Privacy Policy

May 2018

The New Foscote Hospital Limited is committed to ensuring that your personal information is kept securely and used confidentially and lawfully only by authorised individuals and bodies and is processed only for the purposes for which you have given consent and for which we have a legal basis.

Our privacy policy has been written in compliance with the new European laws on General Data Protection Regulation 2016/679 (GDPR) from May 2018 which requires that: “Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.”

All of our staff at The New Foscote Hospital Limited and all external contacts (medical and business contacts) have a legal duty to keep your information confidential.

Data Protection Officer

The New Foscote Hospital’s Data Protection Officer (DPO) is the Hospital Manager, Mrs Marion Southwood.

If you have any questions or requests regarding the usage of your personal data at The New Foscote Hospital Limited please contact her on 01295 252281 or email the Data Protection Officer.

Where do you collect my information from and what data do you store about me?

Your personal contact information, such as your name, postal address, email and phone number may be collected from:

  • an initial enquiry made by you via our website, by email, by phone or in writing
  • a job application
  • others involved in your healthcare, such as your GP, your consultant and their secretaries.

More sensitive information regarding, for example, your current physical or mental health, previous hospital visits (NHS and private), prescribed medications and financial status may be collected from:

  • your current healthcare providers, such as your GP, consultant and their secretaries
  • hospitals you have previously been admitted to
  • debt collection agencies.

How is my information used?

We will use your information to:

  • communicate with you regarding your healthcare appointment bookings, treatments, follow-up appointments, results and to request feedback on your treatments by telephone and/or email, based on your stated preference(s).
  • provide the required healthcare services and treatments
  • maintain business records and monitor outcomes for the purposes of our own and external regulatory body quality assurance
  • provide information about you where we have a legal or regulatory obligation to do so (for example, in legal proceedings or for the prevention of fraud)
  • process applications for employment.

Who has access to this information?

Healthcare provision and support

Your medical information will be shared with those involved in your health assessment, care and treatment, which may include:

  • Consultants
  • Anaesthetists
  • Nursing staff
  • Physiotherapists
  • Radiographers
  • Medical secretaries

Consultants, anaesthetists and their secretaries are not directly employed by The New Foscote Hospital Limited but are under contract to us and are legally bound by our strict confidentiality policies.

We may also share your medical information, where necessary to support your care, with:

  • local NHS hospitals providing support services, such as blood testing and biopsies
  • your GP
  • other hospitals (NHS and private)
  • the payor of your treatment – eg your health insurance company or employer
  • the local safeguarding team, if we are concerned you may be vulnerable or ‘at risk’
  • your nominated contacts and emergency contact.

Individuals and organisations not involved in your healthcare

We may, if necessary, share only such information as is relevant, with:

  • our lawyers, auditors, financial and tax advisors and NHS organisations
  • external document scanning and storage facilities
  • electronic patient data storage systems
  • radiology imaging storage and reporting systems
  • external IT system providers
  • debt collection agencies (if your bill is not paid on time)

Regulatory bodies

We are regulated by, and obliged to share patient data, with:

  • The Care Quality Commission (which inspects all hospitals in England)
  • NHS England (including for Patient Reported Outcome Measures (PROMS) data)
  • The government’s Department of Health
  • Private Healthcare Information Network (PHIN) ( – please see PHIN’s own privacy notice here).

This data is pseudonymised and individuals cannot be identified from these records.

Other bodies, due to legal obligation

We may be required to provide information about you because we are legally obliged to. This may be:

  • because of a court order
  • in relation to the prevention or detection of crime by the police
  • in response to a legal request from the Home Office or HMRC.

Change of hospital ownership

If the hospital were to be sold or transferred to another organisation, your patient and health records would be transferred to the new owner, to minimise disruption to current or past patients.

Changes to our privacy policy

If changes are made to our privacy policy we will aim to notify patients through, for example, a notice on our website.

What legal basis does The New Foscote Hospital Limited have for using my personal information?

Reason for using informationLegal basisLegal basis for ‘special category’ (ie sensitive personal information)
Receiving an enquiry and creating an initial patient recordPre-contractual relationship to provide you with the required informationSubstantial public interest
Providing you with health services and treatmentsContractual relationship to provide fulfilment of the appropriate healthcareTo provide health assessment and care for you

To protect your vital interests when you are physically or legally incapable of giving consent

Liaising with other healthcare professionals regarding your care and updating others (eg your relatives)Contractual relationship to provide fulfilment of the appropriate healthcareTo provide health assessment and care for you

Substantial public interest

To establish, exercise or defend our legal rights

Settling your bill, if you are a self-paying or privately insured patientLegitimate interest for internal administrative purposesTo provide health assessment and care for you

To establish, exercise or defend our legal rights

Providing improved quality, training or security (eg post-discharge surveys)Appropriate business needTo manage and improve the healthcare services we deliver
Audit and research programmes run by external bodiesLegitimate interest in supporting health service research.

