This Privacy Notice explains what information we collect about you, how we store this information, how long we retain it and with whom and for which legal purpose we may share it.
The Trust also publishes a number of specific notices which are available at the bottom of this page.
Who we are?
Yeovil District Hospital NHS Foundation Trust (The Trust) delivers health serves to a population of approx. 200,000 people primarily from Yeovil and the rural areas of South Somerset, North & West Dorset and West Mendip. The Trust has been an innovator in new Care Pathways, pioneering the Symphony program and being an NHS Vanguard trust since 2015.
The Trust employs more than [3,000] staff and has approx.  General & Acute care beds, as well as a dedicated Women’s hospital. The Trust provides outpatient and inpatient consultant services overseen by the two strategic business units urgent and elective care, covering areas including – A&E, acute & general medical services, a full range of medical outpatient services, critical care, trauma and orthopaedics, emergency and general surgery, oncology, diagnostic services, paediatrics, obstetrics and gynaecology.
The Trust is registered with the Information Commissioner’s Office (ICO) in the UK, as a Data Controller and to process personal and special categories of information under the General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (subject to parliamentary approval) and our registration number is [Z732882X].
For further information please refer to the ‘About us’ page on our website
Why we collect personal information about you?
The staff caring for you need to collect and maintain information about you, your health, and your treatment and care, so that you can be given the safest and highest quality care. This personal information can be held in a variety of formats, including paper records, electronically on computer systems, in video and audio files.
What is our legal basis for processing personal information about you?
Any personal information we hold about you is processed for the purposes of ‘provision of health or social care, or treatment or the management of health of social care systems and services’ under Article 9 GDPR and chapter 2, section 9 of the Data Protection Act 2018 (subject to parliamentary approval). For further information on this legislation please visit: http://www.legislation.gov.uk/
What personal information do we need to collect about you and how do we obtain it?
Personal information about you is collected in a number of ways, including referral details from your GP or another health provider, or personal details directly from you or your authorised representative.
The data we hold includes basic personal information about you such as your name, address (including correspondence), telephone numbers, date of birth, next of kin contacts and your GP details. We may also hold your email address, marital status, occupation, overseas status, place of birth and preferred name or maiden name.
In addition to the above, we may hold healthcare information about including:
- Health notes and reports, including details of treatment and care, Physical and Mental Health conditions, results of investigations and what future care you may require
- Personal information from people who are carers such as relatives, or health or social care professionals
- Other personal information such as smoking status, any learning disabilities, and your family, lifestyle and social circumstances
- Details of your religion and racial or ethnic origin
- Whether or not you are subject to any protection orders (safeguarding status), Offences, Criminal proceedings Outcomes and sentences.
It is important for us to have a complete picture of you because:
- Accurate and up to date information assists us in providing patients with the right care
- Full information will be readily available in the event you need to see another doctor, or are referred to a specialist or another part of the NHS
- Accurate and up to date information assists us in providing staff with the information and training required to carry out their role in the Trust
- It helps the NHS prepare statistics on its performance and audits of its services, and enables better monitoring of public spending and planning and management of the health service.
- It improves the Training of NHS healthcare professionals and employees, and assists the NHS in conducting its Research and Development activities
What website information do we collect?
Information about your computer hardware and software is automatically collected. This information can include your IP address, browser type, domain names, access times and referring website addresses. This information is used for the operation of the service, to maintain the quality and provide general statistics regarding use of the Yeovil District Hospital websites.
The Trust’s websites will disclose your personal information without notice, only if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on Yeovil District Hospital or the sites; (b) protect and defend the rights or property of Yeovil District Hospital; and, (c) act under exigent circumstances to protect the personal safety of users of Yeovil District Hospital, or the public.
Please keep in mind that if you directly disclose personally identifiable information or personally sensitive data through The Trust’s public message boards, this information may be collected and used by others. Note: The Trust does not read any of your private online communications. Links to other websites: The Trust encourages you to review the privacy statements of websites you choose to link to from our site so that you can understand how those Web sites collect, use and share your information. The Trust is not responsible for the privacy statements or other content on Web sites outside The Trust’s family of Web sites. Therefore we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites.
