Hounslow and Richmond Community Healthcare Trust takes your confidentiality and privacy rights very seriously. This notice explains how we collect, process, transfer and store your personal information and forms part of our accountability and transparency to you under the General Data Protection Regulation (GDPR) 2018 and any subsequent UK legislation.
We have a duty to support and care for those most in need. To do this, we must hold records about you, your personal circumstance and the services/care you are receiving or may need to receive in the future.
This information will be held securely either on paper or on an electronic record.
The record may include:
- basic details about you, such as address, date of birth, postcode, sex, first language, next of kin, NHS number, ethnic group; in some cases, this might also include genetic information; biometrics (where used for ID purposes); health; sex life; or sexual orientation
- current and past contacts we have had with you
- notes and reports about your health and social care and any treatment, care or support you need
- details and records about the services or care you receive and who is providing them
- results of your tests and diagnosis
- relevant information from other professionals, relatives or those who care for you or know you well
- any contacts you have with us such as home visits or outpatient appointments
- information on medicines, side effects and allergies
- patient experience feedback and treatment outcome information you have provided
- photos or videos you have consented to be taken
Please note that this is not a full list of the types of information we hold or handle.
Most of your records are electronic and are held on a computer system or a secure IT network. New ways of providing joined up services are being implemented, with closer working with GPs and other healthcare and social care providers.
To assist this, the use of other electronic patient record systems to share your information will be implemented. You will be given the opportunity to say no and to opt-out of this sharing. To do this, please speak to your GP or the team providing your treatment.
The information that we keep is used to ensure that we can:
- contact you
- make informed decisions about your treatment and care
- plan your service and support
- refer on to another service if required
- investigate any concerns or complaints about your service
- review the care we provide to ensure it is effective
- work effectively with others who also provide you with care – i.e. your GP, other health providers, social care, or other providers of care
- monitor people receiving a service and the funding for that service
- carry out research in order to improve services and ensure they meet people’s needs
- produce statistics for central government and local planning (This information is used anonymously).
We will process your personal information fairly and lawfully by only using it if we have a lawful reason. When we do, we make sure you know how we intend to use it and tell you about your rights.
We do not rely on consent to use your information for a health care purpose as a ‘legal basis for processing’. We rely on specific provisions under Article 6 and 9 of the General Data Protection Regulation, such as ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller or the provision of health treatment.’
This means we can use your personal information to provide you with your health care without seeking your consent. However, you do have the right to say ‘NO’ to our use of your information but this could have an impact on our ability to provide you with care.
We will not share your data for a purpose outside of your healthcare without your consent.
Although we will not rely on your consent to share information for your healthcare purpose, we will follow good practice laid down by common law duty of confidence with regards to informing you of what we do with your information; this is called implied consent.
Any use of personal information for non-direct care purposes without a lawful basis or consent will be considered as a breach of GDPR and subsequent data protection legislation and/or common law duty of confidence.
Your information will be safe and treated with the utmost respect. If we ask you for personal information we promise to:
- make sure you know why we need it
- ask only for what we need and not collect too much or irrelevant information in order for us to carry out the various tasks within the delivery of your care
- have secure processes in place to keep your personal information safe when it is being used, shared, and when it is being stored to protect it and make sure it is only available to authorised members of staff
- only collect and use your information to provide you with your care and treatment, and not use it for anything else
- get your consent to share it with other organisations, and give you the chance to refuse permission, if the data is to be used for another purpose (not health care)
- not make your personal information available for commercial use
- consider your request if you ask us to stop holding and processing data about you
- notify you if your data is disclosed inappropriately
- only hold your information for as long as is necessary for your care. This time period is set out and agreed following national guidance. Please ask us for more information
In return we ask you to:
- give us accurate information
- tell us as soon as possible if there are any changes to your personal circumstances such as your address
This helps us to keep your information reliable and up to date.
It is good practice for those providing your care to:
- discuss and agree with you what they intend to record about you
- give you a copy of letters and other documents they write about you
- show you what they have recorded about you
- ask for your permission to share information with others and
- let you know what they have told others about you and who those others are
The only individuals who regularly have access to your records are those involved in providing your service. The NHS and other agencies, including social services and private healthcare organisations, work together, so we may need to share information about you with other professionals and services involved in your care. Everyone involved in your service has a legal duty to keep information about you confidential and secure.
