Privacy notice
Overview
At University Hospital Southampton NHS Foundation Trust (UHSFT), we take your confidentiality and privacy rights very seriously.
To do this we must keep information about you and your health, the care we have provided or plan to provide you securely.
We may also need to share your personal data with other organisations in order to deliver your care.
The Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) controls how your personal information is used by organisations, businesses or the government. We are defined as a ‘data controller’ of your personal information and are accountable for how we use your personal data.
- Our address is University Hospital Southampton NHS Foundation Trust, Southampton General Hospital, Tremona Road, Southampton SO16 6YD.
- The data protection officer can be contacted by emailing dataprotection@uhs.nhs.uk
- The trust is registered with the Information Commissioner’s Office, our registration number is Z4989884.
- This privacy notice explains how we collect, use, and store your personal data.
We collect information about you when you use our services. This information may be held electronically and/or in paper form, depending on the service(s) you have accessed.
To support the provision of your healthcare the following information may be collected:
- Basic details about you – name, address, date of birth, next of kin and GP.
- Additional contact information such as telephone numbers (home and/or mobile) and email address.
- Dates when we’ve had contact with you. For example, attendances at an outpatient clinic, a visit to the emergency (A&E) department or a stay in hospital.
- Clinical notes made by our doctors and other healthcare professionals during these contacts or stays.
- Results of investigations that may have been undertaken.
- Photographs, images or videos.
- Information from other health or social care professionals that have been involved in your care, for example your GP or social worker.
- Lifestyle information that may be clinically relevant.
- Information on your occupation and your home setting that may be clinically relevant.
- Your ethnicity and/or religion.
- Personal information of other people involved in your care, such as a relative or someone who helps to care for you.
We collect and process your personal information to enable us to provide healthcare services to you. It is vital in helping us to:
- have all necessary information for assessing your needs and for making decisions with you about your care and discharge
- have details of referrals, appointments and services you have received
- assess the quality of care we give you
- properly investigate if you and your family have a concern or a complaint about your healthcare.
It also ensures that we have accurate and up-to-date information about you, which will be available to you if you:
- move to another area
- need to use another service
- see a different healthcare professional.
We work closely with many organisations to provide you with the best possible care. This means that with your consent (where required), and when it is beneficial to your health or in your vital interests, your information will be shared with organisations including:
- Your GP practice
- Other hospitals and community organisations providing care services
- Clinical commissioning groups responsible for the management of your local NHS budget
- Specialist companies providing diagnostic and testing services you might need
- Those with parental responsibility for patients, including guardians
- Carers without parental responsibility (subject to explicit consent)
- Medical researchers for research purposes (subject to explicit consent, unless the data is anonymous)
- Other NHS organisations and the Department of Health and Social Care for the purposes of planning, commissioning, monitoring, managing and auditing healthcare services
- Bodies with statutory investigative powers such as the Care Quality Commission, the General Medical Council, the Health and Safety Executive, the Parliamentary and Health Service Ombudsman
- National generic registries, for example the UK and Ireland Association of Cancer Registries
- Organisations processing data on our behalf for the purposes of your care and managing your appointments.
Also, where necessary and appropriate, to:
- Non-statutory investigators e.g. Members of Parliament
- Government departments other than the Department of Health and Social Care
- Solicitors, the police, the courts (including coroner’s inquests), tribunals and inquiries.
Confidential patient-identifiable information is only shared with other organisations where there is a legal basis for it as follows:
- When there is a court order
- When there is a statutory power to share patient data
- When the patient has given his/her explicit consent to the sharing
- When the sharing of patient data without consent has been authorized by the Confidentiality Advisory Group of the Health Research Authority (HRA CAG) under Section 251 of the NHS Act 2006.
We can only process data if we have a lawful basis to do so. There are six available lawful bases for processing which are set out in Article 6 of the UK GDPR.
For patients and healthcare-related processing we primarily rely on Article 6(1)(e), but we may also process your data under Article 6(1)(c), Article 6(1)(e), Article 6(1)(d) and, for employees, Article 6(1)(b). Please also refer to the other specialist areas in the privacy notice.
