How we use your information
The Hospital of St John & St Elizabeth collects, stores and uses personal data, such as medical records and computerised information, during our work every day.
We take our duty to protect your personal information and confidentiality very seriously and take all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible.
Why do we collect information about you?
We keep records about your health and any treatment. These records help to ensure that you receive the best possible care. They may be written down in paper records or held on computer.
It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.
We use your personal data in line with the following legal justifications or “grounds”:
- You have requested us to take steps in order for you to enter into a contract with the Hospital so that we may provide you with healthcare services
- The use of your personal information is necessary for the provision of healthcare services provided to you as part of the contract between you and the Hospital
The information that we process as part of providing your service includes “special category” information. This special category information is data related to race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation. The legal basis that we use to process this special category information is:
- The use of the information is necessary for medical diagnosis or the provision of healthcare services
How your personal information is used
Your records are used to direct, manage and deliver the care you receive to ensure that:
- The clinical team involved in your care have accurate and up to date information to assess your health and decide on the best care for you.
- Your concerns can be properly investigated if a complaint is raised.
- Appropriate information is available if you see another professional.
Who do we share personal information with?
Everyone working within the hospital has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.
We will not disclose your information to any other third parties except where there is a legitimate interest. We may share information with Medical Professionals engaged by us to carry out services to you. This includes:
- Your GP or medical practitioner – we will contact your GP or medical practitioner with a discharge summary following any inpatient or day case procedures (excluding outpatient).
- To submit claims relating to your treatment to your insurer or any other third party covering the cost of any treatment on your behalf.
- The Department of Health or any other statutory body to whom we are required to submit data.
- Authorised organisations to convert your data into an anonymised statistical form.
We may be required to disclose information to the Police, any regulatory or Government departments or a court of law. We will inform you as soon as reasonably practical after we receive the request, unless we are prohibited by law from doing so or it is not practicable to do so.
How long is your personal information kept for?
Your personal information is kept in line with the recommended legal and professional best practice retention standards set out in the NHS Records Management Code of Practice for Health and Social Care 2016.
Marketing and fundraising
Every visit to our Hospital helps fund our onsite Hospice, St John’s, which provides free care for over 3,000 terminally ill patients and their families each year.
All profits from the Hospital fund the Hospice, but we also have to raise over £1.9m a year to be able to continue to provide all our free Hospice services.
We would like to keep in contact with you to let you know about the latest developments from the Hospital as well as the latest news and events from our fundraising team.
*Please note that you may subsequently withdraw your agreement to your contact information being used for the above purposes at any time by contacting the Data Protection Officer (email email@example.com or call 020 7806 4000).
Private Healthcare Information Network (PHIN)
As part of a UK-wide programme to improve the public’s access to information on the quality and outcome of private healthcare, we share some of your personal data (NHS Number in England and Wales, CHI Number in Scotland or Health and Care Number in Northern Ireland) with The Private Healthcare Information Network (PHIN). PHIN then sends this Number to the relevant national information authority (for example NHS Digital in England) which links it to national hospital data and mortality data. The linked information, with your personal data removed, is then provided to PHIN to measure quality of care, check for adverse events after discharge from this hospital, such as unplanned re-admissions to hospital, emergency transfers between hospitals, or deaths following treatment. Additionally, the records we send to PHIN will include your postcode to enable statistical processing.
Personal information is treated with high standards of confidentiality in accordance with data protection laws and the duty of confidentiality. Any information that is published will always be in an anonymised statistical form and will not identify you. This information will not be shared or analysed for any purpose other than those stated above.
Further detail is contained in PHIN’s Privacy Notice; a copy is available on PHIN’s website.
Your consent for your personal information to be processed in this way is entirely voluntary. You do not have to give consent and are free to withdraw consent at any time without giving any reason, and without your medical care or legal rights being affected.
Child Protection Information Sharing (CP-IS)
The Hospital of St John & St Elizabeth also has access to the UK Child Protection Information Sharing (CP-IS) system in order to facilitate the sharing of information between health and local authorities where a child may be at risk of being neglected, maltreated or abused. When a child is admitted for unscheduled treatment we will capture the NHS number and will share this with local authorities and NHS trusts across England. The national implementation of CP-IS is endorsed by the Care Quality Commission.
Disclosure of information
You have the right to restrict how and with whom we share the personal information in your records that identifies you. You can also change your mind at any time about a disclosure decision.
How your personal information is used to improve the service we provide
Your information may also be used to:
- Review the care we provide to ensure it is of the highest standard and quality.
- Ensure our services can meet patient needs in the future.
- Investigate patient queries, complaints and legal claims.
- Ensure that we receive payment for the care you receive.
- Prepare statistics on our performance.
- Undertake health research and development (with your consent – you may choose whether or not to be involved).
- Help to train and educate healthcare professionals.
How can you access your records?
