Your Medical Record
The health and social care system are facing significant pressures due to COVID-19. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking, and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital; NHS England and Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. COPI notices have now been extended until the end of March 2021 to help give healthcare organisations and Local Authorities the confidence to share the data needed to respond to COVID-19. This means that at the end of March 2021, the processing of data will be stopped, and information shared for the specific purpose of COVID-19 will be deleted. Further information is available on gov.uk here and some FAQs on this law are available here.
During this period of emergency, opt-outs will not generally apply to the data used to support the COVID-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new Opt-out requests whilst we focus our efforts on responding to the outbreak.
In order to look after your health and care needs, we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals, and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text, or email.
During this period of emergency, we may offer you a consultation via telephone or videoconferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation. Our approach will be in the form of the tool ‘Attend Anywhere,’ which the nationally supported video consultation platform is provided by NHS England/Improvement.
You can find out a bit more information on how the process will work for our patients by watching this video.
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England, and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of UK General Data Protection Regulation.
In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require, and we will ensure that any information collected is treated with the appropriate safeguards.
To support staff testing for Covid-19, information about the use of data at this time has been published.
It sets out how an individual’s personal data is collected and used when participating in the testing programme, as well as further information about the programme itself. You can read the full details on the link below:
Flu vaccines and the COVID-19 response
On average, flu kills over 11,000 people each year – some years this number is much higher – and it hospitalises many more. This is anything but a typical year due to the potential impact of flu and COVID-19 circulating at the same time.
This year, as well as GP practices inviting key eligible groups to receive their vaccination, reminders have gone out nationally to supplement this. COVID-19 vaccines will also be managed centrally once they are available. Given the potential time gap required between the flu and COVID-19 vaccines, it is important that the invites, reminders, and uptake of the vaccines are carefully managed together and regarded as part of the response to the COVID-19 pandemic.
This guidance describes how data is being used to help ensure that those who are entitled to a flu vaccine receive one. This includes data relating to both health and care staff and patients.
- I'm a patient/service user - what do I need to know?
- I work in a health and care organisation - what do I need to know?
- I'm an IG Professional - what do I need to know?
Patients Know Best
Sherwood Forest Hospitals is pleased to offer patients an online service that gives you secure access to your health record. It’s designed to improve your patient experience and access to NHS services and information. It also means you can receive electronic notification of your appointments, through to your computer, smartphone, or tablet device.
This service is free to our patients and can be accessed using the NHS App and through our trusted partner Patients Know Best (PKB). It’s part of our promise and on-going commitment to give you more choice and control over your care. The service will allow you to:
View your medical information including:
- Outpatient appointments
- medical correspondence
- test results
- access health resources tailored for you.
As part of this process patients will start to receive an email, letter, or text to ask them to register for the service.
Our Legal Basis for processing personal information
The ways in which we use your information are governed by law.
Clinical (direct) care
When your information is used for your care and administrative purposes related to
your care it is processed for the purposes of Article 6.1(e) of the GDPR – processing is necessary for the performance of a task carried out in the public interest and Article 9.2(h) of the GDPR – processing of special categories of data is necessary for the purposes of preventative or occupational medicine... [and] the provision of health or social care treatment or the management of health or social care systems and services.
Secondary (indirect care) purposes
When there is a legal requirement that we provide specified data to NHS Digital for
example, we rely on Article 6(1)c of the GDPR. In cases where the common law duty of confidentiality cannot be satisfied through consent, we seek approval from the
Secretary of State via the Confidentiality Advisory Group under Section 251 of the
National Health Service Act 2006.
In most instances we will rely on Article 6(1)e and Article 9(2)j of the GDPR if and
when we use your information for research. If you have formally consented to take
part in research, this will satisfy the common law duty of confidentiality. Where it has
been impracticable to obtain your consent we will seek approval from the Secretary
of State via the Confidentiality Advisory Group under Section 251 of the National
Health Service Act 2006.
For further information on this legislation please visit the Government's UK legislation
The information we hold about you
We hold your electronic and paper health (and where applicable social care) records. This contains sensitive information about you, your health, and your wellbeing. The following list provides an example of the type of information (both past and present) that can be held within your record:
- Demographic and contact details (name, date of birth, address, telephone number, email address, gender, sex, religion, marital status etc.)
