This policy sets out how University College London Hospitals NHS Foundation Trust (UCLH) processes and stores personal confidential information relating to our patients, service users, and users of our websites in our day-to-day activities.

To enable UCLH to fulfil our obligations to deliver diagnosis, treatment, research, education, and our community services we collect and process personal and special category information. In so doing, UCLH adheres to the requirements of all applicable legislation including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and applies those requirements to any personal information we hold that relates to you.

The UK GDPR makes all organisations accountable for the personal and special category information they process about you by ensuring the data processed is in line with the lawful bases detailed in articles 6 and 9. The main lawful basis used is Public Task as a public organisation and in this case your consent is not required, but the common law duty of confidentiality must be adhered to when using this lawful basis. There may be other circumstances where UCLH will rely on a different purpose for processing; please see the examples below:

  • Consent
    • To comply with your right of access where you or someone acting on your behalf requests copies of your data
    • Contacting you to set your preferences on fundraising and marketing initiatives
  • Contract
    • For the purposes of employment
  • Legal obligation
    • To comply with a court order
  • Vital interest
    • Sharing your data to save your life
  • Legitimate interest
    • To contact you about fundraising and marketing initiatives of a similar nature to communications that you have consented to receiving in the past. An opt out will always be provided and communications will stop immediately if you unsubscribe.

We aim to be clear about when and how we collect your information and will not do anything with it you would not reasonably expect or which we have not made you aware of. Please read this policy carefully to understand how we collect, use, share and store your information.

Contacting us

UCLH is a data controller in respect of your personal information. If you have any questions about this policy or the ways in which we may process your personal information, please contact the Data Protection Officer at:

UCLH.IGQueries@nhs.net or

Data Protection Officer
1st Floor
Maple House
Tottenham Court Road
London
W1T 7NF

Health and social care professionals working with you – such as doctors, nurses, support workers, psychologists, occupational therapists, social workers and other staff involved in your care – keep records about you, your health and any care and treatment you are offered or receive. This may include: 

  • Name, address, date of birth, phone number, and email address (where you have provided it to enable us to communicate with you)
  • Your next of kin’s contact details
  • Notes and reports about your physical or mental health and any treatment, care or support you need and receive
  • Results of your tests and diagnosis, including medical imaging
  • Relevant information from other professionals, relatives or those who care for you or know you well
  • Any contacts you have with us such as home visits or outpatient appointments
  • Information on medicines, side effects and allergies
  • Patient experience feedback and treatment outcome information you provide.

Most of your records are electronic and are held on a computer system and secure IT network. New models of service delivery are being implemented, with closer working with GPs and other healthcare and social care providers. To assist this, other electronic patient record systems to share your information will be used. At the relevant point you will be given the opportunity to say no and to opt-out of having your information held on these systems. Should you choose to opt-in, please note that at any point afterwards you can change your mind and opt-out by informing your GP and / or relevant health professional involved in your care.

When you visit our website, you may provide us with personal information such as:

  • Your name
  • Your contact details
  • Your date of birth
  • Your gender
  • Your credit/debit card details
  • Your job title
  • Your employment history
  • Information on your usage of our website

Here are some examples of when you can provide us with personal information on this website:

  • When contacting us with an enquiry either via webform or email link
  • When signing up to a newsletter
  • When purchasing an event ticket
  • When giving feedback
  • When filling out a form, e.g., referral forms, membership applications
  • When you apply for a job with us. Our human resources department will update you on progress of your application. Please note that UCLH retains evidence of a staff member’s right to work, security documentation and a successful candidate’s application form for six years after the staff member leaves or on their 75th birthday, whichever is sooner. However there is no legislation which prescribes how long to retain information relating to unsuccessful candidates. The UCLH approach is therefore to retain this information for 400 days after the interview date for unsuccessful candidates. 

Data protection law recognises the difference between personal data and that of a more sensitive nature such as racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences. 

The UK GDPR adds a special data category of genetic data and biometric data that is processed to uniquely identify an individual. 

As a healthcare organisation, UCLH will therefore collect sensitive data as defined above. For example:

  • When submitting or receiving a referral request
  • During appointments and consultations with your care team
  • During treatment and diagnostic tests
  • When submitting your story to be considered as a case study 

However, we do not solely collect healthcare information. Other information will include ethnicity, religious information, for example to make us aware of dietary requirements or limits to treatment, or philosophical beliefs, for example for patients who are vegan and therefore have requirements regarding particular medicines. 