Legal obligation to provide data to key bodies – eg the CQC

Consent will be gained or, where consent is not required, the legal basis is in the public interest (for statistical or scientific research purposes)
Contacting you and responding to queriesContractual relationship to provide fulfilment of the appropriate healthcare

Appropriate business need

To provide health assessment and care for you

To establish, exercise or defend our legal rights

 

Investigating and responding to complaints or claimsCompliance with legal obligationsTo provide health assessment and care for you

To establish, exercise or defend our legal rights

To enable others to provide informed healthcare services for you

Managing our businessAppropriate business needs

Compliance with legal obligations

To provide health assessment and care for you

To establish, exercise or defend our legal rights

Informing you of other services available at The New Foscote Hospital LimitedAppropriate business needs

Consent provided

More sensitive information would not be used for this purpose
Transferring your records to a third party, should the hospital be sold or management be transferredContractual relationship to provide fulfilment of the appropriate healthcare

Compliance with legal obligations

To provide health assessment and care for you

To protect your vital interests when you are physically or legally incapable of giving consent

To enable others to provide informed healthcare services for you

 

Where is my information stored and how do you keep it safe?

The information we store on you is held in the UK in paper format and on our secure servers. We take every possible step to ensure that your data is stored securely and is processed and used only in accordance with the General Data Protection Regulations (GDPR) 2018. Methods we use include:

  • Encryption
  • Pseudonymisation
  • Controlling access to systems
  • Training our staff to make them aware of how to handle information and how and when to report when something goes wrong
  • Regular testing of our technology and ways of working including keeping up to date on the latest security updates.

How long do you keep my information for?

We retain personal data for no longer than required and in line with The New Foscote Hospital’s detailed retention schedule. This is based on statutory requirements and legal obligations, including the Records Management Code of Practice for Health & Social Care 2016, as well as our business requirements.

Medical record retention periods

Type of recordWhen retainedMinimum retention timeNotes
All health recordsAt the end of your treatment7 years (some can be up to 40 years)COSHH Regulations 2002
Ultrasound and x-ray images and reportsAt the end of your treatmentAs part of the patient record, these are retained as above.

 

Other

Type of recordWhen retainedMinimum retention timeNotes
Accident formsAt time of reporting of accident3 years
CCTV (in communal areas, eg hospital car park and reception)At time of recording31 daysInformation Commissioner’s Code of Conduct
Complaints/litigationAt time of reporting of incident10 years
Compucare records (patient administration software records)At the end of your treatmentPermanent archive recordThe National Archives guidance, Managing Electronic Records
Job applicationsFollowing successful or unsuccessful application1 year (unsuccessful)

3 years following termination of employment (successful)

Subject access requestsAt the point of response to the request3 years

 

Please note that this list is not exhaustive. If you would like further information on the retention period of a particular type of patient record, please email your request to the Hospital Manager’s Personal Assistant.

What rights do I have regarding the storage and usage of my information?

You have certain rights, under law, regarding how your personal and medical data is stored and used. You can exercise these rights, verbally or in writing, at any time by contacting our Data Protection Officer or any of our administrative staff on 01295 252281 or by email. There will not normally be a charge to process your request. If, for any reason, we are unable to carry out your request, we will notify you of the reasons why not. Your rights, under the General Data Protection Regulation 2018 are listed below:

Right of access

You are entitled to:

  • confirmation that we are processing your personal data
  • a copy of your personal data which is held by us
  • other supplementary information.

Right to rectification

You have the right to:

  • have inaccurate personal data rectified, or completed if it is incomplete.
  • make a request for rectification verbally or in writing.
  • receive a response within one calendar month of your request.

In certain circumstances we may refuse a request for rectification, for example, if we consider it unfounded or excessive.

Right to erasure (or ‘the right to be forgotten’)

This right is not absolute and only applies in certain circumstances. It applies when:

  • the personal data is no longer necessary for the purpose which we originally collected or processed it for
  • we are relying on consent as your lawful basis for holding the data, and you withdraw their consent
  • we are relying on legitimate interests as your basis for processing, you object to the processing of your data, and there is no overriding legitimate interest to continue this processing
  • we are processing the personal data for direct marketing purposes and you object to that processing
  • we have processed the personal data unlawfully
  • we have to do it to comply with a legal obligation.

Right to restrict processing

You have the right to request the restriction or suppression of your personal data. This is not an absolute right and only applies in certain circumstances.

  • when processing is restricted, we are permitted to store your personal data, but not use it.
  • you can make a request for restriction verbally or in writing.
  • we have one calendar month to respond to a request.

Right to data portability

This right only applies to information an individual has provided to a controller. It gives you the right to obtain and reuse your personal data for your own purposes across different services.

It allows you to:

  • move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability
  • take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.

Rights relating to automated decision making

We do not use automated decision making or profiling at The New Foscote Hospital Limited.

Right to withdraw consent

You may withdraw consent for us to use your data for any purpose for which you have previously given consent. This will not affect the lawfulness of processing based on consent before its withdrawal.

To withdraw your consent, please contact our Data Protection Officer by phone on 01295 252281 or email.

Right to object

You have the absolute right to object to the processing of your personal data if it is for direct marketing purposes.

You can also object if the processing is for:

  • a task carried out in the public interest
  • the exercise of official authority vested in us
  • our legitimate interests (or those of a third party).

Right to complain to the Information Commissioner’s Office

If you are unhappy with the way in which we have responded to a request from you to exercise any of your rights or believe that we have not adhered to the legislation you can complain to the government’s Information Commissioner’s Office (the ICO). Further information can be found on the ICO website here.

Contacting our Data Protection Officer

If you have any questions regarding our management of your personal data or if you would like to exercise any of your rights relating to your information, please contact our Data Protection Officer:

Data Protection Officer, The New Foscote Hospital Limited, 2 Foscote Rise, Banbury, Oxfordshire OX16 9XP  

Tel  01295 252281   Email  marion.southwood@thefoscotehospital.co.uk