Enquiries: 01305 251150

Updated 22 April 2021

Purposes of processing

Dorset County Hospital NHS Foundation Trust processes patient data for the following primary purposes:

  • Providing direct health care
  • Providing other healthcare providers with information regarding your health care e.g. your GP, or discharge destination if your care is being transferred
  • Supporting social care with safeguarding vulnerable patients and supporting safe discharge

DCHFT keeps records in order to:

  • Have accurate and up to date information available to provide the right care and treatment options
  • Have information available to clinicians that you may see or be referred to, within the Trust or at another NHS organisation or organisation providing NHS services

DCHFT also processes data for the following secondary uses:

DCHFT values the principle of data minimisation and will use anonymised or pseudonymised information as much as possible. We rely on Article 6(1)(e) and Article 9(2)(h) for lawfully processing personal and special categories of data.

This helps the NHS to:

  • Prepare and analyse statistics on NHS performance
  • Audit NHS services, locally and nationally
  • Monitor how we spend public money
  • Plan and manage health services for the population of Dorset
  • Conduct health research and development of treatments

The Dorset County Hospital Charity has their own Privacy Notice. The Charity do not obtain any personal information from our health care services. They rely on Article 6(1)(f) and Article 9(2)(d) if they require special category data.

Our Research team also has their own Privacy Notice available here. They rely on the lawful basis in Article 6(1)(e) and Article 9(2)(j) to screen patients for involvement in research and trials, then involve you on an informed consent basis.

DCHFT process staff data for the following primary purposes:

  • Provision of employment
  • Provision of supporting services such as Occupational Health
  • Processing car parking permits
  • Payroll

DCHFT may also process data for secondary purposes:

  • Data analysis
  • Audit

This helps the NHS to:

  • Prepare and analyse statists on NHS performance
  • Audit NHS services, locally and nationally
  • Monitor how we spend public money
  • Plan and manage health services for the population of Dorset

Other ways in which patient and staff information may be used

Incident management
If you are involved in an incident, for example you slip and fall whilst in the hospital, your information may be included in the incident report and used as part of the investigation process.

Complaints and queries
If you raise a complaint or query with the hospital's Patient Experience Team, they will hold information about you within their secure database in order to ensure that your complaint or query is answered appropriately by the relevant person or department. Details of complaints or queries will not be stored within your medical records.

DCHFT uses CCTV in order to protect its staff and patients, as well as to protect its sites and NHS property. CCTV is used in public areas and indicated with CCTV signage. CCTV footage will be used for the prevention and detection of crime.

Public members
DCHFT have a public membership, which can be joined by anyone. Your personal and demographic information is held on our database for the purposes of providing you with The DCH Way newsletter and information about public events.

Data Controller and processors
DCHFT is the Data Controller of the personal and special categories of data which we gather, hold, and create about you. Our medical records are about you but are owned by the Trust, and we take responsibility for the ownership, management, storage and retention of your data.

The Trust engages with data processors who may process your personal or special categories of data. All data processors are held to strict contractual obligations, which specify the limitations, any access arrangements, storage and retention of data on our behalf as well as strict confidentiality and information handling clauses. All data processors are also held to high information security standards and must provide evidence of how they meet Data Protection legislation. These processors may be software suppliers or specialist and support services.

Transfers to third countries or international organisations
The Trust does not routinely transfer data outside of the European Economic Area and will assess any ad hoc transfers against adequacy (GDPR Article 45) and appropriateness of safeguards and data protection (GDPR Article 46) of the country of transfer. Since the Withdrawal Agreement with the EU it is anticipated that an adequacy arrangement will be quickly reached to allow the UK continuance of secure data sharing with EU countries.

Retention periods

The Trust works to the Records Management Code of Practice for Health and Social Care 2016 Retention Schedules.

Standard retention periods

  • Health Records are retained for eight years or more, depending on the specific conditions or treatments received by individuals, from the point of discharge or when the patient was last seen
  • Paediatric records, including obstetrics and midwifery records, are retained for 25 years, or until the patients 26th birthday if the patient was 17 at the conclusion of treatment
  • Deceased records are retained for eight years
  • Staff records are kept in full for six years, then condensed to a summary file which is retained until the individual’s 75th birthday, or six years longer if they work beyond 75
  • Our electronic records are managed with the same retention periods

Non-standard retention periods

  • Cancer and Oncology records are retained for 30 years, or eight years after the patient has died
  • Contraception, Sexual Health and Genito-Urinary Medicine (GUM) records are retained for eight years, or 10 years if an implant or device is inserted
  • Records of long term illnesses or an illness that may reoccur are retained for 30 years, or eight years after the patient has died

Other non-standard retention periods are available here.

All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required. You cannot exercise your right to erasure with regards to records which the Trust is legally bound to retain.

Data subject rights

You have the right to:

  • Be informed about what happens to your data
  • Access your information
  • Ensure that incorrect information is corrected
  • Right to erasure, in most situations
  • Restrict or object to the use of your information in certain circumstances
  • Data portability
  • Raise a complaint with the UK data protection regulator, the Information Commissioner's Office (ICO)
  • Appropriate decision making

Accessing your information
You have the right to obtain a copy of the personal data undergoing processing: a Subject Access Request. Subject Access Requests should have a response within one month of receipt of the request, free of charge, in an intelligible format.

The period of response can be extended by two further months if necessary where, for example, complicated post-processing of information is required to make it intelligible or additional processes are needed to identify the data subject.

If the Trust deems the request to be unfounded or excessive, we have the right to refuse an information request or to charge a reasonable fee to cover the resulting administrative costs. You will be informed, within the one month period, of the reason for not taking action or charging a fee.