Every day we are working to ensure that our staff provide inclusive services to all patients, which meet their needs and are delivered with kindness, dignity, and respect, irrespective of any equality characteristic such as gender, race, religion, or disability status. We also want to ensure that all our staff are treated similarly with kindness, dignity, and respect. Staff and patient surveys are a key mechanism in helping us achieve this as we carefully consider their experiences and feedback to help shape our policies and culture. An equality monitoring form is also sent with all complaint acknowledgements to advise the Trust on this important area. As such, we gather, analyse, report and monitor our workforce and patient equality data by protected characteristics.

UCLH is a member of the OneLondon programme that joins together local health and care systems across London – working together to improve how health and care services are delivered and experienced. Joining up your health and care information will improve the local services you receive as health and care professionals involved in your care will be able to see your information and make quicker and safer decisions about your care.

Two systems that are part of the programme:

  • London Care Record (Formerly Health Information Exchange (HIE))

  • HealtheIntent (HEI) system

London Care Record (Formerly Health Information Exchange (HIE))

UCLH currently works with GP practices, other hospitals and social services across North Central London to make your information available to them. It has now been expanded across London. A record of care is held on each partner’s secure clinical system (a local record). London Care Record integrates data from each partner’s electronic health and care systems to provide a real-time and read-only summary of that data to a care professional when required for the purpose of your direct care. 

The care professional can see relevant parts of your clinical record; this excludes certain sensitive data items as detailed below. 

The categories of personal information we share 

Personal information (or Personal Data) means any information about an individual from which that person can be identified. It does not include information where the identity has been removed (anonymous data). The Personal Data that is shared includes: 

  • Identifying Data: forename, surname, address, date of birth, gender, age, postal address, postcode, telephone number, NHS number and hospital ID 
  • Special categories of Personal Data: physical/mental health or condition. For example, blood test results, allergies, information about scans such as MRI, CT and X-ray results, and appointments etc. 

However, not every element of your information is part of the joint record. Examples of the sensitive information that will be left out include fertility treatment, termination of pregnancy, gender change and female genital mutilation records. 

How can I “opt-out” of data sharing via London Care Record? 

We ask you to think carefully before making this decision as sharing your health and social care information will make it easier for services to provide the best treatment and care for you.

If you choose to opt out, we may still need to share data for your care, but it will be using less immediate methods. For example, your GP may refer you to a hospital consultant by email. During your hospital appointment, the consultant will be able to see some of the information your GP holds about you by referring to the London Care Record. If you opt out, the consultant may only see the information the GP put in the email or may need to phone or fax your GP in advance of your appointment. 

If you would like to speak to someone about your choice, you can call the enquiry line on 020 3688 1900.

You can opt-out of having your Personal Data shared via London Care Record by completing the form on our website.  

If you choose to opt-out: 

  • You may have to answer questions repeatedly because your full history may not be available to the care professional assessing you. 
  • Decisions about your care may take longer, even in emergency situations, as history needs to be confirmed. 
  • Some medical tests may get repeated unnecessarily, e.g. if you had a blood test with your hospital consultant, your GP may not be able to see this. 

For further information on the London Care Record, please visit the North Central London website.

HealtheIntent (HEI) system

UCLH currently works with GP practices, other hospitals, and social services across North Central London to provide a platform, HealtheIntent, which allows health and care professionals to be more proactive in the care of patients and communities.

The system links elements of health and care information from different sources and enables clinicians to manage and plan care for individuals and groups of residents in relation to health or social care. Health care professionals directly involved in a patient’s care can view a patient’s joined-up record, showing information collected by different providers over time. The joined-up record helps to spot trends, concerns or gaps in care. The information contained in this record is used to create ‘registries’ and ‘analytics’.

For further information on HealtheIntent, please visit the North Central London website.

We will process your personal information fairly and lawfully by only using it if we have a lawful reason to do so. Making you aware of your rights and how your information is used is important to us and therefore we have summarised this below. 

However, please note that we do not rely on consent as a legal basis for processing information that concerns your direct care. This is because we are obliged by law to make use of your personal information and record the care and treatment we provide to you. This is also necessary to allow us to provide you with safe and effective care. It would not be correct to say that you have a choice as to whether or not we will use your personal information if we are going to provide you with care and treatment. For this reason, instead of consent, we rely on specific provisions under the law, such as ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’ 

This means we use your personal information to provide you with your direct care without seeking your consent. However, you do have the right to object to our use of your information. We will consider your objection but if we comply with your wishes we will explain how this could have an impact on our ability to provide you with care.

