Your medical record
The information we hold about you
We hold your electronic and paper health (and where applicable social care) records. These contain sensitive information about you, your health and your wellbeing. The following list provides an example of the type of information (both past and present) that can be held within your record:
- Demographic and contact details (name, date of birth, address, telephone number, email address, gender, sex, religion, marital status etc.)
- Appointments and Consultations
- Diagnoses (including physical disabilities and mental health conditions)
- Medication, Vaccinations, Pathology results (e.g. blood tests) and Allergies
- Social care involvement
- Hospital correspondence and correspondence from other health and social care settings (including x-rays, discharge letters and referrals)
- Relationships/Next of Kin
How the NHS and care services use your information
We are one of the many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.
You have a choice about whether you want your confidential patient information to be used in this way.
To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit https://www.nhs.uk/your-nhs-data-matters/. If you do choose to opt out you can still consent to your data being used for specific purposes.
If you are happy with this use of information you do not need to do anything. You can change your choice at any time.
Do I have a choice?
If you wish to receive safe and appropriate care and treatment at our hospital we must maintain an accurate record of relevant information about you. If you have any concerns about providing information, or how we share it with other health and social care providers, please discuss this with our staff so that you fully understand the potential impact on your care or treatment.
Do you ever share my information without my consent?
We will not disclose your information to any other third parties for non-care purposes without your consent unless there are exceptional circumstances or where we are legally required to report information to the appropriate authorities, for example:
- Notifications of new births
- Diagnosis of infectious diseases such as meningitis or measles (but not HIV or AIDS) which may put other people at risk
- To comply with a court order
- Public interest, for example, if there is a risk of death or serious harm
- A legal need to share it, for example: to protect a child under the Children Act and Local Safeguarding Procedures
- To support investigations by the NHS Counter Fraud Agency
- A legitimate enquiry from the police under data protection legislation for information relating to a serious crime
Sharing information with your family
With your agreement we will share information about your current care with your family or carer. It is important that we know which family members or carers to involve in your care, and who we can share your information with. This person does not need to be related to you but they should be able to tell us your wishes in case you are unable to do so yourself.
Security cameras are installed at various locations at our sites to prevent and detect crime, and for the protection of staff, visitors and patients and their property.
Short Message Service (SMS) text messaging
When attending the Trust for an outpatient appointment or a procedure you may be asked to confirm that the Trust has an accurate contact number and mobile telephone number for you. With your agreement your mobile number can be used to provide appointment details via SMS text messages.
How long do you keep my records?
There are national records management standards in the NHS for how long we need to keep information about you. This varies depending on the type of information. Typically, your health record is destroyed or deleted 8 years following the end of treatment, or death. Records for some patients, e.g. children’s records, are kept much longer. Our policy on the Retention and Disposal of Health Records is available here.
How do we keep your information secure and confidential?
You have the right to confidentiality under data protection legislation, the Human Rights Act 1998 and the common law duty of confidence. Everyone working in the NHS has a legal duty to keep information about you confidential. Anyone who receives information from us is also under a legal duty to keep it secure and confidential.
Your information is held in secure systems in both paper and electronic format. Our electronic systems record when, and by whom, your record was accessed.
New systems are subjected to a data protection impact assessment to ensure any risks to privacy are mitigated.
All staff complete annual data protection and confidentiality training, supplemented by related policies and procedures. These policies can be found on our website.
Who do you share my information with?
We recognise our duty to share information about our patients with healthcare professionals from other organisations to ensure safe and effective continuity of your care. We do so under a formal agreement about how it will be used and kept confidential. Some examples are:
NHS radiology system
We are part of a group of NHS hospitals in the East Midlands that have a shared NHS radiology system. This will enable healthcare professionals in other NHS hospitals in the East Midlands to access your radiology record when necessary, to ensure you receive consistent, safe and effective clinical care and treatment, irrespective of where you receive your care.
Here is a link to their Privacy Notice.
Nottinghamshire Health and Care Portal
We participate in the Nottinghamshire Health and Care Portal. The community portal enables providers to electronically share your health and social care information, such as hospital and GP attendances, test results, medication and care plans with other Nottinghamshire health and social care providers. With your explicit consent, health and social care professionals, or staff who are supervised by health and social care professionals, will be able to access this information to better coordinate and provide care to you. Access is strictly controlled and the shared record is hosted by Nottingham University Hospitals NHS Trust in their secure data centre.
If you want to know more
If you have any concerns about how we keep and manage your personal information, please discuss this with a member of the team providing your care at the Trust.
