
- We hold information that is essential to prevent, detect, investigate or punish a serious crime
- It is part of a contract to deliver a support service to you so that you can best access our services. i.e. to provide you with an interpreter or translation support during an appointment or in the course of receiving care or treatment in our services – our translation and interpretation services are provided through a third party contracted to the Trust
Please ask our staff if you have any concerns or would like further information. Alternatively you can contact the Data Protection Officer or the Information Governance Team, using the contact details at the bottom of this page.
One of the legal requirements on the Trust is to check eligibility to receive NHS services, as well as a legal obligation to charge for NHS treatment where applicable. These requirements are detailed in the National Health Service (Charges to Overseas Visitors) Regulations 2015 (Statutory Instrument 2015 No. 238), as amended (most recently by the National Health Service (Charges to Overseas Visitors) (Amendment) Regulations 2017).
In order to meet these legal obligations, the Trust will need to process and share your information with external agencies in order to:
- Establish your identity and your entitlement to free NHS treatment
- Record NHS debtors to the Department of Health and Social Care
- Determine your immigration status using Home Office Services
- Prevent, detect and prosecute fraud and other crime
Clinical commissioning groups (CCGs)
CCGs are responsible for planning the health needs of their patients, and for paying to keep their local hospitals running. Information in computerised form is sent to CCGs, with your name and address removed, but including NHS numbers and postcodes. Exactly the same information is sent to the Office of National Statistics which produces information about the performance of hospitals.
Other organisations such as specialist disease registries receive information about particular areas of healthcare. This is important to ensure that the NHS provides the best possible treatments both now and in the future.
Sometimes we undertake studies for which we may ask you for additional co-operation; these studies may involve you in extra tests or visits to the hospital. You always have a choice whether or not to be involved after being given detailed information. If you choose not to take part this will not affect your future treatment in any way. Please click here for further information about patient information and health and care research.
From time to time, staff caring for you may be accompanied by students for teaching purposes. You have the right to refuse the presence of a student. If you have any strong feelings about this or require any further information do not hesitate to let staff know.
We will ensure your rights are respected. You have;
- The right to be informed – we tell you what we do with your information. We do this through notices like this, service information leaflets, notices on our website and posters.
- The right to rectification – we will correct any personal information that is inaccurate or rectify any data that is incomplete.
- The right to object – you have the right to object to how we process your information. Your objection will be considered in relation to your particular situation, we will stop processing unless there is a legitimate reason for us to continue processing. e.g. we will not be able to stop processing your data to provide you with direct patient care, as we need to provide you with safe care.
If you would like to raise an objection about how we process your information, please speak to your health professional or alternatively write/email the Information Governance Team (see information governance enquiries section below).
- The right to restrict processing – we will temporarily restrict processing your data, whilst we check the information, if you query the accuracy of it
- We will also restrict processing (if you raise an objection to how we process your data) whilst we consider your objection
- The right of access – you can ask for copies of information we hold about you. This is called a subject access request.
How you can access your records
If you would like to request a copy of a medical record, please complete the application form
Please email the completed form to hyp-tr.SAR@nhs.net or post to:
Hull Royal Infirmary
HULL HU3 2JZ
For more information please call 01482 604407
SMS Text Messaging
Your contact details are important to us; ensuring that we can contact you in regard to appointment bookings, appointment cancellations and as a means of reminding you of your forthcoming appointments. The contact information we store will only be used by us in relation to hospital business, we will not pass on your information to any party other than the third party company used to deliver our free of charge appointment reminder service. They are also obliged to keep your information secure and used only for that purpose.
Sending Data to other Countries
Sometimes your data may be processed outside the UK, in most circumstances it will remain within the European Union (EU) and will have the same protection as if processed within this country. When this is outside the EU we will identify the data protections in place prior to transfer.
How long we keep your information
All personal information and health records of private patients seen on NHS premises will be kept in line with the retention periods in the Department of Health Records Management Code of Practice for Health and Social Care Records 2016.
Credit/debit cards information will be held for 6 months following payment.
The Data Protection Act 2018 requires organisations to notify with the Information Commissioner to describe the purpose for which they process personal information. These details are publicly available on the Information Commissioner’s Office (ICO) website.
If you have any concern about how we have handled your data you can contact our Complaints or Patient Advice & Liaison Service (PALS) or contact the Data Protection Officer.
Additionally, you have the right to raise a complaint about how we have handled your data you can contact Information Commissioner’s Office (ICO) Helpline: 0303 1231113 or online: Information Commissioner’s Office (ICO)
Freedom of information
The Freedom of Information Act 2000 provides any person with the right to obtain information held by Hull University Teaching Hospitals NHS Trust, subject to a number of exemptions. If you would like to request information from us,
or by post;
Hull University Teaching Hospitals NHS Trust
Freedom of Information Team
Hull Royal Infirmary
Information governance enquiries please contact:
Hull University Teaching Hospitals NHS Trust,
Castle Hill Hospital,
Call us on 01482 468087
Data Protection Officer,
Hull University Teaching Hospitals NHS Trust,
Hull Royal Infirmary,
Call me on 01482 674920
Email me at firstname.lastname@example.org
Or at email@example.com