While most of the information we process will be for direct healthcare purposes, please note that there are other important reasons that we may need to process your personal information. For example:

  • For private care patients we will need to process your data for the administration and obtaining payment for services provided
  • To conduct clinical research (although any published data is anonymised)

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and / or within our legitimate interests. 

We will only use enough of your personal information that will be relevant and necessary for us to carry out various tasks within the delivery of your care.

We will keep your information accurate and up to date when using it and if it is found to be wrong, we will make it right, where appropriate as soon as we can. We also ask that you update us on any changes to your information to help us ensure accuracy.

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements. 

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements. In addition, all records held by the NHS are subject to the Records Management Code of Practice for Health and Social Care 2021 (the Code). The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.

Details of retention periods for different aspects of your personal information are available in our retention policy which you can request from us by contacting us.

In some circumstances we may anonymise and de-identify your personal information (so that it can no longer be associated with you) for research or statistical purposes. In these circumstances we may use this information indefinitely without further notice to you.

Closed Circuit Television (CCTV)

The Trust makes use of CCTV systems, including body worn cameras, for crime prevention in line with the Information Commissioner’s CCTV code of practice.

The recordings are kept for between 28 and 30 days (1 month).

As a healthcare organisation UCLH will need to share your personal information in the following circumstances to meet our duty of care to you as our patients/service users.

 

  1. With your care team to provide your care and treatment.
  2. With other NHS organisations and private healthcare organisations e.g., for direct care purposes.
  3. With other agencies, including social services, and other professionals and services involved in your care. We will only share your information in this way if it is considered necessary.

You have the right to object or withdraw your consent to information sharing at any time. Please discuss this with your relevant health care professional involved in your care who can seek advice from our Information Governance department. If you want to withdraw your consent to us sharing your information and this is likely to change the way you receive further care we will explain this to you so that you can make a fully informed choice.

A person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies. In these rare circumstances we are not required to have your consent and rely on other lawful grounds to process the data, for example, our legitimate interests for the purposes of improving our services and website in order to run our organisation effectively and efficiently. We may also process data where it is necessary for the performance of a contract, for example for private patients we need to process billing information. 

Other examples of this are:

  • If there is a concern that you are putting yourself at risk of serious harm
  • If there is concern that you are putting another person at risk of serious harm
  • If there is concern that you are putting a child at risk of harm
  • If we have been instructed to do so by a court
  • Immigration authorities / relevant third parties requiring information to obtain payment for services provided to overseas visitors
  • If the information is essential for the investigation of a serious crime
  • If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
  • If your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases
  • If regulators use their legal powers to require us to provide them with patient information as part of any investigations they are undertaking. 

UCLH Hosted Organisations

Children and Young People’s Gender Service

UCLH is working in partnership with Great Ormond Street Hospital for Children NHS Foundation Trust, Guy’s and St Thomas’ NHS Foundation Trust, and South London and Maudsley NHS Foundation Trust to provide the Children and Young People’s Gender Service. This is hosted by Great Ormond Street Hospital for Children NHS Foundation Trust and further information on privacy can be obtained by visiting their privacy policy:

SFR Medical

This is a service used by UK police forces to obtain evidence from UK NHS Trusts when criminal offences have been committed.

You can choose to withhold your consent if you are contacted by SFR when they are investigating a crime you have fallen victim to and this will be handled by your local police force.

NHS Patient Survey Programme (NPSP) is part of the government’s commitment to ensure patient feedback is used to inform the improvement and development of NHS services. We may share your contact information with an NHS approved contractor to be used for the purpose of the NPSP. Please note that no information about your care and treatment is provided to the organisation that does this survey.

NHS England assesses the effectiveness of the care provided by publicly-funded services. We have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires, on a regular basis to meet our NHS contract obligations.

You have the right to object to us sharing your information with NHS England – this will not affect your care in any way. For information about how you can opt-out of sharing your data with NHS Digital please click on this link.

National Examinations Board for Dental Nurses: https://www.nebdn.org/privacy-centre/

 

HCA

Section 251

What is confidential patient information and why is it used?

Confidential patient information is a legal term defined in Section 251 of the NHS Act 2006. It applies to both living and deceased patients and meets the definition if all of the following apply:

  • the information is identifiable or likely to be identifiable - this is determined on a case-by-case basis but can include identifiers such as:
    • NHS number, name, address and date of birth, or
    • where the activity requires information on rare illnesses that could potentially identify a patient or
    • where the patient could be identified from other data likely to be held by the person or organisation receiving the data
  • the information was provided under circumstances where the individual is owed an obligation of confidence
  • the information conveys details about the physical or mental health or condition of an individual, a diagnosis of their condition, or information on their care or treatment

Under the common law duty of confidentiality, if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without patient consent.