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
As the data we process generally includes health data we will also rely on the following conditions under Article 9 of the UK GDPR for processing this data:
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law).
We are committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in a hardcopy or electronic format.
All the information systems used by our Trust are implemented with robust information security safeguards to protect the confidentiality, integrity and availability of your personal information. The security controls adopted by the Trust are influenced by several sources including the UK GDPR, 10 National Data Guardian Standards and guidelines and standards produced by NHS Digital and other government departments and agencies.
Every NHS organisation has a Caldicott Guardian who is responsible for protecting the confidentiality of your personal data.
Your information rights
Under data protection law you have certain rights in relation to the personal information that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us using the details set out below.
We let you know in this privacy notice how we use your data.
You can ask for a copy of your information, and we are required to respond within one month of the request being verified, but we can extend that by a further two months if the request is complex. We sometimes refuse to provide some of the information; this is called an exemption. If we do not provide all the information, we will let you know why.
To request patient information, you will need to log on to our portal and create an account. This will allow you to submit your request, view its progress and then download copies. The portal can be accessed using this link, where there are full instructions, FAQs and a user guide to help you with the process.
If you need support with this, please email disclosures@uhs.nhs.uk or write to the following address:
Disclosures Team
Mailpoint 61
University Hospital Southampton NHS Foundation Trust
Tremona Road
Southampton
SO16 6YD
If you feel that the information we hold about you is incorrect, you can ask to have it corrected. If we believe it is correct, for instance clinical opinions made by a health professional, then we will not correct it. If that is the case, we will add a statement of your concern to your record but not change the information.
Contact dataprotection@uhs.nhs.uk
You have the right to have your personal data deleted if it is no longer needed. Any request will be considered but it is unlikely that we will be able to delete your health records or staff records as we have a legal obligation to keep those records.
Contact dataprotection@uhs.nhs.uk
You have the right to ask us to stop using your information. This is not an absolute right and only applies in certain circumstances. This is an alternative to erasing your data.
Contact dataprotection@uhs.nhs.uk
This allows you to receive and use your personal data for your own purposes across different services. It will allow you to move, copy or transfer it from one IT environment to another. This right only applies when consent or performance of a contract is the lawful basis.
You can refer to the 'lawful processing' section above for more information on how we only process data where we have a lawful basis.
Contact dataprotection@uhs.nhs.uk
This right allows you to object to the processing of your data in certain circumstances. This is not an absolute right unless your information is used for direct marketing.
Contact dataprotection@uhs.nhs.uk
If a decision is made based solely on an automated process, then we are required to inform you. The Trust does not use any automated decision-making system. Decisions made about you are made by our health professionals.
Contact dataprotection@uhs.nhs.uk
This will depend on what the information is. There are legal and professional requirements which we follow and the Records Management Code of Practice 2021, a guide to the management of health and care records, details what they are.
We will keep your records for the minimum period as outlined in the Code of Practice, however, we may keep the records for longer than the minimum period where there is a justification for care, legal or audit purposes, subject to separate approval.
The University Hospital Southampton NHS Foundation Trust is one of the many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending the emergency department, important information about you is collected in a patient record. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use our services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit the NHS overview, where full details can be found and you will be able to view, set or change your opt-out settings.
You can change your mind about your choice at any time.
How we use children's personal information
Southampton Children’s Hospital is part of University Hospital Southampton NHS Foundation Trust and a major centre for specialist paediatric services in the south of England. In order to provide your child with the treatment they need, we collect and process their personal information as well as the personal information of their parent/carer.
The personal data that we collect about your child may include details such as:
- Full name, address, telephone number (mobile and home), email address
- Date of birth
- Gender
- Who has parental responsibility and contact number(s)
- Previous appointment history
- Details and records of treatment and care notes
- Medical history
- Information from research/clinical trials
- Results of x-rays, scans, blood tests, etc.
- Genetic Information
- Other relevant data from people who care for your child and know them well, such as health professionals, social workers, relatives and carers.
- Whether or not you or your child is subject to any protection orders regarding their health, wellbeing and human rights (safeguarding status).
- A record of contact with us by telephone or email for the purposes of the provision of healthcare including complaints, claims or patient advice and liaison service (PALS) enquiries
- Race or ethnic origin
- Religious or other beliefs.
- Any disability or requirement for additional support with appointments (such as an interpreter or advocate).
Your child and parent/carer’s personal data can be collected in several ways:
- Data may be provided by your GP or another healthcare professional your child has seen when they refer your child for treatment at Southampton Children's Hospital.
- Data may be provided directly from you – in person, over the telephone or on a form you have completed.
- Data may also be provided by third parties, for example, social services, education services or children’s charities.
We use your child’s data to ensure that:
- The right decisions are made about their care.
- Their treatment is safe and effective.
- We can work well with other organisations that may be involved in their care.
- We can remind a parent/carer about appointments and send you relevant correspondence.
- Statistics on NHS performance can be prepared and our spending of public money monitored.
- The funding of your child’s care is supported.
- Complaints, claims and untoward incidents can be reported and investigated.
If you are not happy with the way the Trust handles your personal information, please contact the data protection team in the first instance.
Data Protection Team
Trust Management Office
Mailpoint 180
University Hospital Southampton NHS Foundation Trust
Tremona Road
Southampton
SO16 6YD
Telephone: 023 8120 4743
Email: dataprotection@uhs.nhs.uk
You also have the right to make a complaint to the Information Commissioner’s Office, the independent data protection regulator. They can be contacted using their online form or by calling their helpline on 0303 123 1113.
Other Services
The NHS Central and South Genomic Laboratory Hub is one of seven genomic laboratory hubs nationally delivering the NHS Genomic Medicine Service, providing testing, interpretation and reporting services. The NHS trusts that make up the Central and South Laboratory Hub are:
- University Hospital Southampton NHS Foundation Trust
- Birmingham Women’s and Children’s NHS Foundation Trust
- University Hospitals Birmingham NHS Foundation Trust
- Oxford University Hospitals NHS Foundation Trust
- Salisbury NHS Foundation Trust
Together with NHS England, we are responsible as joint controllers under data protection legislation for the processing of personal data to provide the NHS Genomic Medicine Service.
Details on how the Central and South Genomic Laboratory Hub use your personal data are here. To find out how the NHS uses your genomic information see NHS Genomic Medicine service.
If you wish to take part in clinical research as a patient or volunteer, we will need to use your personal data to conduct the research.
To find out how your personal data is used please see Clinical Research – take part.
MyMR is your personal health record which stores and displays your personal and medical information.
You may be invited to use MyMR by your clinical team or you can register if you are or have been a patient at the Trust.
To find out how your data is used please see MyMR privacy notice.
HIOWAA has equipped its clinicians with body-worn video (BWV) cameras. Their use is carefully monitored, and the data is only kept for 30 days unless there is a legal requirement to keep it for longer, for example a police investigation.
The conditions of use are available on the HIOWAA web site.
Becoming a member of UHS means having the opportunity to get involved in your hospital and help shape the future of University Hospital Southampton NHS Foundation Trust.
As a member, you're kept up to date about developments at the Trust and you have a voice to raise the issues that are important to you.
To find out how your data is used please see Trust members.
We share the information that you provide when seeking payment of an invoice from the Trust as part of the National Fraud Initiative, in which all NHS organisations are required to participate. This information is matched against payroll data, including staff names and addresses, to ensure that all necessary declarations of interest have been made in accordance with the Trust’s Standards of Business Conduct Policy. Please refer to the privacy notice here from the Cabinet Office for details on how this information is used.
The Trust uses different surveillance equipment for the following reasons:
- prevention and detection of crime
- to protect the Trust’s assets
- safety and security of the public, patients, visitors and staff
- to support investigation by the police or other authorised agencies.
CCTV is located in and around all our hospitals. ANPR (automatic number plate recognition) is located at all car park entrances and exits to capture the entry and exit of vehicles. The use of BWV is restricted to Trust security staff and car park attendants and will only be activated if an incident is taking place, or they believe an incident may occur.
All images are held in a secure location and access is restricted to the security team.
If you have any queries about the use of CCTV/BWV (security staff) please email security@uhs.nhs.uk.
If you have any queries about the use of ANPR/BWV (car park staff) please email travelwise@uhs.nhs.uk.
The programme has now ended, and all personal data has been deleted from the Trust network, however test results will still be held by national bodies, as part of your health record.
Employee Privacy Notice (including recruitment)
This privacy notice includes information for applicants, employees, former employees and volunteers.
During your employment the Trust collects, stores and processes personal information about prospective, current and former staff.
The processing of employee personal information is necessary for the purpose of employment, social security and social protection laws. The legal basis for processing this information is Article 6(1)(b), contract.
If you are applying for a role at the Trust, please follow this link for details on how your data as an applicant will be used.
The personal information we hold about staff may include:
- Contact details, that is your name, addresses, telephone numbers and emergency contact details
- Personal information including gender, race, ethnicity, religion and sexual orientation
- Employment records such as professional memberships, references, right to work documents
- Bank details
- Pension details
- Occupational health information (restricted to occupational health)
- Trade union membership
- Offences – alleged and criminal.
Your personal information is processed for the purposes of:
- Staff administration and management (including payroll and performance)
- Business management and planning
- Pensions administration
- Accounting and auditing accounts and records
- Education
- Health administration and services
- Matching for the National Fraud Initiative - please refer to the privacy notice here from the Cabinet Office for details on how this information is used
The Trust will not routinely disclose any information about you. However, to enable effective staff administration and comply with our obligations as your employer, we will share the information which you provide during your employment (including the recruitment process) with the NHS Business Services Authority for maintaining your employment records, held on systems including the national NHS Electronic Staff Record (ESR) and Care Information Services (smartcard) systems.
The Trust’s payroll functionality is administered by Salisbury NHS Foundation Trust and details of your employment are shared directly with the dedicated payroll team.
There may be circumstances where we must or can share information about you to comply with or manage:
- Disciplinary/investigation processes, including referrals to professional bodies
- Legislative and/or statutory requirements
- Court orders which may have been imposed on us
- NHS counter fraud requirements, including the National Fraud Initiative
- Requests for information from the police and other law enforcement agencies for the prevention and detection of crime and/or fraud if the crime is of a serious nature
Under data protection law you have certain rights in relation to the personal information that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us using the details set out above in the previous 'your information rights' section.
The Trust recognises that it has a duty to protect both itself and its employees from misuse of the network, internet and e-mail. Inappropriate use may put the organisation at risk from a security perspective and damage the reputation of the Trust.
The Trust will provide technical security measures to protect against unauthorised access to the Trust network, both internally and via external connections. Alongside these network controls, standard users will not have permission to install software. This protects endpoints, Trust data and systems from the accidental installation of untrusted, unsigned or malicious software.
Security systems will log data relating to the time and date of an incident, the username, the event, the files affected and other key criteria. Logging is typically retained for 12 months where possible.
Audit trails may also be released to patients requesting details of employees who have accessed their medical record and may be monitored through compliance spot checks or for audit purposes.
The Trust has the facility to monitor employee accounts; however, this is only undertaken when security alerts are raised or when authorised and verified requests are made by HR. Staff are informed and understand that their system use can be monitored and recorded.
Employees must be aware that requests made to the Trust under an individual’s right of access (subject access requests) may result in emails being disclosed.
The Trust’s Informatics department is committed to maintaining the privacy, dignity and confidentiality of service users at all times. We adhere to the principles of data protection legislation, Department of Health and Social Care and NHS Digital policies, procedures and codes of practice.
The Informatics department uses your personal information to create and manage IT user accounts, monitor system access and performance.
System-generated IT login audit trails are also used to improve internal processes, identify account and system issues and establish whether inappropriate access to and/or use of IT equipment or resources has occurred.
NHS smartcards allow healthcare professionals to access clinical and personal information appropriate to their role held on national NHS IT systems.
If you hold or register a smartcard your identity must be verified using personal information and details including your driving licence and passport numbers will be recorded along with a photographic image within NHS Digital’s Care Identity Service (CIS) system.
All users issued with a smartcard can update certain aspects of their record on the CIS database, as well as change their PIN and, when necessary, renew their own smartcard certificates. Certificates last two years and can be self-renewed within the 90 days leading up to the expiry date; after this time please contact the Informatics team.
All Informatics staff adhere to a strict code of ethics in relation to the confidentiality of all personal and sensitive data.
The Trust uses Microsoft Outlook as its primary email system. As a member of staff, you are required to read, understand and comply with the Informatics Security Policy on email usage. The Informatics Security Policy is available on the staff intranet pages.
The Informatics department will use your personal information to create anonymised, pseudonymised and statistical compliance reports.
NHS Digital now provides national monitoring of all internet activity through NHS devices to local organisations such as hospitals and GP surgeries. This means that all internet activity is monitored to quickly identify any abnormalities so that immediate action can be taken to address any potential problem as quickly as possible. NHS Digital will be able to identify the affected device and user in real time so that alerts can be provided nationally and locally to minimise the threat to the NHS, staff and patients.
The UHS process will be that whenever an alert is received Informatics will immediately retrieve the device and commence erasing any data and rebuilding the device. Please be aware that any information stored locally on the machine will be removed with immediate effect.
Appropriate action will be taken over any inappropriate or malicious breaches detected in line with the Trust policies and procedures.
This will depend on what the information is. There are legal and professional requirements which we follow and the Records Management Code of Practice 2021, a guide to the management of health and care records, details what they are.
We will keep your records for the minimum period as outlined in the Code of Practice, however, we may keep the records for longer than the minimum period where there is a justification for care, legal or audit purposes, subject to separate approval.
Standards of Business Conduct
The Corporate Affairs team at UHS maintains a register of interests for the Trust. This includes details of all declarations of interests required to be made by staff and recorded on the register in accordance with the Trust’s Standards of Business Conduct Policy, which reflects the requirements of guidance published by NHS England and NHS Improvement and requirements set out in the Trust’s contracts with commissioners. The legal bases for processing this information are Legal obligation (Article 6(1)(c)) and Public task (Article 6(1)(e)).
All declarations of interest made are available to an individual’s line manager and to those administering the NHS Electronic Staff Record (ESR) system used to maintain the register. The Trust is required to:
- publish the interests declared by decision-making staff in a register of interests on the UHS website;
- make extracts from the register of interests available to Finance, Procurement and Patient Safety teams on a regular basis to support the management of potential conflicts of interest for decision-making groups or individuals in the Trust;
- make the register(s) available by request from the Corporate Affairs team.
If staff have substantial grounds for believing that publication of their interests should not take place, then they should contact the Corporate Affairs team to explain why. In exceptional circumstances, for instance where publication of information might put a member of staff at risk of harm, information may be withheld or redacted on public registers. However, this will be done by exception only and information will not be withheld or redacted due to a personal preference.
After its expiry, an interest will remain on the appropriate register for a minimum of six months and a private record of historic interests will be retained for a minimum of six years.
All staff are automatically enrolled as members of the Trust as permitted by the National Health Service Act 2006. The Corporate Affairs team at UHS maintains a register of members for the staff membership using information in the NHS Electronic Staff Record (ESR) system. The register of members must include the name, address, email, telephone number and staff group/class of the staff constituency to which a member of staff belongs. The legal basis for processing this information is Article 6(1)(c), public task.
We use your information to inform you of governor elections and voting information. This information is shared with the returning officer for governor elections in which staff in a particular staff constituency are eligible to vote, who processes this information on behalf of the Trust.
Your personal details will remain on the register until such time as you advise us that you no longer wish to be a member.
Changes to this privacy notice
We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.
We reserve the right to update this privacy notice at any time. We will notify you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
We recommend that you check this page regularly to keep up to date.
Last updated on 28 July 2022.