The EU General Data Protection Regulation (2016/679) gives you a right to access the information we hold about you on our records. Requests must be made in writing to the Medical Records Department. The hospital will provide information to you within one month of receipt of:
A completed application form, containing adequate supporting information (such as your full name, address, date of birth, NHS number, proof of identification etc.)
HJE must be able to verify your identity using “reasonable means”. Please send all requests to the below address along with an indication of what information you are requesting to enable us to locate it in an efficient manner. The one-month period can be extended by a further two months where the request is complex or where there are numerous requests. If this is the case, we will contact you within one month of the receipt of the request and explain why the extension is necessary.
Your other rights in relation to your personal data
In addition to the right to access your health records (which is referred to as a Subject Access Request), you have other rights in relation to your personal data:
Right to restriction of processing: there are some circumstances where you may wish us to stop using your personal data for a period of time. We are not obliged to comply with all requests and we will consider other factors such as whether we need to continue to process your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.
Right to rectification: we are careful to ensure the accuracy of your information but you may ask us to amend or update your data if you feel that this is necessary.
Right to data portability: we must transfer the information that you have provided to us to you (or another individual or organisation) at your request if it is technically feasible for us to do so.
If you are not happy with the way in which we have dealt with a request from you in relation to any of your rights or have any concerns in relation to the lawful processing of your personal data then you may make a complaint to the Information Commissioner’s Office.
Further information can be found on the ICO website.
The Data controller responsible for keeping your information confidential is:
The Hospital of St John & St Elizabeth (ICO Registration Number Z8761565)
60 Grove End Road,
St John’s Wood, London
Tel: 020 7806 4000
Data controllers are required to register with the Information Commissioner. Details are publicly available from:
Information Commissioner’s Office
Telephone: 08456 306060 Website: www.ico.gov.uk
The Hospital has appointed a Data Protection Officer (DPO). The role of the DPO is to monitor compliance with the GDPR, train staff and conduct internal audits and to be the first point of contact for supervisory authorities and for individuals whose data is processed.
Should you wish to contact the DPO please email firstname.lastname@example.org or call 020 7806 4000 Ext 3365.
The confidentiality of patient information is of paramount concern to the Hospital of St John & St Elizabeth. To this end, the Hospital of St John & St Elizabeth fully complies with Data Protection Legislation and Medical Confidentiality Guidelines.
Medical information will be kept confidential. It will only be disclosed to those involved with your treatment or care, or to their agents and, if applicable, to any person or organisation who may be responsible for meeting your treatment expenses, or their agents.
Hospital of St John & St Elizabeth supports ethically approved research projects.
Anonymised or aggregated data may be used by the Hospital of St John & St Elizabeth, or disclosed to others for research or statistical purposes. No individual is identifiable in this anonymised research.
Hospital of St John & St Elizabeth supports the assessment of clinical governance. As part of these initiatives, the long-term efficacy and effectiveness of certain treatments are measured. To assist in these reviews, patient identifiable data may be used by the Hospital of St John & St Elizabeth, or disclosed to organisations such as the National Institute for Clinical Excellence (NICE), the Cancer Registry or the Public Health Service involved in such research and will be used only for the specific purposes of the research project. Such researchers will be under a duty of medical confidentiality and that imposed by the Data Protection Act.
Access to Non-Medical Information
Hospital of St John & St Elizabeth and your insurers would, on occasion, like to keep you informed of products and services which they consider may be of interest to you. No medical information would be disclosed to others for this purpose and non-medical information would be disclosed on a strictly confidential basis. Should you not wish to receive information about products and services from the Hospital of St John & St Elizabeth please let us know in writing.
Names and Addresses
Hospital of St John & St Elizabeth DOES NOT make the names and addresses of patients available to other organisations.
A cookie is a text-only string of information that a website transfers to the cookie file of the browser on your computer’s hard disk so that the website can remember who you are.
A cookie will typically contain the name of the domain from which the cookie has come, the “lifetime” of the cookie, and a value, usually a randomly generated unique number.
When you visit our website we send you a cookie. Cookies may be used in the following ways:
- To help us recognise you as a unique visitor (just a number) when you return to our website and to allow us to tailor content or advertisements to match your preferred interests or to avoid showing you the same adverts repeatedly.
- To compile anonymous, aggregated statistics that allow us to understand how users use our site and to help us improve the structure of our website. We cannot identify you personally in this way.
Two types of cookies may be used on this website: session cookies, which are temporary cookies that remain in the cookie file of your browser until you leave the site, and persistent cookies, which remain in the cookie file of your browser for much longer (though how long will depend on the lifetime of the specific cookie).
Disabling/Enabling Cookies
You have the ability to accept or decline cookies by modifying the settings in your browser. However, you may not be able to use all the interactive features of our site if cookies are disabled.
The inclusion of a link to an external website from HJE.ORG.UK should not be understood to be an endorsement of that website or the site’s owners (or their products/services).
Information may be disclosed to others with a view to preventing fraud.