However, there are certain circumstances when confidential patient information can be used for the benefit of research and other important activities without patient consent. An alternative legal basis is required which is commonly Section 251 support. You can find examples of activities relying on Section 251 support in our registers of approved applications.

What is Section 251?

This is a shorthand term and refers to section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002.

Section 251 was established as it was recognised that there were essential activities of the NHS, and important medical research, that required the use of confidential patient information where it was not possible to use anonymised information and obtaining consent was not practical.

Section 251 allows the common law duty of confidentiality to be lifted temporarily to enable disclosure of confidential patient information for medical purposes. Whilst it is commonly referred to as ‘Section 251’ support, support is actually given under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002. Therefore, they are the same thing.

What does Section 251 support mean?

CAG reviews research and non-research applications and advises under the framework of the Health Service (Control of Patient Information) Regulations 2002. They will consider whether there is sufficient public interest to temporarily lift the common law duty of confidentiality and enable access to the requested confidential patient information. Using the CAG advice as a basis for their consideration, the following bodies act as the decision maker on whether Section 251 support can be provided:

  • the Health Research Authority (HRA) – for research applications
  • the Secretary of State for Health – for non-research applications such as registries and databases
  • NHS England – in relation to data dissemination.

Data dissemination

The Health and Social Care Act 2012 (as amended) states that NHS England must pay careful attention to CAG advice on data dissemination.

In turn, CAG considers advice requests from NHS England in relation to its dissemination framework, more information on which can be found on the NHS England website.

All of the advice CAG gives to NHS England is available in their minutes.

You can obtain more information on section 251 approvals by visiting: https://www.hra.nhs.uk/about-us/committees-and-services/confidentiality-advisory-group/confidential-patient-information-and-regulations/

To view the current section 251 approvals for research and non-research applications please visit: CAG registers - Health Research Authority (hra.nhs.uk)

Research

UCLH is famous for its world-class research. We typically have hundreds of studies recruiting at any one time, with some 20,000 of our patients taking part in clinical trials.

This means our patients have access to some of the most cutting-edge treatments and we are able to offer many patients the opportunity to take part in trials.

These studies are sponsored both internally by UCLH, and externally with partners such as Microsoft.

Some of this research uses innovative techniques such as artificial intelligence and machine learning to build new models for improving patient care.

To find further information on research at UCLH, how your data is used, and which studies are currently active, please see links to the resources below:

https://www.uclh.nhs.uk/research

https://www.uclh.nhs.uk/research/research-and-data

Protecting patient data in research - security, storage and consent : University College London Hospitals NHS Foundation Trust (uclh.nhs.uk)

https://www.uclh.nhs.uk/research/biomedical-research-centre

https://findastudy.uclh.nhs.uk/

https://www.uclhospitals.brc.nihr.ac.uk/data-and-research/data-trust-committee

https://www.uclhospitals.brc.nihr.ac.uk/research-data-concierge-service/data-access-process-research-dap-r

The UK GDPR enforces individual rights to give you more control over your personal data. These include the right to access a copy of your personal information, or have some elements of it transmitted to you or another health provider in a common electronic format. In certain circumstances you can have your personal information corrected or erased, or you can restrict our use of it. You also have the right to object to the way we use your personal information as described above. Please note in some cases we will be required to undertake a risk assessment when considering the rights that are not absolute.

We generally won’t charge you to exercise these rights. You have the following rights:

To be informed

You have a right to ask UCLH if we have your personal information. If we do, you have a right to know:

  • why we have it
  • what type of information we possess
  • how we use it
  • whether we have or will send it to others, especially outside the European Economic Area
  • how long we will keep it
  • where we got it from
  • details of any automated decision-making

 

Access and portability

You have the right to ask UCLH to provide you with a copy of your personal information held, and to request that this is shared with another person or organisation in a commonly accessible and readable format.

Rectification

Where any of your information is incorrect, you have a right to tell us to correct it promptly. Please tell us as quickly as possible if you change your address or other contact details. If your information is incomplete, you can ask us to correct this too.

Where your rectification request is to make changes to factually correct information, e.g., medical diagnosis or clinical opinions of your care team, you will be invited to provide a supplementary statement to be added to your record highlighting your concerns.