How can I see the information you hold about me?
You have the right to access any information we hold about you.
Access to Health Records
Case Notes Store
King’s Mill Hospital
Sutton in Ashfield
Telephone: 01623 672231
Can I access personal information about my child?
Information about children may be released to a person with parental responsibility. However, the best interests of the child will always be considered.
Even if a child is very young, data about them is still their personal data and does not belong to anyone else. It is the child who has a right of access to the information held about them.
Before responding to a request for information held about a child, we will consider whether the child is mature enough to understand their rights. If we are confident that the child can understand their rights, then we will respond to the child rather than the parent. What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so.
Can I access personal information on someone else’s behalf?
The Data Protection Act does not stop you making a request on someone else’s behalf. This is often necessary for a solicitor acting on behalf of a client, or it could simply be that an individual wants someone else to act for them.
In these cases, we will need to satisfy ourselves that the third party making the request has the individual’s permission to act on their behalf. It is the third party’s responsibility to provide this evidence, which could be a written authority to make the request, or a power of attorney.
If a person does not have the mental capacity to manage their own affairs and you are their attorney (for example, you have a Lasting Power of Attorney with authority to manage their property and affairs), you will have the right to access information about the person you represent to help you carry out your role. The same applies to a person appointed to make decisions about such matters:
- In England and Wales, by the Court of Protection;
- In Scotland, by the Sheriff Court; and
- In Northern Ireland, by the High Court (Office of Care and Protection).
Accessing and sharing information: Acting on behalf of a person with dementia
Can I access information about the deceased under the Data Protection Act 2018?
The Act only applies to personal information about a living individual. You may access information about deceased individuals through other legislation, such as the Access to Health Records Act.
Do I have to prove who I am?
Yes, we must be satisfied that an applicant is the patient or their authorised representative. This means we will ask for proof of identity and reserve the right to make further checks if necessary or refuse access if there is any doubt.
Applicants applying for a child’s health records will be asked to supply a copy of the child’s birth certificate and sign a form of authority confirming that they hold legal parental responsibility or, if the applicant is not a parent, documentary evidence confirming parental responsibility.
What can I expect if I have rights under the Equality Act 2010 (or Disability Discrimination Act 1995 in Northern Ireland)?
Under equality law we have a duty to make sure that our services are accessible to all service users. You can request a response in a particular format that is accessible to you, such as Braille, large print, email or audio format.
If you think that we have failed to make a reasonable adjustment, you can make a claim under the Equality Act (or Disability Discrimination Act in Northern Ireland).
Further advice is available from:
Equality Advisory Support Service (EASS) – http://www.equalityadvisoryservice.com; and
Citizens Advice – https://www.citizensadvice.org.uk/.
Can we withhold any information?
Yes. There are some circumstances where the information you have asked for contains information that relates to another person. Unless the other person gives their permission, or it is reasonable in all the circumstances to provide the information without permission, we are entitled to withhold this information.
The Data Protection Act covers personal information that:
- is held, or going to be held, on computer;
- is in, or going to be in, a manual filing system that is highly structured so that information about you can be easily retrieved;
- is in most health, educational, social service or housing records; or
- is other information held by a public authority.
What can I do if I believe we have not sent all the information I am entitled to?
If you feel we have withheld some of your personal information, we recommend you contact us with your concern. Make sure you state the information you think is being withheld.
If you have contacted us and still believe some of your personal information is being withheld, please contact the Information Commissioner’s Office via their live chat service or call their helpline on 0303 123 1113.
We use a third party provider, MailChimp, to deliver our monthly e-newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter.
Here is a link to their Privacy Notice: https://mailchimp.com/legal/privacy/
People who contact us via social media
We use a third party provider, Tweetdeck, to manage our social media interactions.
If you send us a private or direct message via social media the message will be stored by Tweetdeck for three months. It will not be shared with any other organisations.
Here is a link to their Privacy Notice: https://twitter.com/en/privacy
We collect information volunteered by members of the public about membership either using paper forms or an online form which links directly to the membership database hosted by MES (Membership Engagement Services). MES processes personal information in line with our constitution. Information from the paper forms is transferred into the membership database.
Here is a link to their Privacy Notice.
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 29th May 2018.
Data Protection Officer
Our ICO registration number is Z4885823. Further information on the Data Protection Act 2018 can be found here.
How to contact us
Or write to:
Information Governance Department
Sherwood Forest Hospitals NHS Foundation Trust
King's Mill Hospital
Sutton in Ashfield