Subject Access Requests can be made by the individual themselves, by a legal representative; a lawyer acting on their behalf, carer, parent, guardian or appointment representative, with appropriate consent. A personal representative also has the right of access to deceased records.

Disclosure is restricted where granting access would disclose information likely to cause serious harm to the physical or mental health of the patient or another individual, where the data subject does not already know the information, or where granting access would disclose information relating to or provided by a third party who could be identified from the information and who has not provided consent for the release of the information.

To make a request of access to patient information, contact our Medical Records Department using the form available here and emailing it to health.recordsadministrator@dchft.nhs.uk 

Alternatively, you can contact:

Health Records Administrator
Health Records
Dorset County Hospital NHS Foundation Trust
Williams Avenue

01305 255442

To make a request of access to staff information, contact our Human Resources Department using the form available here and emailing it to humanresources@dchft.nhs.uk 

Alternatively you can contact:

Human Resources Department
Trust HQ
Dorset County Hospital NHS Foundation Trust
Williams Avenue

Right to restrict or object to the use of your information
The right to restrict processing of healthcare data can only be exercised in the following circumstances:

  • The accuracy of the data is contested
  • The processing is unlawful

Patients do have the choice to restrict processing of identifiable data for secondary purposes, through the National Data Opt Out, more information is available here.

Right to have incorrect information corrected
If you feel that information held about you is incorrect, you have the right to ask for it to be corrected. This applies to matters of fact, not opinion. Incorrect demographic information will be corrected immediately. If the information is of a clinical nature, this will need to be reviewed and investigated by the Trust, which will produce one of the following outcomes:

  • The Trust deems the information to be correct at the time of recording and will not amend the data. A statement from the data subject may be placed within the record to demonstrate that they disagree with the information held. The data subject has the right to appeal to the Information Commissioner.
  • The Trust agrees that the information is incorrect, however it is not legal to modify or remove information within the record as it represents 'historical information' which may have influences subsequent events of decisions made therefore a note will be made in the record which alerts the reader of the inaccuracy and of the correct facts. The Trust will agree the content of the note with the data subject.

Right to data portability
This right only applies where the original processing is based on the data subjects consent or fulfilment of a contract that they are party to, and if the processing is automated however, in the spirit of the Regulations, Subject Access Requests should be provided in a 'useful electronic format' and where possible in a commonly used, machine-readable format. This may require you to 'unzip' your files or for the Trust to encrypt your information for you.

Right to appropriate decision making
The right to appropriate decision making applies to automated processing, including profiling, which produces legal effects or that similarly significantly affects you. The Trust has not identified any system using automated processing which are solely automated and without human interaction regarding the effects of processing.

Right to erasure
You cannot exercise your right to erasure with regards to records which the Trust is legally bound to retain. The Trust has an obligation, not only to retain information for a specified time period, but also not to retain information for longer than is necessary and will dispose of information in accordance with our Records Management and Lifecycle Policy.

Please see section above on retention.

Right to lodge a complaint
If you are dissatisfied with the handling of your personal information, you have the right to make a complaint. In the first instance, formal complaints should be addressed to:

Patient Experience Team
Dorset County Hospital NHS Foundation Trust
Williams Avenue


0800 7838058

You also have the right to make a complaint to the Information Commissioner's Office – the Independent regulator of data protection:

Information Commissioner's Office
Wycliffe House
Water Lane

Or by using their online submission form.

Internet usage and mobile devices

We would like to use cookies to store information on your computer, to improve our website. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but some parts of the site will not work. 

Mobile phones, tablets and other devices that connect to the internet
We recognise that mobile phones and other devices are essential to maintain communication with friends, family and loved ones. However, in a hospital they can sometimes be a nuisance to other patients, visitors and our staff and pose a risk to privacy and dignity, especially where information, images and recordings can be posted quickly on social media.

We have in place policies to protect the confidentiality and privacy of people on our site and guidance for staff, patients and visitors on how to make appropriate decisions about their use of social media in the hospital or its grounds. Mobile phones, tablets and other devices that connect to the Internet can be used across the hospital unless we specifically advise you that their use has been restricted in certain areas or circumstances.

Mobile devices
We ask that you please switch your phone to 'silent' while in clinical areas whenever possible, and hold any mobile phone conversations away from sleeping or treatment areas. Where patients or visitors are using devices to watch or listen to recordings or conversations, please use earphones at all times to avoid being a nuisance to others.

Please note that the ward or department lead has the interests of all patients, visitors and staff to consider and has the discretion to limit the use of mobile devices in certain areas if appropriate.

Please remember that patients and visitors are responsible and personally liable for their actions and we ask that care and consideration for the privacy and dignity of other patients, visitors and staff should be given at all times. Where photographs or recordings are made on the hospital site, please do not capture other patients, visitors or staff unless you have the explicit consent of all those involved. Images or recordings made whilst a patient, or whilst visiting the Trust must not be posted onto any internet site or shared with another individual unless you have the explicit consent of all those involved.

Please do not reveal information that could potentially identify a patient such as a patient's name, address, postcode, ID number, photograph, voice or video recording, rare condition, celebrity status. These must not be posted onto any internet site or shared with another person without their explicit consent.

Action we may take
If a member of staff has reason to believe that images or recordings have been made without the explicit consent of all those involved, we may ask to check and request that the material is deleted, including any related social media posts.  Where the images are considered to potentially be of an illegal nature, we may need to take further action.

Please remember that any comments or internet posts which are of a discriminatory, racist or defamatory nature will be reported to the police for investigation.

Patients who use the Trust Wi-Fi systems must conform to the terms and conditions of use.

These measures are designed to help protect people's confidentiality within hospital, including yours, and we thank you for your understanding.