To object

Depending on the legal basis on which we are using your information, you may be entitled to object.

Erasure

You may have a right to have some or all of the information we hold about you deleted. Your medical records are legal records and are required to be kept in line with the retention periods as set out in the NHS Records Management Code of Practice 2021. If you have a chronic illness your records will be required to be kept for longer to ensure continuity of care and clinical safety.

 

Restriction

You might also be entitled to ask us to restrict our use of your information — for example, if you think the information we hold on you is incorrect or you would like to limit who it is shared with.

UCLH has a statutory obligation to respond to your individual rights within one calendar month of receipt of a full request. A full request is identified as a written or verbal request received from you with a copy of your photo ID, proof of address and clarification of what information you are expecting to receive. Where the request is assessed as complex, UCLH can extend the response time by an additional two calendar months. Complex requests are assessed on:

    • Technical difficulties in retrieving the information.
    • Applying an exemption that involves large volumes of particularly sensitive information.
    • Any specialist work involved in obtaining the information or communicating it in an intelligible form.
    • Needing to obtain specialist legal advice.
    • Searching large volumes of unstructured manual records.

 

Withdrawing consent

If you consent to us using your information and you change your mind, you have the right to withdraw that consent at any time.

You can do this by contacting the appropriate team below:

 

All subject access requests should be sent to the Release of Information Team:

Email: UCLH.releaseofinformation@nhs.net

All other rights requests should be sent to the Information Governance Team:

Email: IGQueries@nhs.net

Postal requests should be sent to:

UCLH Release of Information Team
ICT Directorate
1st floor, Maple House
149 Tottenham Court Road
London
W1T 7NF

We aim to comply with your requests where possible and provide a full response to complaints and questions you have about your personal information. However, if you believe we have not adequately resolved a matter, you have the right, at any time, to complain to the Information Commissioner’s Office (ICO).

As an independent UK authority, the ICO upholds information rights in the public interest, promotes openness by public bodies and data privacy for individuals. You can visit their website at https://ico.org.uk/ or ask for details from our Data Rights team.

We use a number of different cookies on our site. If you do not know what cookies are, or how to control or delete them, then we recommend you visit http://ico.org.uk/for_the_public/topic_specific_guides/online/cookies for detailed guidance.

The list below describes the types of cookies we use on this site. Currently we operate an ‘implied consent’ policy which means that we assume you are happy with this usage. If you are not happy, then you should either not use this site, delete the cookies having visited the site, or you should browse the site using your browser’s anonymous usage setting (called “Incognito” in Chrome, “InPrivate” for Internet Explorer, “Private Browsing” in Firefox and Safari etc.).

Google Analytics

We use Google Analytics to collect information about visitor behaviour on our website. Google Analytics stores information about what pages you visit, how long you are on the site, how you got here and what you click on. This Analytics data is collected via a JavaScript tag in the pages of our site and is not tied to personally identifiable information. We therefore do not collect or store your personal information (e.g. your name or address) so this information cannot be used to identify who you are.

You can find out more about Google’s position on privacy as regards its analytics service at http://www.google.com/policies/privacy/ 

 

Third Party Cookies

These are cookies set on your machine by external websites whose services are used on this site. Cookies of this type are set by the sharing buttons across the site, which allow visitors to share content onto social networks. Cookies are currently set by LinkedIn, Twitter, Facebook, Instagram and YouTube. In order to implement these buttons, and connect them to the relevant social networks and external sites, there are scripts from domains outside of our website. You should be aware that these sites are likely to be collecting information about what you are doing all around the internet, including on this website.

You should check the respective policies of each of these sites to see how exactly they use your information and to find out how to opt out, or delete, such information.

Third party content and linking to other websites

This website contains links to other NHS and non-NHS websites. This privacy policy applies to UCLH only.

Following a link to another website

When you go to another website, please read the privacy policy on that website if you want to know what it does with your information. UCLH does not pass on any of your personal information to other organisations without your consent.

When you come to the UCLH site from another website, we may get personal information about you from the other website. You should read the privacy policy of websites you visit that link you to UCLH if you want to know about this.

These policies will explain how they collect and use your personal information, and whether they pass this on to websites they link you to.

Third party website content

We may embed external content from third party websites such as YouTube and include cookies. This content is not published on our website. It is delivered using tools and services from third party sites that can be inserted into our site such as media players, RSS feeds and widgets. These websites may use cookies. Their content is subject to the privacy policy of the relevant third party provider and not ours.