- Appointments and Consultations
- Diagnoses (including physical disabilities and mental health conditions)
- Medication, Vaccinations, Pathology results (e.g. blood tests) and Allergies
- Social care involvement
- Hospital correspondence and correspondence from other health and social care settings (including x-rays, discharge letters and referrals)
- Relationships/Next of Kin.
How the NHS and care services use your information
We are one of the many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services.
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply.
You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time. Our Trust is compliant with the national data opt-out policy.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Do I have a choice?
If you wish to receive safe and appropriate care and treatment at our hospital, we must maintain an accurate record of relevant information about you. If you have any concerns about providing information, or how we share it with other health and social care providers, please discuss this with our staff so that you fully understand the potential impact on your care or treatment.
Do you ever share my information without my consent?
We will not disclose your information to any other third parties for non-care purposes without your consent unless there are exceptional circumstances or where we are legally required to report information to the appropriate authorities.
- Notifications of new births
- Diagnosis of infectious diseases such as meningitis or measles (but not HIV or AIDS) which may put other people at risk
- To comply with a court order
- Public interest, for example, if there is a risk of death or serious harm
- A legal need to share it, for example: to protect a child under the Children Act and Local Safeguarding Procedures
- To support investigations by the NHS Counter Fraud Agency
- A legitimate enquiry from the police under UK General Data Protection Regulation for information relating to a serious crime
- To comply with Confidentiality Advisory Group approvals under Section 251 of the NHS Act 2006, this permits the collection of health information for patients with specific conditions without consent for the benefit of research and other important activities. Examples include the National Cancer Registry, the Trauma Audit and Research Network, the National Congenital Anomaly, Rare Disease Registration Service, and the NHS Patient Survey Programme. If you wish to opt out of your information being used for these purposes, please contact the Trust’s Data Protection Officer.
Child Protection Information Sharing System (CP-IS)
The CP-IS shares information about children subject to a Child Protection Plan (CPP), pregnant women with an Unborn Child Protection Plan (UCPP) and children who are designated a Looked After Child (LAC) in particular children being cared for under the following sections of the Children’s Act 1989:
- Full Care Order (Section 31)
- Interim Care Order (Section 38)
- Voluntary Care Agreement (Section 20).
The benefits of this data sharing are that it:
- provides mental, sexual, dental and community paediatric healthcare professionals with a reliable source of information on who vulnerable children are in circumstances where they present for unscheduled or scheduled care
- supports maintaining contact with vulnerable children and young people to help reduce the risk of poor health outcomes, abuse, injuries and in extreme circumstances avoidable death whilst quarantined in their homes or subject to significant social restrictions during the Covid-19 response
- will enable early intervention – informing healthcare professionals so they can take action to prevent or reduce future harm happening to children
- allow improved safety and care – ensuing the information is at hand at the point of care and when children need help increase workforce efficiency and effectiveness – reducing the manual activities and filling any gaps in contextual information about a protected child.
The CP-IS flag and health audit data is currently shared between:
- Local Authorities
- emergency departments
- minor injury units
- walk-in centres
- GP out-of-hours services/111
- Unscheduled access to maternity units
- Unscheduled access to paediatric wards
- ambulance services
NHS England has now directed NHS Digital under the Covid-19 Public Health NHS England Directions, to establish and operate a system for the collection and analysis of information about child protection in response to the increased risk to vulnerable children due to the impact of the Covid-19 pandemic. The purpose is to share child protection information with the current healthcare providers and further care settings, to heighten awareness of the children at risk and enable those with statutory duty to safeguard and promote the welfare of children, to fulfill their obligations. The CP-IS will operate in the current settings (as above) for these purposes and be extended to:
- Mental health settings (unscheduled and scheduled)
- Sexual health settings (unscheduled)
- Dental settings (unscheduled and scheduled)
- Community paediatrics.
