Who we are?

Yeovil District Hospital NHS Foundation Trust (The Trust) delivers health services to a population of over 200,000 people, mostly from Yeovil and the rural areas of South Somerset, North & West Dorset and West Mendip. The Trust is an innovator in new Care Pathways, pioneering the Symphony programme in 2015.

The Trust employs more than 2,300 staff and has approx. 350 General & Acute care beds, as well as a dedicated Women’s hospital.  The Trust provides outpatient and inpatient consultant services, including  – A&E, acute & general medical services, a full range of medical outpatient services, critical care, trauma and orthopaedics, emergency and general surgery, oncology, diagnostic services, paediatrics, obstetrics and gynaecology.

The Trust is registered with the Information Commissioner’s Office (ICO) in the UK, as a Data Controller able to process personal and special categories of information under the General Data Protection Regulations (GDPR) and the Data Protection Act 2018. Our registration number is [Z732882X].

For further information please refer to the ‘About us’ page on our website

Terms

Anonymise/ pseudonymise Methods of making your data to make your personal
details invisible to people who have no need to see it.
Data
Protection Act (DPA)
The UK Data Protection Act 2018 (or the Act)
GDPR EU General Data Protection Regulations
Legal
Basis
The lawful reasons for us to process personal and special category data
Personal
data
Information about a living, identifiable individual
Service
user
Someone who uses our services, usually a patient, but sometimes a carer, visitor or similar.
Trust, the Yeovil District Hospital and its subsidiaries, sometimes
‘we’ in this document
Third
party
Someone else. For example; another person or website. This document uses ‘Third Party’ to describe someone who is neither you or an NHS representative.

Why we collect personal data about you?

Your personal data is any data that can help someone to identify you personally, including your name, weight, height, date of birth, health conditions and treatments you receive.

The staff caring for you need to collect and maintain information about you, your health, and your treatment and care, so that you can be given the safest and highest quality care.

National Data Opt Out

Sometimes we may use data that we collect for your direct care for other, secondary uses, like research, or in trials or for statistical purposes. We will only ever do this when the professionals using it for these secondary uses cannot identify you. For example; We will never send your name, address or any other contact details to anyone who is not directly involved in your care.

If you don’t want us to use your information for secondary uses, you can ‘opt out’ using the ‘National Data Opt Out’.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters

The law

We must use personal data in line with the law, including the GDPR and the DPA. The Act applies to any personal data whether held in electronic, computer or video images (including scans) or physical media like paper and microfilm.

The Data Protection Principles

Whenever we process your personal data, we must follow the GDPR Article 5 data protection principles

1.   Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2.   The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

What is our legal basis for processing personal data about you?

While you may give your consent to treatment, we do not rely on that same consent to use your data as a ‘legal basis for processing’. Instead we are likely to rely on ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’

This processing is necessary to perform a public task (GDPR Article 6(1)(e)) and necessary for the provision of health or social care treatment (GDPR Article 9(2)(h)).

Your data may also be used to protect the health of the general public.

This data will be processed when it is necessary to comply with a legal obligation (GDPR Article 6(1)(c) and necessary for public health (GDPR Article 9(2)(j)).  Wherever possible we will use anonymous data.

Your data may also be used to ensure that adult and children’s safeguarding matters are managed appropriately.

This will only be when it is necessary to perform a public task (GDPR Article 6(1)(e)) and when it is necessary to carry out obligation under social protection law (GDPR Article 9(2)(b)).

Your data may also be used for health research and development (see below).

The legal basis for this processing is necessary to perform a public task (GDPR Article 6(1)(e)) and is necessary for scientific or historical research purpose (GDPR Article 9 (2)(j)). 

However, we must also comply with our common law duty of confidence. Individual consent will be sought for participation in particular research projects. Please ask if you are unsure.

In particular the Trust has a legal duty under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 to securely maintain an accurate, complete and up to date record in respect of each service user, including a record of the decisions surrounding the care and treatment provided to the service user. Because of this, there are limitations on your rights to object to the keeping of records or to ask for them to be deleted. For more information see the section on ‘What are your rights’.

This means we can use your personal data to provide you with your care without seeking your consent to process your personal data to provide that care.  

Other legal duties may require us to use your data for

  • processing a complaint,
  • assessing, monitoring and improving the quality and safety of the services we provide,
  • seek feedback on the quality of services, or
  • the general management of the NHS.

But this list is not exhaustive

The NHS is supported by a complex network of statutory duties and powers. If you require specific information about the particular duty or power supporting any data protection activity, please contact the Data Protection Officer. data.protection@ydh.nhs.uk

What personal data do we need to collect about you and how do we obtain it?

We collect personal data about you in a number of ways, including referral details from your GP or another health provider, or personal details directly from you or your authorised representative.

The data we hold may include basic personal data about you such as your;

  • name,
  • address (including correspondence address),
  • telephone numbers,
  • date of birth,
  • next of kin contacts
  • GP details, 
  • email address,
  • marital status,
  • occupation,
  • overseas status,
  • place of birth
  • preferred name or maiden name.

In addition to the above, we may hold healthcare information about including:  

  • Health notes and reports, including details of treatment and care, physical and mental health conditions, results of investigations and what future care you may require
  • Personal data from people who are carers such as relatives, or health or social care professionals 
  • Other personal data such as smoking status, any learning disabilities, and your family, lifestyle and social circumstances
  • Details of your religion and racial or ethnic origin
  • Whether or not you are subject to any protection orders (safeguarding status), Offences, Criminal proceedings outcomes and sentences.

It is important for us to have a complete picture of you because; full, complete, accurate data assists us to;

  • provide our patients with the right care at the right time
  • ensure your data is available should you need to see other doctors, nurses or specialists or another part of the NHS
  • improve the training of NHS healthcare professionals and employees to carry out their roles
  • help the NHS in conducting its research and development activities
  • help the NHS prepare statistics on its performance and audits of its services, and enables better monitoring of public spending and planning and management of the health service.

What website data do we collect?

Information about your computer hardware and software is automatically collected. This information can include your IP address (the numbers that identify your computer to the internet), browser type, domain names, access times and referring website addresses. This information is used for the operation of the service, to maintain the quality and provide general statistics regarding use of the Yeovil District Hospital websites.   

The Trust’s websites may disclose your personal data, but we will only do so if the law says we must, or if we genuinely believe that it is necessary to;

  1. comply with the law, or;
  2. protect the rights or property of the hospital, or;
  3. protect the personal safety of staff or users of the hospital

Any information you disclose about yourself through The Trust’s public message boards or social media site is not subject to this privacy notice. It may be collected and used by others. If you disclose the sensitive data of others, this may be a criminal offence.

The Trust does not read any of your private online communications.

Links to other websites: The Trust encourages you to review the privacy statements of third party websites you choose to link to from our site so that you can understand how those web sites collect, use and share your data. The Trust is not responsible for the privacy statements or other content on third party web sites outside The Trust’s family of web sites. We are not responsible for the protection and privacy of any data that you provide whilst visiting such sites.

Collecting personal data on e-forms: The Trust websites use electronic forms. These forms enable you to

  • give us feedback about the web site;
  • give us feedback about specific activity the Hospital is involved in;
  • give feedback as part of a formal consultation;
  • take part in fundraising activities or giving;
  • register for an event or activity;
  • register interest as a member or volunteer.

When we ask for personal data, we will always ask you to acknowledge acceptance and understanding of this Fair Collection/Privacy Notice, before the electronic form can be submitted.

Direct Marketing:  The Trust may also use your personally identifiable data to inform you of other products or services available from Yeovil District Hospital and its affiliates. The Trust may also contact you via surveys to conduct research about your opinion of current services or of potential new services that may be offered.   The Trust keeps track of the websites and pages our patients visit in order to determine which of our services are the most popular. We use this data to deliver customised content and advertising to customers whose behaviour indicates that they are interested in a particular subject area.

You have the right to refuse/withdraw consent to direct marketing at any time.

Use of Cookies: The Trust website uses “cookies” to help you personalise your online experience. A cookie is a text file that is placed on your hard disk by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you. Cookies can only be read by a web server in the domain that issued the cookie to you.

One of the primary purposes of cookies is to provide a convenience feature to save you time. For example, if you personalise pages, or register with Yeovil District Hospital site or services, a cookie helps to recall your specific data on subsequent visits. This simplifies the process of recording your personal data, such as billing addresses, shipping addresses, and so on. When you return to the same Yeovil District Hospital Web site, the data you previously provided can be retrieved, so you can easily use the features that you customised.

You can accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of The Trust’s services or websites you visit. You can read more about the cookies used by the Trust’s web sites by clicking on the Cookie link at the bottom of the web page.  For more details visit our website’s terms of use page, and our privacy and cookies policy page.

What do we do with your personal data?

Your records are used to directly manage and deliver healthcare to you, to ensure that:

  • Staff involved in your care have accurate and up to date data to assess and advise on the most appropriate care for you.
  • Staff have data they need to be able to assess and improve the quality and type of care you receive.
  • Appropriate data is available, should you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or health provider.

The personal data we collect about you may also be used to:

  • Remind you about your appointments and send you relevant correspondence.
  • Review the care we provide to ensure it is of the highest standard and quality through audits or service improvements.
  • Support funding of your care with commissioning organisations.
  • Preparing NHS performance statistics required by The Department of Health or other regulatory bodies.
  • Assist in training and education of healthcare professionals.
  • Report and investigate complaints, claims and untoward incidents, report events to the appropriate authorities when required to do so by law. 
  • Review your suitability for research studies or clinical trials.
  • Contact you with regards to patient satisfaction surveys relating to services you have used within The Trust, so as to further improve our services to patients in future.
  • To identify patients who may be chargeable as overseas visitors, and potentially to process payment claims for funding.

This list is not exhaustive.

Where possible, we will always try to minimize and anonymise / pseudonymise your personal data to protect your confidentiality, unless there is a legal basis to act otherwise.  

Who do we share your data with and why?

The Trust may share your data for health purposes with other NHS organisations, e.g. health authorities, NHS Trusts, general practitioners (GPs), ambulance services, NHS England, Public Health England and other NHS common services agencies such as primary care agencies.   We will also share data with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs.  Examples include:

  • NHS Patient Survey Programme (NPSP) is part of the government’s commitment to ensure patient feedback is used to inform the improvement and development of NHS services.  We have a legal duty under Regulation 17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 to assess, monitor and improve the quality and safety of the services provided (including the quality of the experience of service users in receiving those services). We may share your contact data with an NHS approved contractor as a data processor to be used for the purpose of the NPSP. 
  • NHS Digital, on behalf of NHS England assess the effectiveness of the care provided by publicly-funded services – we have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure test) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations and our legal duty under s259 Health and Social Care Act 2012. For further information about how NHS Digital looks after your data follow this link.  
  • Clinical Commissioning Groups Information may be shared with a Clinical Commissioning Group where it is necessary for them to comply with their legal duties. For example they have particular duties relating to the discharge of patients under the Care Act 2014 and for the provision of continuing care under s3 NHS Act 2006 including in some cases the authorisation of individual funding. Please also see the Somerset Clinical Commissioning Group’s Privacy Notice and Dorset Clinical Commissioning Group’s Privacy Notice.
  • For research purposes. When you agree to take part in a research study, the data about your health and care may be provided to researchers conducting research studies in this organisation and in other organisations. These organisations may be universities, hospitals or companies involved in health and care research. We may share research data when required. Your information will only be used by organisations and researchers to conduct research in accordance with the UK Policy Framework for Health and Social Care Research.

If we share your data for research purposes, we will ensure your data is protected by either de-identifying/de-linking it to you and or by ensuring our data “processors” (3rd parties) are contractually responsible for maintaining confidentiality and data integrity.

Where we publish the results of any research it will contain no identifiable information.

We may share your health records

For your benefit, we may also need to share data from your health records with non-NHS organisations you may also receive care from, such as social services or private healthcare organisations.