Collecting personal information on E forms: The Trust websites use electronic forms, and these forms enable you to give us feedback about the web site, to give feedback about specific activity the Hospital is involved in; to give feedback as part of a formal consultation; to take part in fundraising activities or giving; to register for an event or activity; to register interest as a member or volunteer.
Where we are asking for personal information we will always ask you to acknowledge acceptance and understanding of this Fair Collection/Privacy Notice, before the electronic form can be submitted.
Direct Marketing: The Trust may also use your personally identifiable information to inform you of other products or services available from Yeovil District Hospital and its affiliates. The Trust may also contact you via surveys to conduct research about your opinion of current services or of potential new services that may be offered. The Trust keeps track of the websites and pages our patients visit in order to determine which of our services are the most popular. This data is used to deliver customised content and advertising within to customers whose behavior indicates that they are interested in a particular subject area. You have the right to refuse/withdraw consent to direct marketing at any time.
One of the primary purposes of cookies is to provide a convenience feature to save you time. The purpose of a cookie is to tell the Web server that you have returned to a specific page. For example, if you personalise pages, or register with Yeovil District Hospital site or services, a cookie helps to recall your specific information on subsequent visits. This simplifies the process of recording your personal information, such as billing addresses, shipping addresses, and so on. When you return to the same Yeovil District Hospital Web site, the information you previously provided can be retrieved, so you can easily use the features that you customised.
What do we do with your personal information?
Your records are used to directly, manage and deliver healthcare to you to ensure that:
- Staff involved in your care have accurate and up to date information to assess and advise on the most appropriate care for you.
- Staff have information they need to be able to assess and improve the quality and type of care you receive.
- Appropriate information is available, should you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or health provider.
The personal information we collect about you may also be used to:
- Remind you about your appointments and send you relevant correspondence.
- Review the care we provide to ensure it is of the highest standard and quality through audits or service improvements.
- Support funding of your care with commissioning organisations.
- Preparing NHS performance statistics required by The Department of Health or other regulatory bodies.
- Assist in training and education of healthcare professionals.
- Report and investigate complaints, claims and untoward incidents, report events to the appropriate authorities when required to do so by law.
- Review your suitability for research studies or clinical trials.
- Contact you with regards to patient satisfaction surveys relating to services you have used within The Trust, so as to further improve our services to patients in future. Where possible, we will always look to minimize and anonymise/pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis to act otherwise.
Who do we share your information with and why?
The Trust may share your information for health purposes with other NHS organisations, e.g. health authorities, NHS Trusts, general practitioners (GPs), ambulance services, NHS England, Public Health England and other NHS common services agencies such as primary care agencies. We will also share information with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs.
For your benefit, we may also need to share information from your health records with non-NHS organisations, from which you are also receiving care, such as social services or private healthcare organisations. However, we will not disclose any health information to third parties without your explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires it.
A new service called SIDeR (Somerset Integrated Digital electronic Record) is being rolled out across Somerset over the next few years to allow GP practices, hospitals and Social Care to securely view your health and care information. SIDeR will help us to link up our existing IT systems that record and securely store your information, so that medical and care staff can view your information to help them deliver better and safer care for you. For example, they will be able to see what medications you’re taking, what allergies you have and what appointments you have coming up. If you have a care plan in place, they will also be able to see this to understand what your exact needs are.
We may also be asked to share basic information about you, such as your name and address, which does not include sensitive information from your health records. Generally, we would do this to assist them to carry out their statutory duties. In these circumstances, where it is not practical to obtain your explicit consent, we are informing you through this notice, which is referred to as a Fair Processing Notice, under the Data Protection legislation.
Where patient information is shared with or processed by other non-NHS organisations, an information sharing agreement is drawn up to ensure information is managed in a way that complies with relevant legislation. These non-NHS organisations may include, but are not restricted to: social services, education services, local authorities, the Police, voluntary sector providers and private sector providers.