When other agencies are involved in providing a service, they will have access to your records. However, in these circumstances only the relevant amount of information is shared.
We share your data with other professionals in order to provide the most appropriate treatment and support for you, and your carers, or when the welfare of other people is involved.
Examples of who we share personal information with:
- ambulance services
- external care providers
- social care
- hospitals and other health partners
- housing organisations
- voluntary organisations
The information from your patient record will only be used for purposes that benefit your care - we would never share it for marketing or insurance purposes.
Under the common law duty of confidence, you have the right to refuse/withdraw your consent to information sharing at any time. Please discuss this with your relevant care professional as this could have implications in how you receive further care, including delays in you receiving care.
However, a person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies. In these rare circumstances we are not required to have your consent.
Examples of this are:
- If there is a concern that you are putting yourself at risk of serious harm
- If there is concern that you are putting another person at risk of serious harm
- If there is concern that you are putting a child at risk of harm
- If we have been instructed to do so by a Court
- If the information is essential for the investigation of a serious crime
- If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
- If your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases
Your information will not be disclosed to third parties such as partners, relatives, friends or carers without your consent unless the:
- disclosure is required by law
- health or safety of others is at risk
NHS Digital, on behalf of NHS England, assesses the effectiveness of the care provided by publicly-funded services - we have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and, in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations.
You have the right to object to us sharing your information to NHS Digital – this will not affect your care in any way.
We manage, maintain and protect all information according to legislation, our policies and best practices. We have security measures in place to maintain and safeguard the confidentiality, reliability and availability of our systems and data.
All information is stored, processed and communicated in a secure manner and made available only to authorised members of staff on a need to know basis. Only the minimum amount of information required will be shared.
The trust is registered with the Information Commissioner’s Office, registration number: Z2593470.
All the IT systems used by the trust are implemented with robust information security safeguards to protect your personal information.
The trust is accredited to Cyber Essentials standard and meets the requirements of the mandatory Data Security and Protection Toolkit.
The Records Management Code of Practice for Health and Social Care 2016 sets out what people working with or in NHS organisations in England need to do to manage records correctly. It is based on current legal requirements and professional best practice and was published on 20 July 2016 by the Information Governance Alliance (IGA).
Appendix 3 of the Code contains the detailed retention schedules. It sets out how long records should be retained, either due to their ongoing administrative value or as a result of statutory requirement.
We make every effort to handle all information in a way that respects your rights and meets the requirements of the General Data Protection Regulation and subsequent UK legislation.
The right to be informed: you have the right to know why and how your personal data is being processed. All the information you need to know can be found on this page and throughout this website.
The right of access: Under current data protection law, you have the right to ask us for a copy of all the information we hold about you. This is called a subject access request. Please see below for more information. Once we have all the relevant information we will provide your records within one month. A copy of the requested information will be provided free of charge unless the request is what the law calls ‘manifestly unfounded or excessive’, in particular if it is repetitive. In some cases, information may be withheld but we will discuss this with you.
The right to rectification: You have the right to have your information corrected if you believe it is factually inaccurate – this is known as the right to rectification.
The right to erasure: The right to erasure is also known as ‘the right to be forgotten’. In certain circumstances, it allows you to instruct organisations to delete or remove personal data. When we receive a request for the deletion or removal of personal data, we will consider the grounds for the request and decide whether to comply or whether we can legally refuse in order for us to provide our healthcare service.
The right to restriction of processing: In certain circumstances, you have a right to stop us processing your personal data. Where this right applies (e.g. if the individual contests the accuracy of the data or the processing is unlawful), we are still allowed to store the personal data but must not use it for any other purposes unless certain conditions apply. In most cases the restriction will not be in place forever, but for a limited time; for example while you consider the accuracy of the data or review whether you have legitimate grounds to override the objection.
The right to data portability: This is a new right that lets you get hold of and re-use your personal data for your own benefit across different services. It applies: to personal data you have given us, and when we are processing that data on the basis of consent or for the performance of a contract and when the data is being processed by automated means.
The right to object: you have the right to object to the processing of your personal data for several reasons.
Please contact the Information Governance team at email@example.com for more details or to make a request.
To help us monitor our performance, evaluate and develop the services we provide, it is necessary to review and share minimal information, for example with the NHS Clinical Commissioning Groups. The information we share would be anonymous so you cannot be identified and all access to and use of this information is strictly controlled.