We will only disclose or share your data to third parties when

  1. There is a specific, lawful, need for example to provide you with essential services and treatments, when people are at risk of harm, when the law says we must, and so on; or
  2. When we need and your consent. Although we usually need your consent for treatment, we won’t always need your consent to share your data. We will usually have a lawful basis (see “What is our legal basis for processing personal data about you?”

A new service called SIDeR (Somerset Integrated Digital electronic Record)  is being rolled out across Somerset over the next few years. SIDeR will allow GP practices, hospitals and Social Care to securely view your health and care data, but only with appropriate access safeguards in place. SIDeR will link up our existing IT systems that record and securely store your data, so that medical and care staff can view your data to help them deliver better and safer care for you. For example, they will be able to see what medicines you’re taking, what allergies you have and what appointments you have coming up. If you have a care plan in place, they will also be able to see this to understand what your exact needs are.

We may also be asked to share basic data about you, such as your name and address, which does not include sensitive data from your health records. Generally, we would do this to assist them to carry out their statutory duties. In these circumstances, where it is not practical to obtain your explicit consent, we are informing you through this notice, which is referred to as a Fair Processing Notice, under the Data Protection legislation.

Where patient data is shared with or processed by third parties, we will draw up an information sharing agreement to ensure data is managed in a way that complies with relevant legislation. These organisations may include, but are not restricted to: social services, education services, local authorities, the Police, voluntary sector providers and private sector providers.

Yeovil District Hospital does not sell, rent or lease its customer lists to third parties. From time to time we may contact you on behalf of third party business partners about a particular offering that may be of interest to you. In those cases, we will not transfer your unique personally identifiable data (e-mail, name, address, telephone number) to the third party. In addition, Yeovil District Hospital may share data with trusted third parties to help us perform statistical analysis, send you email or postal mail, provide customer support, or arrange for deliveries. All such third parties are prohibited from using your personal data except to provide these services to Yeovil District Hospital. They are required to maintain the confidentiality of your data under data processing agreements.   Data may sometimes be shared with system suppliers for the purposes of maintenance.

The Trust is required to;

  • protect your personal data,
  • inform you of how your personal data will be used, and
  • allow you to decide if and how your personal  data can be shared.

Any personal  data you provide to the Trust in confidence will only be used for the purposes explained to you and to which you have consented, unless, there are exceptional circumstances, such as the prevention of harm to others, or occasions where the Trust is required by a legal duty to share information provided to us with others. Examples include:

  • disclosure under a court order,
  • sharing with the Care Quality Commission for inspection purposes,
  • the police for the prevention or detection of crime or
  • where there is an overriding public interest to prevent abuse or serious harm to others and other public bodies (e.g. HMRC for the misuse of public funds in order to prevent and detect fraud).

Where there is cause to do this, the Trust will always do its best to notify you of this sharing.

For any request to transfer your data internationally outside the UK/EU, we will make sure that an adequate level of protection is satisfied before the transfer.

Research: Sometimes we undertake research studies. We may decide you are suitable for these studies, and ask for your assistance. These studies may involve extra visits and tests which in turn generates extra personal data. You always have a choice to take part in these studies. If you choose not to take part in these studies, it will not affect your future treatment in any way.

How we maintain your records

Your personal data is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care 2016 and National Archives Requirements.  We hold and process your data in accordance with the Data Protection Act 2018 and GDPR, as explained above.  In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.   Under the NHS Confidentiality Code of Practice, all our staff are required to protect your data, inform you of how your data will be used, and allow you to decide if and how your data can be shared.  Any preferences you have will be noted in your records.

We have a duty to:

  • maintain full and accurate records of the care we provide to you
  • keep records about you confidential and secure
  • provide information in a format that is accessible to you

The Trust is committed to securing your personal data from unauthorised access, use or disclosure, and secures it on computer servers in a controlled, secure environment, protected from unauthorised access, use or disclosure.

All our records are destroyed in accordance with the NHS Retention Schedule, which sets out the appropriate length of time each type of NHS records is retained. We do not keep your records for longer than necessary.  All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.