Yeovil District Hospital does not sell, rent or lease its customer lists to third parties. From time to time we may contact you on behalf of external business partners about a particular offering that may be of interest to you. In those cases, your unique personally identifiable information (e-mail, name, address, telephone number) is not transferred to the third party. In addition, Yeovil District Hospital may share data with trusted partners to help us perform statistical analysis, send you email or postal mail, provide customer support, or arrange for deliveries. All such third parties are prohibited from using your personal information except to provide these services to Yeovil District Hospital, and they are required to maintain the confidentiality of your information under data processing agreements. Information may sometimes be shared with system suppliers for the purposes of maintenance.
There are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud. There may also be situations where we are under a duty to share your information, due to a legal requirement. This includes, but is not limited to, disclosure under a court order, sharing with the Care Quality Commission for inspection purposes, the police for the prevention or detection of crime or where there is an overriding public interest to prevent abuse or serious harm to others and other public bodies (e.g. HMRC for the misuse of public funds in order to prevent and detect fraud).
For any request to transfer your data internationally outside the UK/EU, we will make sure that an adequate level of protection is satisfied before the transfer.
The Trust is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to the Trust in confidence will only be used for the purposes explained to you and to which you have consented. Unless, there are exceptional circumstances, such as when the health or safety of others is at risk, where the law requires it or there is an overriding public interest to do so. Where there is cause to do this, the Trust will always do its best to notify you of this sharing.
How we maintain your records
Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements. We hold and process your information in accordance with the Data Protection Act 2018 (subject to Parliamentary approval) and GDPR, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.
We have a duty to:
- maintain full and accurate records of the care we provide to you
- keep records about you confidential and secure
- provide information in a format that is accessible to you
The Trust is committed to securing your personal information from unauthorised access, use or disclosure, and secures it on computer servers in a controlled, secure environment, protected from unauthorised access, use or disclosure.
All our records are destroyed in accordance with the NHS Retention Schedule, which sets out the appropriate length of time each type of NHS records is retained. We do not keep your records for longer than necessary.
All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.
Further information can be found in our Information Governance policies, which are available by contacting our Data Protection Officer.
What are your rights?
If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 (subject to parliamentary approval) and GDPR gives you certain rights, including the right to:
- Request access to the personal data we hold about you, e.g. in health records.
- Request the correction of inaccurate or incomplete information recorded in our health records, subject to certain safeguards.
- Refuse or withdraw consent to the sharing of your health records: Under the GDPR and Data Protection Act 2018 (subject to parliamentary approval), we are authorised to process, i.e. share, your health records ‘for the management of healthcare systemsand services’. Your consent will only be required if we intend to share your health records beyond these purposes, as explained above (e.g. research). Any consent form you will be asked to sign will give you the option to ‘refuse’ consent and will explain how you can ‘withdraw’ any given consent at a later time. The consent form will also warn you about the possible consequences of such refusal/withdrawal.
- Request your personal information to be transferred to other providers on certain occasions.
- Object to the use of your personal information: In certain circumstances you may also have the right to ‘object’ to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment (e.g. as part of a local/regional data sharing initiative). This ‘National Data Opt-out’ initiative commenced via a roll out system from March 2018, with patients and the public able to use the system from 25 May 2018, with the planned roll out of the program concluding in March 2020. Further information can be found on the following website: https://digital.nhs.uk/national-data-opt-out
- We will always try to keep your information confidential, where possible use minimization and pseudonymisation and encryption in communication, and only share information when absolutely necessary.
If you wish to obtain a copy of the Trust’s Data Protection Policy which covers individual rights, raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter.
Data Protection Officer
Samantha Hann is the Data Protection Officer for the Trust who can be contacted via email firstname.lastname@example.org or via post:
Data Protection Officer c/o Clinical Governance Team
Yeovil District Hospital NHS Foundation Trust
Information Commissioner’s Office
The Information Commissioner’s Office (ICO) is the body that regulates the Trust under Data Protection and Freedom of Information legislation. If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the ICO at:
Information Commissioner’s Office
Tel: 0303 123 1113 (local rate) or 01625 545 700 if you prefer to use a national rate number
Patient Advice & Liaison Service
If you have a concern about any aspect of your care or treatment at this hospital please contact: