Tier Two - Purposes of processing, retention and your rights
Purposes of processing
Dorset County Hospital NHS Foundation Trust (DCHFT) processes data for the following primary purposes:
- Providing direct health care
- Providing other healthcare providers with information regarding your Health care e.g. your GP, or discharge destination if your care is being transferred
- Supporting social care with safeguarding vulnerable patients and supporting safe discharge
DCHFT keeps records in order to:
- Have accurate and up to date information available to provide the right care and treatment options
- Have information available to clinicians that you may see or be referred to, within the Trust or at another NHS organisation or organisation providing NHS services
DCHFT also processes data for the following Secondary Uses:
- National Archiving
DCHFT values the concept of data minimisation and will use anonymised or pseudonymised information as much as possible. We rely on Article 6(1)(e) and Article 9(2)(h) for lawfully processing personal and special categories of data.
This helps the NHS to:
- Prepare and analyse statists on NHS performance
- Audit NHS services, locally and nationally
- Monitor how we spend public money
- Plan and manage health services for the population of Dorset
- Conduct health research and development of treatments
The Dorset County Hospital Charity has their own Privacy Notice available here. The Charity do not obtain any personal information from our Health Care services. They rely on Article 6(1)(f) and Article 9(2)(d) where they require special categories of data.
Our Research team also has their own Privacy Notice available here. They rely on the lawful basis in Article 6(1)(e) and Article 9(2)(j) to screen patients for involvement in research and trials, then involve you on an informed consent basis.
Other ways in which your information may be used:
If you are involved in an incident, for example you slip and fall whilst in the hospital, your information may be included in the incident report and used as part of the investigation process.
Complaints and queries
If you raise a complaint or query with the hospital's PALS team, the team will hold information about you within their secure database in order to ensure that your complaint or query is answered appropriately by the relevant person or department. Details of complaints or queries will not be stored within your medical records.
DCHFT uses CCTV in order to protect its staff and patients, as well as to protect its sites and NHS property. CCTV is used in public areas and indicated with CCTV signage. CCTV footage will be used for the prevention and detection of crime.
DCHFT have a public membership, which can be joined by anyone. Your personal and demographic information is held on our database for the purposes of providing you with our Newsletter "The DCH Way" and information about public events.
Data Controller and Processors
DCHFT is the Data Controller of the Personal and Special Categories of data which we gather, hold and create about you. Our medical records are about you but owned by the Trust and we take responsibility for the ownership, management, storage and retention of your data.
The Trust engages with data processors who may process your personal or special categories of data. All Data Processors are held to strict contractual obligations, which specify the limitations, any access arrangements, storage and retention of data on our behalf as well as strict confidentiality and information handling clauses. All data processors are also held to high information security standards and asked to provide evidence of how they met Data Protection legislation. These processors may be software suppliers or specialist and support services.
Transfers to Third Countries or International Organisations
The Trust does not routinely transfer data outside of the European Economic Area and will assess any ad hoc transfers against adequacy (GDPR Article 45) and appropriateness of safeguards and data protection (GDPR Article 46) of the country of transfer.
The Trust works to the Records Management Code of Practice for Health and Social Care 2016 Retention Schedules.
Standard Retention Periods:
- Health Records are retained for 8 years or more, depending on the specific conditions or treatments received by individuals, from the point of discharge or when the patient was last seen
- Paediatric records, including obstetrics and midwifery records, are retained for 25 years, or until the patients 26th birthday if they were 17 at the conclusion of treatment
- Deceased records are retained for 8 years
- Our electronic records are managed with the same retention periods
Non-standard Retention Periods:
- Cancer and Oncology records are retained for 30 years, or 8 years after the patient has died
- Contraception, Sexual Health and Genito-Urinary Medicine (GUM) records are retained for 8 years, or 10 years if an implant or device is inserted
- Records of long term illnesses or an illness that may reoccur are retained for 30 years, or 8 years after the patient has died
Other Non-Standard Retention periods are available here.
All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required. You cannot exercise your right to erasure with regards to records which the Trust is legally bound to retain.
Data Subject Rights
You have the right to:
- Access your information
- Restrict or object to the use of your information in certain circumstances
- Ensure that incorrect information is corrected
- Data portability
- Appropriate decision making
- Right to erasure
- Raise a complaint with the UK data protection regulator, the Information Commissioner's Office (ICO)
Accessing your information:
You have the right to obtain a copy of the personal data undergoing processing: a Subject Access Request. Subject Access Requests should have a response within one month of receipt of the request, free of charge, in an intelligible format.
The period of response can be extended by two further months if necessary where, for example, complicated post-processing of information is required to make it intelligible or additional processes are needed to identify the data subject.
If the Trust deems the request to be unfounded or excessive, we have the right to refuse an information request or to charge a reasonable fee to cover the resulting administrative costs. You will be informed, within the one month period, of the reason for not taking action or charging a fee.
Subject Access Requests can be made by the individual themselves, by a legal representative; a lawyer acting on their behalf, carer, parent, guardian or appointment representative, with appropriate consent. A personal representative also has the right of access to deceased records.
Disclosure is restricted where granting access would disclose information likely to cause serious harm to the physical or mental health of the patient or another individual, where the data subject does not already know the information, or where granting access would disclose information relating to or provided by a third party who could be identified from the information and who has not provided consent for the release of the information.
To make a request of access, contact our Medical Records department using the proforma available here and emailing it to firstname.lastname@example.org or contacting the Health Records Administrator:
Health Records Administrator
Dorset County Hospital NHS Foundation Trust
Right to restrict or object to the use of your information
The right to restrict processing of healthcare data can only be exercised in the following circumstances:
- The accuracy of the data is contested
- The processing is unlawful
You have the choice to restrict processing of data for secondary purposes, through NHS Digital's National Data Opt-Out, more information is available here.
Right to have incorrect information corrected
If you feel that information held about you is incorrect, you have the right to ask for it to be corrected. This applies to matters of fact, not opinion. Incorrect demographic information will be corrected immediately. If the information is of a clinical nature, this will need to be reviewed and investigated by the Trust, which will yield one of the following outcomes:
- The Trust deems the information to be correct at the time of recording and will not amend the data. A statement from the data subject may be placed within the record to demonstrate that they disagree with the information held. The data subject has the right to appeal to the Information Commissioner.
- The Trust agrees that the information is incorrect, however it is not legal to modify or remove information within the record as it represents 'historical information' which may have influences subsequent events of decisions made therefore a note will be made in the record which alerts the reader of the inaccuracy and of the correct facts. The Trust will agree the content of the note with the data subject.
Right to Data Portability
This right only applies where the original processing is based on the data subjects consent or fulfilment of a contract that they are party to, and if the processing is automated however, in the spirit of the Regulations, Subject Access Requests should be provided in a 'useful electronic format' and where possible in a commonly used, machine-readable format. This may require you to 'unzip' your files or for the Trust to encrypt your information for you.
Right to appropriate decision making
The right to appropriate decision making applies to automated processing, including profiling, which produces legal effects or that similarly significantly affects you. The Trust has not identified any automated processing which are solely automated and without human interaction regarding the effects of processing.
Right to erasure
You cannot exercise your right to erasure with regards to records which the Trust is legally bound to retain. The Trust has an obligation, not only to retain information for a specified time period, but also not to retain information for longer than is necessary and will dispose of information in accordance with our Records Management and Lifecycle Policy.
Please see above section on Retention.
Right to lodge a complaint
If you are dissatisfied with the handling of your personal information, you have the right to make a complaint. In the first instance, formal complaints should be addressed to:
Patient Advice and Liaison
North Wing Level 1
Dorset County Hospital NHS Foundation Trust
You also have the right to make a complaint to the Information Commissioner's Office – the Independent regulator of data protection:
Information Commissioner's Office
Or using their online submission: https://ico.org.uk/global/contact-us/
Internet usage and mobile devices
Mobile phones, tablets and other devices that connect to the Internet
We recognise that mobile phones and other devices are essential to maintain communication with friends, family and loved ones. However, in a hospital they can sometimes be a nuisance to other patients, visitors and our staff and pose a risk to privacy and dignity, especially where information, images and recordings can be posted quickly on social media.
We have in place policies to protect the confidentiality and privacy of people on our site and guidance for staff, patients and visitors on how to make appropriate decisions about their use of social media in the hospital or its grounds. Mobile phones, tablets and other devices that connect to the Internet can be used across the hospital unless we specifically advise you that their use has been restricted in certain areas or circumstances.
We ask that you please switch your phone to 'silent' while in clinical areas whenever possible, and hold any mobile phone conversations away from sleeping or treatment areas. Where patients or visitors are using devices to watch or listen to recordings or conversations, please use earphones at all times to avoid being a nuisance to others.
Please note that the ward or department lead has the interests of all patients, visitors and staff to consider and has the discretion to limit the use of mobile devices in certain areas if appropriate.
Please remember that patients and visitors are responsible and personally liable for their actions and we ask that care and consideration for the privacy and dignity of other patients, visitors and staff should be given at all times. Where photographs or recordings are made on the hospital site, please do not capture other patients, visitors or staff unless you have the explicit consent of all those involved. Images or recordings made whilst a patient, or whilst visiting the Trust must not be posted onto any internet site or shared with another individual unless you have the explicit consent of all those involved. Please do not reveal information that could potentially identify a patient such as a patient's name, address, postcode, ID number, photograph, voice or video recording, rare condition, celebrity status. These must not be posted onto any internet site or shared with another person without their explicit consent.
What action may we take
If a member of staff has reason to believe that images or recordings have been made without the explicit consent of all those involved, we may ask to check and ask that this material, is deleted including any related social media posts. Where the images are considered to potentially be of an illegal nature, we may need to take further action.
Please remember that any comments or internet posts which are of a discriminatory, racist or defamatory nature will be reported to the Police for investigation.
Patients who use Hospedia or Trust run wi-fi systems must conform to the terms and conditions of use.
These measures are designed to help protect people's confidentiality within hospital and we thank you for your understanding.