Further information can be found in our Information Governance policies, which are available by visiting our webpage at https://yeovilhospital.co.uk/about-us/corporate-information/information-governance/ or contacting our Data Protection Officer data.protection@ydh.nhs.uk

What are your rights?

Data Protection law gives you significant rights over the use of your personal data. Those rights include;

Be informed. We will tell you what we will do with your data. We may do this through notices (like this) or through leaflets, notices on our website, posters and possibly through emails and messages.

Subject Access Requests. GDPR gives you the right to access the data we hold about you on our records.  For medical records requests should be made in writing to the Medical Records Department. The Trust will provide the information to you within one month of receipt of your request and sufficient information to identify you. There is generally no charge but the Trust reserves the right to make a reasonable administrative charge in the case of requests which are manifestly unfounded or excessive, in particular because of their repetitive character.

If you have parental responsibility for a child in your care, you may request access to their personal data on the child’s behalf. Similarly, you may have specific authority (eg a Power of Attorney) to request access for an adult who is incapable of making their own request.

Please be aware, any personal data requested on behalf of someone else remains the property of the person(s) concerned. It should only ever be requested and used for the benefit of the person(s) concerned.

Just because a record, or someone else’s record may mention you or use your name, does not always make it your data. Each request for personal data will be assessed on its own merits.

In some circumstances, we may be obliged to refuse a request, but we will give you reasons why.

Rectification. If you think that the data we hold on you is inaccurate or incomplete you may ask us to rectify or complete it. You can make your request by contacting the Trust’s Data Protection Officer.  We will tell you within one month what action we intend to take in response to your request.

Erasure. Under GDPR you sometimes have a right to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’. You can make your request by contacting the Trust’s Data Protection Officer. We will tell you within one month what action we intend to take in response to your request.

However this right does not apply to many of our key data holdings such as health records and employees’ records as we are keeping such records as part of our legal duties. For a full explanation of the right and when it applies please see the Information Commissioner’s website.

Restriction.  This is closely linked to other rights. You have the right to restrict processing in limited circumstances for example if you think our data is inaccurate and you want to limit what we do with it until we have considered rectification (see above).  You can make your request by contacting the Trust’s Data Protection Officer. We will tell you within one month what action we intend to take in response to your request.

Objection. You have a general right to object to our processing your personal data if we are processing your data for direct marketing. We will always respect such an objection.  You also have a right to object on “grounds relating to your particular situation” when we are processing your personal data:

  • On the basis of our legitimate interests or the performance of a task in the public interest/exercise of official authority. This would include our processing of medical records and employee records; or
  • For purposes of scientific/historical research and statistics.

In certain circumstances you may also have the right to ‘object’ to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment (e.g. as part of a local/regional data sharing initiative). This ‘National Data Opt out’ initiative commenced via a roll out system from March 2018, with patients and the public able to use the system from 25 May 2018, with the planned roll out of the program concluding in March 2020. Further information can be found on the following website: https://digital.nhs.uk/national-data-opt-out

We can refuse to uphold an objection, if it is not based on a particular situation. or on compelling legal or public interest grounds – for example;

  • to prevent physical or mental harm to a vulnerable person or  
  • identifying a patient’s address if they are the subject of family disputes or the victim of domestic abuse.

These rights are not absolute (other than prevention of marketing) and will not apply in all circumstances. For example, you do not have a right to insist that we delete your medical records as we have a legal duty to keep them.  For more information about your rights please see: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

If you wish to exercise any of the rights other than a Subject Access Request please contact the Trust’s Data Protection Officer.  data.protection@ydh.nhs.uk

You can obtain a copy of the Trust’s Data Protection Policy which covers individual rights.

We will tell you within one month what action we intend to take in response to your request.

If you have any concern about how we have handled your data you can contact our Patient Advice & Liaison Service (PALS). pals@ydh.nhs.uk  You also have a right to complain to the Information Commissioner if you are in any way unhappy with the way we have processed your personal data or allowed you to exercise your rights. Please see: www.ico.org.uk/concerns.