Sharing information with your family
With your agreement we will share information about your current care with your family or carer. It is important that we know which family members or carers to involve in your care, and who we can share your information with. This person does not need to be related to you, but they should be able to tell us your wishes in case you are unable to do so yourself.
How long do you keep my records?
There are national records management standards in the NHS for how long we need to keep information about you. This varies depending on the type of information. Typically, your health record is destroyed or deleted 8 years following the end of treatment, or death. Records for some patients, e.g. children’s records, are kept much longer. Our policy on the Retention and Disposal of Health Records is available here.
How do we keep your information secure and confidential?
You have the right to confidentiality under UK General Data Protection Regulation, the Human Rights Act 1998, and the common law duty of confidence. Everyone working in the NHS has a legal duty to keep information about you confidential. Anyone who receives information from us is also under a legal duty to keep it secure and confidential.
Your information is held in secure systems in both paper and electronic format. Our electronic systems record when, and by whom, your record was accessed.
New systems are subjected to a data protection impact assessment to ensure any risks to privacy are mitigated.
All staff completes annual data protection and confidentiality training, supplemented by related policies and procedures. These policies can be found on our website in the ‘About Us’ section here.
Who do you share my information with?
We recognise our duty to share information about our patients with health and care professionals from other organisations to ensure safe and effective continuity of your care. We do so under a formal agreement about how it will be used and kept confidential. Some examples are:
NHS radiology system
We are part of a group of NHS hospitals in the East Midlands that have a shared NHS radiology system. This will enable healthcare professionals in other NHS hospitals in the East Midlands to access your radiology record when necessary, to ensure you receive consistent, safe, and effective clinical care and treatment, irrespective of where you receive your care.
Here’s a link to their Privacy Notice.
Nottinghamshire Health and Care Portal
We participate in the Nottinghamshire Health and Care Portal. The community portal enables providers to electronically share your health and social care information, such as hospital and GP attendances, test results, medication and care plans with other Nottinghamshire health and social care providers. With your explicit consent, health and social care professionals, or staff who are supervised by health and social care professionals, will be able to access this information to better coordinate and provide care to you. Access is strictly controlled, and the shared record is hosted by Nottingham University Hospitals NHS Trust in their secure data centre.
Musculoskeletal (MSK) Service
You and your GP have agreed you should be referred to the MSK service. This means that the clinical staffs who work in that team will be able to look at what is written in your GP record. This is all done electronically. But if you have said you don’t want either all your record to be viewed or a part of it not to be viewed – then they won’t be able to look.
Seeing what care you have received before will help the staff in the MSK service do a better assessment of your current problem and so will be able to help you to decide what treatment you want to receive now for this current problem.
The GP record though will still be kept by the GP; we’re only allowing the MSK specialists to ‘see’ it. What this also means is your GP can see what you and the MSK service have agreed as your treatment.
With the online application “AirView”, the Physiologists from the Sleep Service at Sherwood Forest Hospitals NHS Foundation Trust can monitor your sleep diagnosis and/or therapy from a distance.
For this purpose, data is collected by ResMed CPAP or Non-Invasive Ventilator Machines which are used to diagnose or treat patients with sleep-disordered breathing. This data includes the length of time the machine and the mask are used, leakage figures, pressure values or the apnoea-hypopnoea index – are transmitted to AirView in encrypted form.
The Device is identified by means of the serial number; no personal data such as name or address are sent. Afterwards, the data which have been transmitted can only be attributed to individuals by Sherwood Forest Hospital NHS Foundation Trust, who can then use the information for your treatment.
National Adult Asthma Audit
The adult asthma audit forms part of the National Clinical Audit and Patient Outcomes Programmes (NCAPOP). The adult asthma audit will collect patient identifiable information in order to link patient data to HES, ONS, eDris and PEDW data.
NACAP has approval from the Health Research Authority (for England and Wales) to collect this information without patient consent. Please see reference number below:
Health Research Authority – CAG reference number: CAG 8-06(b)/2013
National Inpatient Survey
This national survey will help us at and the Care Quality Commission to find out what was good about your care and if any improvements are needed.
Below are the companies that provide this service to the Trust:
- Healthnet - https://healthnethomecare.co.uk/
- Healthcare at home - https://hah.co.uk/
- Pharmaxo - https://pharmaxo.com/
- Alcura - https://www.alcura-health.co.uk/
- Baxter - https://www.baxterhealthcare.co.uk/our-products
CareLink™ System is a service provided by Medtronic to health care professionals to upload patient insulin pumps, continuous glucose monitor devices and compatible BG meters. This enables health care professionals to generate reports to assist with patient’s diabetes management. health care professional’s may create a patient profile in the system and upload a patients compatible device in clinic to see data from their device or request that the patient links their CareLink Personal™ with the clinic so that data patients upload at home can be viewed in CareLink™ System by the health care professional.
Further information is available here.
Pilot study in conjunction with the Sherwood Forest perioperative team whereby Sapien Health will be used to support 100 patients before and after their surgery with a view to improving their surgical outcomes.
Sapien is a mobile app-based behavioural intervention for patients undergoing elective surgery. The Sapien Health model combines personalised digital guidance with 1-to-1 remote health coaching to help optimise patients preoperatively and support their recovery during the postoperative phase.
Further information is available here.
Outpatient Parental Antibiotic’s Therapy (OPAT) Database – Horizon Strategic Partners Ltd
The database will store patient demographics, treatment plans and medications. Further information is available here.
The service uses Endobase software package to record the finding of the endoscopy procedure and produce a final report which is shared with the Patient, their GP and printed for a copy to be retained on their paper patient record file.
We continually try to raise the standard of care we provide. To do this we need to review the clinical work we do, this is typically done using a process known as Clinical Audit. Access to your patient records for this purpose is monitored and only anonymous information is used.
Health Research Authority
Consent is an important part of the research process and is frequently sought for participation in research studies. One reason is to ensure that any disclosure of confidential information meets the requirements of the common law duty of confidentiality. Where consent is sought from research participants, they are normally told how information about them will be used. The guidance below outlines the relevant time frame patient records should be retained if they have participated in a clinical trial.
The rationale for retaining patient records for an appropriate period is to allow further analysis and safety monitoring by regulatory authorities as necessary.
The Medical Research Council (MRC) has set out guidance for the time frame of the retention of medical notes below:
- For basic research –research data and data material should be retained for 5 years after the completion of the trial.
- For population health and clinical studies, the records and research data should be retained for 20 years after the study has been completed.
- Studies that require records to be retained for more than 20 years must have a valid justification.
- In some cases, the sponsor of the clinical trial may have set guidance for a specific retention time which differs from the MRC. In such cases the sponsor guidance should be followed.
In order to identify patient records that must be retained in this way a yellow alert sticker is placed on the red alert page in the inside of a patients’ notes.
If there is any doubt or concern over how long an individual patient’s record should be stored please contact the Head of Research and Innovation.
Here is a link to their Privacy Notice.
If you want to know more
If you have any concerns about how we keep and manage your personal information, please discuss this with a member of the team providing your care at the Trust.
Your data protection rights
Under data protection law, you have rights including:
Your right of access - You have the right to ask us for copies of your personal information. You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. Please see further information below ‘How can I see the information you hold about me’.
Your right to rectification - You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing - You have the the right to object to the processing of your personal data in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
How can I see the information you hold about me?
You have the right to access any information we hold about you. Please email: email@example.com or write to:
Access to Health Records
King’s Mill Hospital
Sutton in Ashfield
Telephone: 01623 672231
Can I access personal information about my child?
Information about children under 12 may be released to a person with parental responsibility. However, the best interests of the child will always be considered.
Even if a child is very young, data about them is still their personal data and does not belong to anyone else. It is the child who has a right of access to the information held about them.
Before responding to a request for information held about a child 12 years or over, we will consider whether the child is mature enough to understand their rights. If we are confident that the child can understand their rights, then we will respond to the child rather than the parent. What matters is that the child can understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so.
Can I access personal information on someone else’s behalf?
The UK General Data Protection Regulation does not stop you making a request on someone else’s behalf. This is often necessary for a solicitor acting on behalf of a client, or it could simply be that an individual wants someone else to act for them.