In order to ensure that we have accurate and up-to-date patient records, we carry out a programme of clinical audits. Access to your patient records for this purpose is monitored and only anonymous information is used in any reports that are shared internally within our Trust.
The trust actively promotes research with a view to improving future care. Researchers can improve how physical and mental health can be treated and prevented. If we use your patient information for research, we remove your name and all other personal data which would identify you. If we need the information in a form that would personally identify you, we would ask for your permission first.
For further details about how we use your information for research, please refer to the Health Research Authority website.
Please see the Trust Research page for details about our current projects.
For more information about how we process your information for research please see our patient records page.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.
The national data opt-out allows you to choose if you do not want your confidential patient information to be used for purposes beyond individual care and treatment.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.
On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
- hra.nhs.uk/information-about-patients (health and care research)
- understandingpatientdata.org.uk/what-you-need-know (why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
You have a right to see the information we hold about you, whether on paper or electronic, except for information that:
- Has been provided about you by someone else if they haven’t given permission for you to see it
- Relates to criminal offences
- Is being used to detect or prevent crime
- Could cause physical or mental harm to you or someone else
Your request must be made in writing and we will request proof of identity before we can disclose personal information. You can find out more about accessing your information by referring to our website below:
Please complete this form and return it to the address provided. If you have any questions please contact the Information Governance team: firstname.lastname@example.org
Please note: You will need to provide adequate proof of identification
If you wish to access information about a deceased person who has been under the care of the Trust, please use the subject access process as above. Your application will be processed under the Access to Health Records Act 1990. GDPR and any subsequent data protection legislation apply only to living individuals.
To help us find and retrieve information for you, please state exactly what information you require, and provide the following details of the deceased:
Name, date of birth, date of death and last known address of deceased
This information is necessary to help us confirm if we hold records relating to the deceased and locate them for you.
Before we are able to release records about a deceased person, we will need:
- confirmation that the individual is in fact deceased, such as grant of probate or death certificate.
- proof of entitlement – one of the following:
  - grant of probate and certified copy of the last will & testament or
  - letters of administration – if the deceased died intestate
We need to identify that you are the personal representative of the deceased person or that you have a claim arising out of the patient’s death, to ensure that you are entitled to information about them. Please note that the right of access to information passes to the personal representative on death.
Please also supply us with one form of identification for yourself, showing your name and current address. Acceptable examples of identification are a driver’s licence or passport.
If your request is through a solicitor who is acting for you, then we require a signed authority from them.
You should let us know if you disagree with something written on your file. You may not always be able to change or remove the information. However, we will correct factual inaccuracies and may include your comments in the records.
Coordinate My Care (CMC) is an innovative NHS service that builds medical care around the wishes of each patient. CMC helps you record your views and wishes with an electronic personalised urgent care plan.
This care plan can be seen by doctors, nurses, people providing you with social care, and emergency services - including the ambulance service, the NHS 111 service and out of hours GP.
You can give consent and join the CMC service at any time. Plans can be made for individuals of all ages. For more information and to join up, please visit www.coordinatemycare.co.uk
The Department of Health & Social Care mandates all NHS Trusts to undertake clinical audits on care delivered to patients. The audits can be undertaken by clinical staff employed by us or by external audit companies.
This could involve individuals who have not been involved with your direct care accessing your medical records.
We have an annual clinical audit programme which requires clinical staff to participate. Clinical staff consider patient medical records to review the care provided, and to identify ways in which the care could be improved in the future.
When you use our website or interact with our social media presence (e.g. Twitter and Facebook) your data (e.g. comments, likes, reviews) may be visible to providers of social networking services and their users.
We suggest that you review the privacy and security settings of your social media accounts to ensure you understand how your data may be shared and used.
We do not carry out automated decision making but will work with partner organisations to endeavour to identify people who may benefit from additional services (profiling), for example those who attend our urgent treatment centres frequently. Appropriate staff, for example clinicians, would make the actual decisions based on the available information.
HRCH works with local health and social care providers such as clinical commissioning groups, local social services and hospital trusts to process data for ‘secondary use’.
This is when we use data outside of the normal direct health care provision. For more information on this use, please see below:
Activate your Heart
HRCH is providing access to a new web-based cardiac rehabilitation programme to support patient recovery. The programme is called Activate your Heart and is provided by University Hospitals of Leicester NHS Trust.