In these cases, we will need to satisfy ourselves that the third party making the request has the individual’s permission to act on their behalf. It is the third party’s responsibility to provide this evidence, which could be a written authority to make the request, or a power of attorney.
If a person does not have the mental capacity to manage their own affairs and you are their attorney, for example you have a Lasting Power of Attorney with authority to manage their property and affairs; you will have the right to access information about the person you represent to help you carry out your role. The same applies to a person appointed to make decisions about such matters:
- In England and Wales, by the Court of Protection
- In Scotland, by the Sheriff Court; and
- In Northern Ireland, by the High Court (Office of Care and Protection).
Accessing and sharing information: Acting on behalf of a person with dementia
Can I access information about the deceased under the UK General Data Protection Regulation?
The Regulation only applies to personal information about a living individual. You may access information about deceased individuals through other legislation, such as the Access to Health Records Act.
Do I have to prove who I am?
Yes, we must be satisfied that an applicant is the patient or their authorised representative. This means we will ask for proof of identity and reserve the right to make further checks if necessary or refuse access if there is any doubt.
Applicants applying for a child’s health records will be asked to supply a copy of the child’s birth certificate and sign a form of authority confirming that they hold legal parental responsibility or if the applicant is not a parent, documentary evidence confirming parental responsibility.
What can I expect if I have rights under the Equality Act 2010 (or Disability Discrimination Act 1995 in Northern Ireland)?
Under equality law we have a duty to make sure that our services are accessible to all service users. You can request a response in a particular format that is accessible to you, such as Braille, large print, email, or audio format.
If you think that we have failed to make a reasonable adjustment, you can make a claim under the Equality Act (or Disability Discrimination Act in Northern Ireland).
Further advice is available from:
Equality Advisory Support Service (EASS) – http://www.equalityadvisoryservice.com; and
Citizens Advice – https://www.citizensadvice.org.uk/.
Can we withhold any information?
Yes. There are some circumstances where the information you have asked for contains information that relates to another person. Unless the other person gives their permission, or it is reasonable in all the circumstances to provide the information without permission, we are entitled to withhold this information.
The UK General Data Protection Regulation covers personal information that:
- is held, or going to be held on computer
- is in, or going to be in, a manual filing system that is highly structured so that information about you can be easily retrieved
- is in most health, educational, social service, or housing records; or
- is other information held by a public authority?
How to complain
If you feel we have withheld some of your personal information, we recommend you contact us with your concern. Make sure you state the information you think is being withheld.
If you have contacted us and still believe some of your personal information is being withheld, or you are unhappy with how we have used your data please contact the Information Commissioner’s Office via their live chat service or call their helpline on 0303 123 1113.
The ICO’s address:
Information Commissioner’s Office
Security cameras are installed at various locations at our sites to prevent and detect crime, and for the protection of staff, visitors and patients and their property.
Short Message Service (SMS) text messaging
When attending the Trust for an outpatient appointment or a procedure you may be asked to confirm that the Trust has an accurate contact number and mobile telephone number for you. With your agreement your mobile number can be used to provide appointment details via SMS text messages.
We use a third-party provider, MailChimp, to deliver our monthly e-newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter.
Here is a link to their Privacy Notice.
People who contact us via social media
We use a third-party provider, Tweetdeck to manage our social media interactions.
If you send us a private or direct message via social media, the message will be stored by Tweetdeck for three months. It will not be shared with any other organisations.
Here is a link to their Privacy Notice.
We collect information volunteered by members of the public about membership either using paper forms or an online form which links directly to the membership database hosted by MES (Membership Engagement Services). MES processes personal information in line with our constitution. Information from the paper forms is transferred into the membership database.
Here is a link to their Privacy Notice.
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 7th October 2021.
Data Protection Officer
Information Governance Manager firstname.lastname@example.org 01623 672232.
The Trust is registered as a Data Controller with the Information Commissioner’s Office. Our ICO registration number is Z4885823. Our registration entry can be found here.
Further information on the UK General Data Protection Regulation can be found here.
How to contact us
Or write to:
King's Mill Hospital
Sutton in Ashfield