ChatHealth: for use with School Nursing service
ChatHealth is a safe and secure messaging platform which helps healthcare service users get confidential help and advice from healthcare professionals.
HRCH uses ChatHealth messaging to offer the opportunity for you to ask for help and advice anonymously, without giving your name. Your conversation is also confidential.
Except in some exceptional circumstances, HRCH will not normally inform anyone that you have been in touch or tell them what you have been speaking about.
School-age vaccination programme
The Secretary of State for Health & Social Care is required to take steps to protect the public from disease. This includes providing vaccination services. This specific responsibility is fulfilled by NHS England, which works with NHS trusts and local authorities to vaccinate children in schools.
Hounslow Multi-Agency Safeguarding Hub (MASH)
The MASH is made up of many different partners; HRCH is one of them. The purpose of MASH is to improve the quality of information sharing between professionals to make timely and informed decisions about risk based on accurate and up-to-date information.
Building Blocks programme
This programme provides families with products, resources and information that support the home learning environment and children’s development.
HRCH will share key personal information with Save the Children to be able to provide this service but only with your explicit consent.
National Counter Fraud
National Counter Fraud Initiative is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud. The following link will take you to the Privacy Notice of the National Counter Fraud Initiative which details the information which we may share and the legal basis for this.
NHS mail privacy notice
HRCH uses the NHSmail Live Service to create, store and send data through NHSmail.
This processing could be through:
- Email (Exchange / Outlook)
- Instant Messaging, Voice, Video or Screen Sharing (Skype for Business)
- Office 365 services (SharePoint, OneDrive, Teams, etc.)
Exchange and Skype for Business data is stored by Accenture within the UK.
Office 365 data is stored by Microsoft; depending on the specific service, this may be within the UK, within the EU or outside the EU. For further information see Microsoft’s privacy information.
The NHSmail Live Service deploys highly sophisticated SPAM and Malware filtering technologies to block SPAM, Viruses and Malware.
HRCH processes data with NHSmail under:
Article 9 (2) (h) – processing is necessary for the purposes of preventive or occupational medicine.
Lawful processing by Controller (Article 6 b and e);
(b) as part of their employment contract it is necessary for their job
(e) as the mail system is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Public Task)
Child development multi-disciplinary team meetings
Staff at HRCH work with partner organisation, Achieving for Children, to provide a multi-disciplinary team meeting within a child development setting.
The NHS app is a simple and secure way to access a range of NHS services on your smartphone or tablet.
Use the NHS app to:
- check your symptoms
- find out what to do when you need help urgently
- book and manage appointments at your GP surgery
- order repeat prescriptions
- securely view your GP medical record
- register to be an organ donor
- choose how the NHS uses your data
The NHS app is being gradually rolled out across England now. You can check if your GP surgery is connected when you open the app for the first time. If it isn’t, you can register your email address and NHS Digital will notify you when they go live.
Alternatively, you can check the list of surgeries that are already connected using the link below. If your surgery isn’t connected you can still download the app and use it to check your symptoms and find out what to do when you need help urgently.
Our Caldicott Guardian (a senior manager who ensures patient information is processed appropriately) is Dr John Omany.
Our Senior Information Risk Owner (SIRO) is David Hawkins.
Our Data Protection Officer is Madeleine Escott.
To contact any staff mentioned above or the information governance team, please use the information below.
Telephone: 020 8973 3110
Heart of Hounslow Centre for Health
92 Bath Road
Patient Advice and Liaison Service:
Free phone: 0800 953 0363
Post: If you have any queries about local health services, or you would like to make a complaint, you can write to us at:
Patient Experience Team
Hounslow and Richmond Community Healthcare NHS Trust
Information Commissioners Office:
To get further advice or report a concern directly to the UK’s independent authority, you can do this by contacting:
Information Commissioner's Office
Telephone: 0303 123 1113
Covid-19 has led to the trust changing the way we run our services in the short term. We are looking at ways to keep in touch with you, while our staff are working from home. Part of this change will involve how we share personal data, either with you or with your carer.
Hounslow & Richmond Community Healthcare (HRCH) NHS Trust has been asked to offer COVID antibody testing to staff working in the Adult Social care and Residential Care Homes in Richmond.